559741c9738226c2573fa4188a1a465563926b28d885f80e6507fee91bde626e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

581799237e8f5c3cecfedfb6b8aaeb7a.exe
Size

484KB
MD5

581799237e8f5c3cecfedfb6b8aaeb7a
SHA1

2964ab933b7bf2c7a04ce2fcbc4b7820431c699a
SHA256

559741c9738226c2573fa4188a1a465563926b28d885f80e6507fee91bde626e
SHA512

aeb02472d44741ae40bd0bbb0b54525c76ec54a9d49813684adf1dde60b80d5c9c0214230d5f722761ca1ad0425ba967190fa5c23b520a189a63f617bd40928f
SSDEEP

6144:byEjM5jcA3YDMThyH4JXkUGzekBdxacADVsS3dT/Y5sYl2i69h88HoihJEmYQUmv:byEjMvIIBtYLdsDVVJqkJbrvh/+g

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	581799237e8f5c3cecfedfb6b8aaeb7a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	581799237e8f5c3cecfedfb6b8aaeb7a.exe

Renames multiple (51) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	dKYEcsIc.exe

Executes dropped EXE 3 IoCs

pid	Process
2840	jcMkIYEI.exe
3956	dKYEcsIc.exe
2528	JEwAYsYI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jcMkIYEI.exe = "C:\\Users\\Admin\\JOkcUAUs\\jcMkIYEI.exe"	jcMkIYEI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dKYEcsIc.exe = "C:\\ProgramData\\UikAIEUs\\dKYEcsIc.exe"	dKYEcsIc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dKYEcsIc.exe = "C:\\ProgramData\\UikAIEUs\\dKYEcsIc.exe"	JEwAYsYI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jcMkIYEI.exe = "C:\\Users\\Admin\\JOkcUAUs\\jcMkIYEI.exe"	581799237e8f5c3cecfedfb6b8aaeb7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dKYEcsIc.exe = "C:\\ProgramData\\UikAIEUs\\dKYEcsIc.exe"	581799237e8f5c3cecfedfb6b8aaeb7a.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	581799237e8f5c3cecfedfb6b8aaeb7a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	581799237e8f5c3cecfedfb6b8aaeb7a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	581799237e8f5c3cecfedfb6b8aaeb7a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	581799237e8f5c3cecfedfb6b8aaeb7a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\JOkcUAUs	JEwAYsYI.exe
File opened for modification	C:\Windows\SysWOW64\sheConvertToConfirm.doc	dKYEcsIc.exe
File opened for modification	C:\Windows\SysWOW64\sheEditComplete.jpg	dKYEcsIc.exe
File opened for modification	C:\Windows\SysWOW64\sheRepairApprove.ppt	dKYEcsIc.exe
File opened for modification	C:\Windows\SysWOW64\sheSelectAdd.pptx	dKYEcsIc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\JOkcUAUs\jcMkIYEI	JEwAYsYI.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	dKYEcsIc.exe
File opened for modification	C:\Windows\SysWOW64\sheClearUnblock.mp3	dKYEcsIc.exe
File opened for modification	C:\Windows\SysWOW64\sheDismountBlock.docx	dKYEcsIc.exe
File opened for modification	C:\Windows\SysWOW64\sheInitializeDismount.exe	dKYEcsIc.exe
File opened for modification	C:\Windows\SysWOW64\sheUnlockNew.rar	dKYEcsIc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4744	reg.exe
2336	reg.exe
1380	reg.exe
928	reg.exe
4724	reg.exe
968	reg.exe
4200	reg.exe
4344	reg.exe
4192	reg.exe
1992	reg.exe
4088	reg.exe
2740	reg.exe
4572	reg.exe
392	reg.exe
2776	reg.exe
3664	reg.exe
3504	reg.exe
1964	reg.exe
1808	reg.exe
3528	reg.exe
4428	reg.exe
4724	reg.exe
4188	reg.exe
2256	reg.exe
3972	reg.exe
4064	reg.exe
4900	reg.exe
968	reg.exe
1552	reg.exe
3528	reg.exe
3344	reg.exe
1808	reg.exe
3788	reg.exe
1172	reg.exe
2024	reg.exe
4736	reg.exe
4052	reg.exe
4244	reg.exe
4948	reg.exe
1248	reg.exe
4972	reg.exe
1856	reg.exe
1172	reg.exe
4676	reg.exe
832	reg.exe
4404	reg.exe
4232	reg.exe
4568	reg.exe
368	reg.exe
1596	reg.exe
2688	reg.exe
4880	reg.exe
3684	reg.exe
4760	reg.exe
1028	reg.exe
3076	reg.exe
3648	reg.exe
4068	reg.exe
1992	reg.exe
1556	reg.exe
4064	reg.exe
2276	reg.exe
4536	reg.exe
3476	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe
3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe
3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe
3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe
3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4260	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4260	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4260	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4260	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2844	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2844	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2844	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2844	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2040	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2040	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2040	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2040	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1652	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1652	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1652	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1652	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4872	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4872	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4872	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4872	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4364	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4364	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4364	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4364	581799237e8f5c3cecfedfb6b8aaeb7a.exe
5020	581799237e8f5c3cecfedfb6b8aaeb7a.exe
5020	581799237e8f5c3cecfedfb6b8aaeb7a.exe
5020	581799237e8f5c3cecfedfb6b8aaeb7a.exe
5020	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4680	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4680	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4680	581799237e8f5c3cecfedfb6b8aaeb7a.exe
4680	581799237e8f5c3cecfedfb6b8aaeb7a.exe
760	581799237e8f5c3cecfedfb6b8aaeb7a.exe
760	581799237e8f5c3cecfedfb6b8aaeb7a.exe
760	581799237e8f5c3cecfedfb6b8aaeb7a.exe
760	581799237e8f5c3cecfedfb6b8aaeb7a.exe
3020	581799237e8f5c3cecfedfb6b8aaeb7a.exe
3020	581799237e8f5c3cecfedfb6b8aaeb7a.exe
3020	581799237e8f5c3cecfedfb6b8aaeb7a.exe
3020	581799237e8f5c3cecfedfb6b8aaeb7a.exe
3584	581799237e8f5c3cecfedfb6b8aaeb7a.exe
3584	581799237e8f5c3cecfedfb6b8aaeb7a.exe
3584	581799237e8f5c3cecfedfb6b8aaeb7a.exe
3584	581799237e8f5c3cecfedfb6b8aaeb7a.exe
3528	reg.exe
3528	reg.exe
3528	reg.exe
3528	reg.exe
4748	cscript.exe
4748	cscript.exe
4748	cscript.exe
4748	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3956	dKYEcsIc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe
3956	dKYEcsIc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 2840	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	90
PID 4804 wrote to memory of 2840	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	90
PID 4804 wrote to memory of 2840	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	90
PID 4804 wrote to memory of 3956	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	91
PID 4804 wrote to memory of 3956	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	91
PID 4804 wrote to memory of 3956	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	91
PID 4804 wrote to memory of 3416	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	93
PID 4804 wrote to memory of 3416	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	93
PID 4804 wrote to memory of 3416	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	93
PID 4804 wrote to memory of 1596	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	95
PID 4804 wrote to memory of 1596	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	95
PID 4804 wrote to memory of 1596	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	95
PID 4804 wrote to memory of 376	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	98
PID 4804 wrote to memory of 376	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	98
PID 4804 wrote to memory of 376	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	98
PID 4804 wrote to memory of 4428	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	97
PID 4804 wrote to memory of 4428	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	97
PID 4804 wrote to memory of 4428	4804	581799237e8f5c3cecfedfb6b8aaeb7a.exe	97
PID 3416 wrote to memory of 3516	3416	cmd.exe	102
PID 3416 wrote to memory of 3516	3416	cmd.exe	102
PID 3416 wrote to memory of 3516	3416	cmd.exe	102
PID 3516 wrote to memory of 4364	3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe	103
PID 3516 wrote to memory of 4364	3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe	103
PID 3516 wrote to memory of 4364	3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe	103
PID 3516 wrote to memory of 3904	3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe	105
PID 3516 wrote to memory of 3904	3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe	105
PID 3516 wrote to memory of 3904	3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe	105
PID 3516 wrote to memory of 1976	3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe	106
PID 3516 wrote to memory of 1976	3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe	106
PID 3516 wrote to memory of 1976	3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe	106
PID 3516 wrote to memory of 4088	3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe	107
PID 3516 wrote to memory of 4088	3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe	107
PID 3516 wrote to memory of 4088	3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe	107
PID 3516 wrote to memory of 3152	3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe	108
PID 3516 wrote to memory of 3152	3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe	108
PID 3516 wrote to memory of 3152	3516	581799237e8f5c3cecfedfb6b8aaeb7a.exe	108
PID 4364 wrote to memory of 4736	4364	cmd.exe	113
PID 4364 wrote to memory of 4736	4364	cmd.exe	113
PID 4364 wrote to memory of 4736	4364	cmd.exe	113
PID 4736 wrote to memory of 3844	4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe	114
PID 4736 wrote to memory of 3844	4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe	114
PID 4736 wrote to memory of 3844	4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe	114
PID 4736 wrote to memory of 1172	4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe	116
PID 4736 wrote to memory of 1172	4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe	116
PID 4736 wrote to memory of 1172	4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe	116
PID 4736 wrote to memory of 792	4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe	117
PID 4736 wrote to memory of 792	4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe	117
PID 4736 wrote to memory of 792	4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe	117
PID 4736 wrote to memory of 4996	4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe	118
PID 4736 wrote to memory of 4996	4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe	118
PID 4736 wrote to memory of 4996	4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe	118
PID 4736 wrote to memory of 2764	4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe	119
PID 4736 wrote to memory of 2764	4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe	119
PID 4736 wrote to memory of 2764	4736	581799237e8f5c3cecfedfb6b8aaeb7a.exe	119
PID 3844 wrote to memory of 4260	3844	cmd.exe	124
PID 3844 wrote to memory of 4260	3844	cmd.exe	124
PID 3844 wrote to memory of 4260	3844	cmd.exe	124
PID 4260 wrote to memory of 1208	4260	581799237e8f5c3cecfedfb6b8aaeb7a.exe	125
PID 4260 wrote to memory of 1208	4260	581799237e8f5c3cecfedfb6b8aaeb7a.exe	125
PID 4260 wrote to memory of 1208	4260	581799237e8f5c3cecfedfb6b8aaeb7a.exe	125
PID 1208 wrote to memory of 2844	1208	cmd.exe	127
PID 1208 wrote to memory of 2844	1208	cmd.exe	127
PID 1208 wrote to memory of 2844	1208	cmd.exe	127
PID 4260 wrote to memory of 4744	4260	581799237e8f5c3cecfedfb6b8aaeb7a.exe	128

System policy modification 1 TTPs 14 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	581799237e8f5c3cecfedfb6b8aaeb7a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	581799237e8f5c3cecfedfb6b8aaeb7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	581799237e8f5c3cecfedfb6b8aaeb7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	581799237e8f5c3cecfedfb6b8aaeb7a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
"C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\JOkcUAUs\jcMkIYEI.exe
  "C:\Users\Admin\JOkcUAUs\jcMkIYEI.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2840
- C:\ProgramData\UikAIEUs\dKYEcsIc.exe
  "C:\ProgramData\UikAIEUs\dKYEcsIc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        10⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        12⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        14⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        16⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        18⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        20⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        22⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        24⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        26⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        28⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        29⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        30⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        31⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMcccEYI.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        30⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSQAEMYI.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        28⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMAoAksw.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        26⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        27⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        28⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        29⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        25⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUsUgoUw.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        26⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmAsYAQk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        24⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuIAkIws.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        22⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xucYMIUA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        20⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKkQgssk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        18⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMYYUIIw.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        16⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\woYwkMgs.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        14⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGAEsMQw.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        12⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyEIEYEo.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        10⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:4404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        9⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        10⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        11⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAYUoook.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        10⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        11⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKkMQoAw.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        8⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3420
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1172
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:792
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiEEMYkA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        6⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2760
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3904
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:4088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUksoIUM.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:3152
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1384
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1596
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4428
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:376
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4456
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAwIwckU.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5020
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2928

C:\ProgramData\BmQUUkMc\JEwAYsYI.exe
C:\ProgramData\BmQUUkMc\JEwAYsYI.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:4244
- C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
  C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
  2⤵
  PID:3532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcAgoEkc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:1564
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4472
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3972
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:3020

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:1756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:3216
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
      C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
      4⤵
      PID:1208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOUIwYgo.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        5⤵
        
        PID:1168
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:2024
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2408
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2328
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:4752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        5⤵
        
        PID:4520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuEUUsMc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:2028
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4972
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4064
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:4292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:3528
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mosYIAgo.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:2576
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4404
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4060
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:4188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      PID:2928
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USwcMEMg.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:3504
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:968
    - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        5⤵
        
        PID:3692
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      PID:3540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VioIYYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:1156
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1380
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4200
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      PID:4052
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsEQAsUs.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:720
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4968
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2524
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4512

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      PID:4768
    - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        5⤵
        
        PID:4996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUgcwAMY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        6⤵
        
        PID:4380
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4244
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1992
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        6⤵
        
        PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUUswUcE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VaYYsYcU.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        5⤵
        
        PID:3648
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1284
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:1556
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:4572
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:4344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        5⤵
        
        PID:4052
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKcUgEEw.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        7⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:3484
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:4900
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1384
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egEckQYk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        5⤵
        
        PID:1140
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:3228
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4948
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CooIEcYE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:1336
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4760
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1476
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3352
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4092
- C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
  C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
  2⤵
  PID:3116
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3032
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:2092
- C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
  C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
    3⤵
    PID:3056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEMsEEYQ.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:5004
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5100
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQksYwoA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQAEIYIE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:3648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:1808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    PID:3732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      PID:2236
    - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        5⤵
        
        PID:4584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYQUIocc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:2776
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3916
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:4536
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2256
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaQYccgE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:532
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4056
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3528
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4676
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSgMQQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2328
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1856
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
    3⤵
    PID:4092
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgccIUMY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:3020
- C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
  C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
  2⤵
  PID:4936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:436
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsEMkYQA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqoUYAEE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:4228
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:3528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKEUAkgw.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:3116
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3144
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4872
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3848
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:1852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOwYsgYo.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:608
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2084
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3544
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:1496
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:2764

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:4716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EucEUowA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:1168
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1784
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1552
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1172
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:1724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    PID:4568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      PID:312
    - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        5⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        6⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        7⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        8⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        9⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        10⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        11⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        12⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        UAC bypass
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        13⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        14⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        15⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        16⤵
        
        PID:2432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        17⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        18⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        19⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        20⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        21⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        22⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        23⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        24⤵
        
        PID:2688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        25⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        26⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        27⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        28⤵
        
        PID:4996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        29⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        30⤵
        
        PID:4396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        31⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        32⤵
        
        PID:1880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        33⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        34⤵
        
        PID:5092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        35⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        36⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        37⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        38⤵
        
        PID:3996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        39⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        40⤵
        
        PID:1396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        41⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        43⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        44⤵
        
        PID:2204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        45⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        46⤵
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        47⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        48⤵
        
        PID:1036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        49⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        50⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        51⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        52⤵
        
        PID:8
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        UAC bypass
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        53⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EeIMAQMM.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        52⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEscUAsk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        50⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwEQwEoc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        48⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        UAC bypass
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:2256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIAQAkkc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        46⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        UAC bypass
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QokkkMgM.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        44⤵
        
        PID:496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAQAosog.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        UAC bypass
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCoosEIY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        40⤵
        
        PID:532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEQIkwow.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        38⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQoUsoYE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        36⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RyoUYwcE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        34⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        Modifies registry key
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIQQokEA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        32⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liwQkUcY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        30⤵
        
        PID:3916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        UAC bypass
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucEEYAIc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        28⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecccEQUk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        26⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWQMAgok.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        24⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\poksAkgE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        22⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuIIkUwc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        20⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies registry key
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWQEYoks.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        18⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies registry key
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUIEwwkc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        16⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        Modifies visibility of file extensions in Explorer
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIogUcIc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        14⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:1808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuwIQcUg.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        12⤵
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:4244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:3340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYUYkwEc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        10⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYUoYQQs.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        8⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2956
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2688
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCEQoUIE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        6⤵
        
        PID:4260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4048
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKIYAoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:3540
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1844
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:832
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4344
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3104
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2740
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIQoEEQc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:4052
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3340
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4736
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3528
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:1476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BmQUUkMc\JEwAYsYI.exe

Filesize
431KB

MD5
91c003ca2f8e0b04422d424fa93c1332

SHA1
a61a680131a8947e05cb80e6eccc978198e2bd60

SHA256
db45a51c6961c381833cb5ef60d20ccb47979493088196c080a1662de115f89b

SHA512
0e1118b119dc25dd9f135d0b6f1513837187925696bec3040fa8cfba8ccacf2da74d6eef3bd033f95285b33486c77e12c19be1737f029165ae8c62cb247b3581

Download Submit
C:\ProgramData\UikAIEUs\dKYEcsIc.exe

Filesize
431KB

MD5
e586146534d460e00a12d7c8879fe062

SHA1
b25b9b94e805066855af36531297814606b15af9

SHA256
85c2766fc17458fc9325d257371a24d7dd8cb0eb60ae256727e4a39894912b83

SHA512
1040fe93ead6ce77266d958df38933209fea12159c2cf30c0f7bf43546e62267b0b9c381949716a388ed6a3663ff23f43529575049378ae5926d623c75ab61dd

Download Submit
C:\ProgramData\UikAIEUs\dKYEcsIc.exe

Filesize
2KB

MD5
4798f4698666ced3ada149bc6bcdc98b

SHA1
15b8dfa2a55157fec6335b605809bbbce7200a8f

SHA256
1c2ea529610ab294f0967d632e594656f4ddde8071ed892d1e12fdf09dfe3f49

SHA512
7407bab97590515d9759cceda15932d280efbf7091a2d3e07b63e243f659e9370dba6f3850021b7d4427b6db768447e97c9048939b4729e91c71b055c591a32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a

Filesize
48KB

MD5
962093c737839e34489f80e492c4ebfe

SHA1
097a7e3bbdc5bd954666f87f7e505104c652e227

SHA256
665784bf5a2b6813e22449ec557faed6f2bba3925fd07ff6a27629f06bf5f9a1

SHA512
82cb897dda8316917f25129f13e88b8c248829ecc7d54f90109e18a76a44698ea19d3385de359f8ec3e2690f3c46340da807e77417f309009c338e3d38cedf1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcAK.exe

Filesize
440KB

MD5
80c6ec6a0498253a8c50325fa8bed161

SHA1
41cc94f118d9d6df8e4aec5b9dd06bf36983caa8

SHA256
eecb5f51a78c9d2317e72ca4ba1531d6682cbce6f853294b459fbeefe6d6f680

SHA512
ec6a6b272a91a4574376751ed08ae0cb5b2781cf976c3d1990146f2ee8a2dddd1fd5c9a62a7f71afebf154afc7042948cbdc51b06104f0c62a39666f81dcc507

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcIi.exe

Filesize
1.1MB

MD5
4e25ac1d5715ea4e274a5dea43880538

SHA1
c00dccb4e9acbbb3267e266ccb2f1c05971ecf30

SHA256
612c04fecf9788c8e59321faa1dd6ae36235bf5604317e900bc7b65db352fc93

SHA512
97abf13774ad808ccc3aeb1679ca651b7076e0503466184aa92b02c3cedc1fbbe68a6909183f4e830c4220f4ab077148379e0a40e48e8323c9712322b6792bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAga.exe

Filesize
3KB

MD5
8ede39881ca4c11d1723540f61085b7e

SHA1
f4c65a345b7fc686e46f3f275e29e533623f4c2c

SHA256
16bec58ea7f130c63a408a2dde259d6f4dd3b0345b84010984c9e0bbe6bdbf3b

SHA512
ee0d45c84a8151af6dc97b1f8785ba467b062ff301db8e594826ddfd77347ff736a1401b1745c61edb7cf78efa9ab9d6c7fd4e9e607801cd17061009bdf18bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Esoq.exe

Filesize
670KB

MD5
7a7ae0848ec28f303b05d213ada9b5b9

SHA1
214dcc082a3eda2f0be04247702044665f7a7068

SHA256
742f786f96965bc420d5302391cf9e833afebee8049e5a65eff0bf43deba297e

SHA512
de02ffd96157c1ba995955807125988db430fd2b8496481b73c5b0f99ce9a226c762873e9a7a5aef865482ac8f574fba934bfff1a2e33c525477559e46c5e0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEYu.exe

Filesize
177KB

MD5
d2b257ff65f530600456cf3d8e80eedd

SHA1
3447d6df9cd76401cc0e24e6862c7f3d12a10b68

SHA256
40016aa205df37469aabbedede6dee1be864bf27b11f148d293047ca7e712b78

SHA512
777e51d25c60362617622bc32e7bea984d9e267c1a6a9eae4fea0324ef3b621a59f9bec0fe1f24f37dc7224ed96eaea2bbf9acdf83b93c9ab3bd0f58ef7fa3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMMu.exe

Filesize
438KB

MD5
7f7213ed4df9db729c23b3020ba083fe

SHA1
cc27742e87b3ef0ede98adbcf22952c8731a8aaa

SHA256
efcf10ff9a9acf8c34f42cf6e6362417eaa3ab1bb51e9b49be3146532b878d0d

SHA512
6a4a146740f2f128369d88136e13f92400b9caf209408b691e10dd7dca49b1f8f0609117509c44db23352652f141efe34485638566533ce4f77d198e233c45df

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMEa.exe

Filesize
92KB

MD5
4e7df42a9e09024de56b187399c1cce3

SHA1
3e8628ca82c88dffa19d6edbd60a192a1da95f3f

SHA256
ed520aed92880766e024d252524769dcf1afaac46f80d611d3e2169e27ef0c29

SHA512
21ba7f1723f0902a4bffad8bd10b7a4f8a192a485acb110ac2956a01f89648157da3298de0f167fcbd9fb710671cb78b93014aa0371d44bf8d4c8aad0727041e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgQM.exe

Filesize
5.5MB

MD5
7f573c9c80d624c54531a504139191fd

SHA1
242d9fe17ffb1d403fe9675da4fbdcb8fd78968b

SHA256
fd5c6dbf6146dd57efd6589db35d1cc8bc4069eb931d5a5237a2041ea086d779

SHA512
18a9828233b4c43fc7356e1d95d3d7e61a515c2da6d8c0e2d1ba0975967a002491ba24aed6f64401eb92397eda4c2bc7c20d56033b80b5f09d784a304ff891a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIIC.exe

Filesize
438KB

MD5
9690da822ca345c1682da32635640e34

SHA1
d513c8b5d6e4cd5a2bf8dead399b63a743660fc0

SHA256
ed27808e7c60ae82fc9cf8f4a47ba9f82d82ed54a5b01069e0e3c0e50513b008

SHA512
15637d2ba7576ee1f50dce95f0cf9010ac9cbb6fdba6df361221dc2b6dda800ed225f5431e26612571d91b5afbd062971232c8f96ba5c718d779a8f788a57718

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcQy.exe

Filesize
140KB

MD5
8e0c650738f9a68b9f7b9f6be4ce8003

SHA1
564511f3e009c6c839c000d4a76b306fda40185a

SHA256
072c6e905efee8a1f915def4c0204c876e61e303f8ad74b8a2c0b7fc9e89c461

SHA512
0dcdb5513c4f5ebab7eb038f8c8282e4de9c3e075e212f477e2aa30cf8033d1db63be2687fed2d599032c8e8e2292b80a35b88d4c1abe58a5e43bd97464a0aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgAW.exe

Filesize
78KB

MD5
cc91500f27e06f532d482b7f07e903ab

SHA1
1db04b5f65c30ed958cdd62571ab3ac3c3f48972

SHA256
2d4b07ad7d65cf809ccf5102b1b4e3880666db0ba549d98b73d459a98770523a

SHA512
398edfa674aca6a44c0d1238166613fa3602a786db4a1278f80e4a0189c6eca1d7f5bc1789b97ee338d766eae95050f97dc6731314fe29bae3e87e84fd69d9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgUu.exe

Filesize
438KB

MD5
a689248196042cf39da90a9c9cccc33b

SHA1
c02d4208afae515abf69785b48383590f560dfe3

SHA256
75b667d2a16936432b3be5c9d81f8c66aaddcae17597b61a82c2f3fe8ca801d5

SHA512
91cb16a4201ff6be2cbdc38f92abc037fb05d989f53c7055f800ccef74349185de1bbe9aaf76786f365f44f256ac8c6fc982d16b2f6cefda5ef7758a08a258ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\JgAm.exe

Filesize
436KB

MD5
4dfd575ca2c9ff25d103167777c8b1f2

SHA1
c7c41220b6b66257c521153beb27f1b97a388d36

SHA256
336f40a4b36e74a9078f1f00fd7cbf191f4e80daf80e4a469b9be377d7aec2d2

SHA512
d5bb93f470e9f0093eb3e37ae8ca59d34a8a4ac7f64193edbad8cfd5e5c329ff8d2beddbb4ab434c282c1ea3c8948d04158a4993389f8b8bfa24e6c32ef27147

Download Submit
C:\Users\Admin\AppData\Local\Temp\JoEQ.exe

Filesize
1018KB

MD5
0a98a9f66bd5e3cc41630c4ae1ea7b63

SHA1
775cdf281ffacef5e3894372317003c1fd90b40e

SHA256
736c50c508594c5bd09f307be185ad831ef352a513316492c2917e430ebf571b

SHA512
3a565efbac7b36e78549a8ed6d1fef06e5489fe02a36bd6691a2e8638e05dd401b8cb12ff25c90e6c4f84b5f7d9e804250b567bb82c2cd4736dbcd18dab48f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMIU.exe

Filesize
439KB

MD5
8b518a5fe14e6b95c3b14c462ab0b801

SHA1
9ae69c09727122fd507131df39dc002a79944e69

SHA256
ab268ac9cc9eba47d0f025aa0e7aceda727245a5a010bd803811cff063899de5

SHA512
c3e11a8a0493a45cb9f2f1de356e960d71b861102321eabc5be91bd0ff0cd48dfff85aad34d735496c1135db165cec665f8afc7667f10d347a011a674f6d692f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUcU.exe

Filesize
397KB

MD5
3cf1bb79b5456d86ab2ee18ebdc55271

SHA1
1e1c81873e038f8d9086597ec32b3bbf64ae4da4

SHA256
4cb25e6207a8ecc7fc004dc686da26c8fda97bc1ebee3ea34e1118a781d0bd1b

SHA512
9ee002f39490b9df483864d246007d427fd754e408ef1f3434b01ab7f757c05115e04bc198b78d0203aae66e8c46eb24cf0c917e43fe6f67c8a67cdf1fbfca4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KogW.exe

Filesize
281KB

MD5
45f38ae7885b76976eecaac2ae245762

SHA1
9a2c9b99c753132589843be6dd58280ea7edceb2

SHA256
a8497ec3cd2e7db0804b5957a24b38a0fa45cbe8d389d443ba377ef1b7b558f8

SHA512
3d9cb2b25d525e88863532d10e7e66bc73d77a8f2eb2280bb9c5653088e10313eda7a51a5ec47abc3be1c89e8bec12ed7b91784ed2bedb68eb7708b5b5369dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwcM.exe

Filesize
471KB

MD5
76d76ffc93de9c3e68d389963eac130f

SHA1
1b95631db2a55150ae239571772e1cdb94c5fdfe

SHA256
79b6f53e34f92320833e041df6af5a7812f836698dd215ed71231c70eeafad8f

SHA512
b253994743b29c73a3b5c49f775ae397ebb5c1f546c0a5e12a73454875665124f32cf1cb30993c7be33eb69b98c2953aed63d305ed691ca3f9a8d3859c4d6628

Download Submit
C:\Users\Admin\AppData\Local\Temp\LcoY.exe

Filesize
876KB

MD5
983dc37e3038635552e047b87e03c127

SHA1
8dddb8e38b7b69fb330ab68d390e9977f70dbf61

SHA256
adc9137745e4b41694c1e8f2e599a895e122bd85e871204c7f89985a1e4fac69

SHA512
7081dae0acd93ab5be6ae10b9b603a7f3a1286f1326cb607565993b2297640259f68fd84f5cabbe18a582eef4bacfd915f2408067613d4340e020ba05dd3af58

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsQo.exe

Filesize
434KB

MD5
6b9bf4e3c3fbe74f531e941e6566caf4

SHA1
9e4152280f409d20fc520b256da35cf74e7d9dfa

SHA256
c16c9d3b0fc4d898aaa3318297a76ee4b6a7bd6fde6fd1d30a0e123a2e18e88d

SHA512
852b6bc5442cc37b84674e52de1b1c6cebc6cc0c3af30c014984aa04628960408b0f0d4288cd105be1fcf50007beabfaab751bb0c4c132271df77ecd64782613

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEgU.exe

Filesize
71KB

MD5
bda10572bcc851da3b3cb27e8690e460

SHA1
a97d8c51e9c45fe7763ce0774d9b8916228d5cd6

SHA256
90037c5af75baed536e08aaec684ac547695bcebd6c3c2e67c4a0b3b2973ab7b

SHA512
114bb48e6364256b7848ba781291387a4ba4ba43a880574ec0c79029870f5f429ab5cc487007b4d33055dbb19000ce60e29e818f3dfb194e244615ea4593e07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NsoW.exe

Filesize
559KB

MD5
e6dce4a9bd490e6e132470093653241e

SHA1
937009ac855d2d9b9b5170403f346d115c153e35

SHA256
20594929824a3edc9e129673afc8c543a7a7eb95f5e9da9d072767fc4c1f7188

SHA512
043b48b5c8e4add5aeda99a82a855ab8f0e372622c0d5cb9f435ace9ad7fcc43d0f92aafcb99414b624380dbd71b511eb6eeace1edcb7387565931de3fba60ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAQM.exe

Filesize
888KB

MD5
815fa958219eb3da93b20098bdbb24cd

SHA1
93b662bd9190602d9637c7741b372b2313453a37

SHA256
6be5a26096d8877a0bfa917daf5ebff2b8ca86192ead2b68370bd4b78413018b

SHA512
ab346bbc7fe57dfd0487ec50e82bd6d9a6696c69f82b4d965b19466f29d92c7577075dacdc66a867ee603723fc7554c5ab0350512cb14a8c39680587c2a1bed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkAE.exe

Filesize
436KB

MD5
44816ecf9bb1b6cb0911e0716ed6ecaa

SHA1
ee6b5d268c175200b27393987a9456810d70db7c

SHA256
b5307b6a844dd5d3d2a2822cb7808f3fee7ad3836b0e2a083e8d4694dda7decb

SHA512
ea04d9e2804bc0ac56fb33a8817e8a9eed0c940a49a38f76cab1257abbd0f1e3b1195445ccac2b3515554b6bb475adf133208bcf072def8338dd9fb93f67e252

Download Submit
C:\Users\Admin\AppData\Local\Temp\PscU.exe

Filesize
416KB

MD5
ba885a20437551f43aa9ff98d69245a1

SHA1
809a27f595acef6235d14fc0b5e899c1e721868b

SHA256
28f181211e742bf8a67263ac624e701d3aa8eebd8644f2eac3e414b96af2ab42

SHA512
253d575d8848206759dc3fcbad333ca12df6ae264b975eafd7526dddd6e85c67084b746b1ddb4be62434621c3423768bc8fbcb75e851525098904912ea52edb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUAq.exe

Filesize
441KB

MD5
ad3d219a472dd770c3b69e1ba700809d

SHA1
1153fa7cc59e232762f23efa94a591326fb3c6a7

SHA256
e9415395916733f3966a6fb2b3946622cfabab0ae2b37c95db09c46a9c02a65f

SHA512
84c4e2351c11018c71605dc9c53d0b033335919897ed7befe4d995537c41fb1c7dc0f448600d1f453dc24692d619dc0b4a836311787d8db1545a9f406830dcdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qkkq.exe

Filesize
441KB

MD5
4dc71d9330f22bb7de22dc1b587e2320

SHA1
2f4e2f108645e415333b962a29705ef6aa40fa51

SHA256
9725ac4689dc3a4e43b3d502225e030004d24944196962893fcf0e3a17152c20

SHA512
09106fee0bddb7586de759218126a1a7aaeedead67c2036f6d1639ce596b3a2cdb8fc2a9521029fee828fa79a845a65dd36c471fe9db0bebe244b5fe2520f0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUgk.exe

Filesize
92KB

MD5
86dfe6ddfe156e3d571bd88c71cb40be

SHA1
df919edce08791f09f96f6483a6538bc745f5651

SHA256
d54fd73d76ac34a119f94d82d25cc5878de433d615297c7f40588f6ec63eac5e

SHA512
cef9f79284739f7534856a8e4b5e97bb71e9ca78631885bd3e1c8611a7b9f56cfd5b83c1d530323b793a57ef02894093c80b9a83f364aa87667e89edc75c61d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rsou.exe

Filesize
156KB

MD5
13fbe1b62a25237ad7a3851c9f50fe98

SHA1
34d8aac27c47ccb9502bfcefdd8959cdcc8eedbd

SHA256
f70b60e8a069c1cba8ec9eda6882727dbd719598dc626fbff9146c247cac80e2

SHA512
abd3a27afa8a6a8866252c26eef9c1f8065d32ea57307b70d8af75f63f6c37c561a0dd3ff121978e349874d78d3e9057ccffa36112cb3809e39650b8d1db3692

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIYK.exe

Filesize
32KB

MD5
d831083ab82b90211a9d31ed8aba857c

SHA1
9017ae0f82cf4a5f55b72fdf26d6b5155c6ebc82

SHA256
7355bf7bf1524d7ed296cd57b50c4c07641ac6607a2e127181a0e9a1857fb923

SHA512
d956c3e79b038c5c10ddce6b62ae427d730e8ff41c99a7066bc0ac94ac0dec830934ce1473c810bdf25b7766e7d8a168919dc7515958d44148be3c925071d53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoEm.exe

Filesize
257KB

MD5
52be84126c4e8607f29489fff3f0161d

SHA1
0058356f724eaf484cc6b7533c118e502b414e7d

SHA256
fd42535aaeedacd8ef6c9b66c52e5048b61621d0b0e3803a0d3fc12f131bb2c0

SHA512
9bcff9926e23abff8d72dcf923229362923c0e3126e5e3aff16e3ba42e46a439afb2e6665bc069fe530c6a3f11374347a80fd3b1342d1febb7c949d8952697fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SokA.exe

Filesize
6.1MB

MD5
c06d641e8b58e43cff95f7a3cb8315e4

SHA1
136b53ea3b72151c3b4141ed71ed1e6ad02e3a0d

SHA256
54d24d027a8da1c50ebf5455f3b34fe78a27a139a16430963c12ffb1f17586cf

SHA512
36fb08c3a64bbf9501ee8290187080c3b5ece56d1f113465e454c07a3af132628360174063ad8cd04076ace7e493b506bdd268939b86c67eb052df7d5094f7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TYUK.exe

Filesize
979KB

MD5
b0c881e622ec6cf5f5870922c5d228fa

SHA1
421cd72589f8481ba0c3e5b87d3244d0e5d96791

SHA256
f4e8cebe5242adfbd2faa15f2389bc146af119c8db3ae6e89696e7b624a21193

SHA512
a5521a4a1144a034a3c0679f0a5729ba2934c8433d5cf24f7f87c36d6b4125d766259bc746e950b7d79a14cd8df603b42b5057fd6cb440bb4f11f1f422aec0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\VcIs.exe

Filesize
437KB

MD5
44ec02dc5b75e723d4f7a7921c49723f

SHA1
744cec8f4244ff29cb3be3138656807d33b5cd21

SHA256
0f5619ba15fb56e72cfae72d3e086d78102c8dc043b89d76a7fbabc4c4664bcc

SHA512
0ffa387b0106267366954e64e90771e5da839ab14227e7439086026ab93dc5a46bda3ab088df50ea78e34840717669198fbbc569653ef535a700d88c75d7eed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgMS.exe

Filesize
351KB

MD5
753b781624e6ce50975290e74d87a735

SHA1
8b59b56384d1313e2dfbc853f2d35564d192beb5

SHA256
219586b32a1a66be2a6e353441594518bdd85dbf0413d98858f759fb4cf610b5

SHA512
2b3916825f767dc9a4386764135a13a4b4657b2c27696fff17e74c4f1ec30bbf3c8698aa0506802ca08fef198f1633bb3e676330a2d556c396b71ccdbbc9c428

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeIU.ico

Filesize
1KB

MD5
72743e7257fbf4406406386272c363df

SHA1
4d6df808961c1e58e6095a2726494ab17b8d1ba7

SHA256
ea20fa01b90789046cc5d47a37d18b998702845bc3595db1397eb3fb97e87f30

SHA512
4011fdb23acaf71a24eaef145f6d3e34b66088ff673da6b899e1f71401485330942aa0587ef9fe5d8132b31b52bf2089ed8a3318573c79056ecf60720c456244

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAYo.exe

Filesize
436KB

MD5
14862eaca4e84392b107f5ac28770ad6

SHA1
c1185bb9609e73acb9e731a39b92af333abe0bee

SHA256
847da13944ae57f365f144ef56b5ec1a9d9aa5f02aa08a0638c58baa3c2d59f4

SHA512
8c080e473b6adbb25cbf6a21d08ad724003265076a1f7655b2d505a30a85ea4e262f7391aac6a513637022640e16c3a8be33e5fa0929d56b399783f5c033ef7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIQi.exe

Filesize
350KB

MD5
a2dfa267c37e63f75fbc90b1eda62ec1

SHA1
1eabee1f494d785db7c389a0a47b32e68e96f808

SHA256
15491fda21da59a926a021f7ed2c0fd100f306d7c00c3328087e26f5017fb4b6

SHA512
58a4b58affbf25092c0471be02db37db14a013cb6081669ddc343b634e11bb9693047d3b09f33e65d5d3c7bb70bd0aeb12cfbb7e707ad829ad06c790fd58bb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUgo.exe

Filesize
1.3MB

MD5
ee65059f9d147ca372c855f10f51e5f1

SHA1
cb6e0ff5bcc5f00b6898ad3c3ed6ac8b26f43e6e

SHA256
305d98d457be29e5cbb3ed2f9f5925ef3acd1b4ef42cac3263bd4ba1d7684f98

SHA512
e3c616187bdf27487cfcf63cdb4004f40e6b4bb695b3cf46b972900f73b11acc0896e9eae9618f7e7044e2679a9d5ccb4c84692ee696f081d00c8e5baeed5c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQkY.exe

Filesize
434KB

MD5
2875150488a826be87682ef80d4e755f

SHA1
d37dc745beebae5e31728408075bae59a322d526

SHA256
736d89b5e5a3692a4f2c134a108d3628d54988752aa26465b2957ee4e4006e06

SHA512
2724be5f95db287950dd083c067c663be3683340a5e714b6c9c60ceda0d0eefc05b4e6c42793920ef174a36299061b370820658dc9dbdd1c68381c5fc67eaf97

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUUO.exe

Filesize
1.0MB

MD5
5e1c67357a9a291256fd676e0f5127b1

SHA1
c66d08df8b65ca89b20b8ee44825b7680ed45b83

SHA256
6aed109678d2ee1fb28ce743e115461c6b0ef7c33c078e963bdc2a65974808c6

SHA512
ff9ba801c223c5ed3796e19443b8d950b6fd88e4c7420500dfbf4d70d586ad6c6f1e855076e1bd355d77295588b0b3fc4047829b1769606cbc9279d675eb1d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUsI.exe

Filesize
1.1MB

MD5
97240826881f6f2d2f799f06eb1ff37d

SHA1
a70461af1a092bc550a59bf759abb30c5ebfde0c

SHA256
215d758302a2cb0dc2108fa36193e52a97f7e2e72ba19d5c19f172461f4c80d1

SHA512
75a6afc29d52b47e217a4b6c8bccae0fc63e0e20679e7f2d797e2373a8ab562eab5ead343b958835445f8778370eaff5aaa2ab643db3535852776c9760d3a50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZiEEMYkA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZsgO.exe

Filesize
442KB

MD5
ea1d0e22ba307d9c55cfd8ab433d9170

SHA1
6b39d1309b6edc337d250c7b46a07c0102b35d2e

SHA256
c253ff8501cc328f143c815ec19a1abae4f6927d2b6af3354ad39364b1ad581c

SHA512
56146e35a62c14ebabc9269277ec6ad4911c651d5c14deacef111e66d1c80463d4372d6662ac0b6dfb224c2a735a539898df64a9f2dbd8ecf70bcdbf05e53219

Download Submit
C:\Users\Admin\AppData\Local\Temp\aGgQ.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEwq.exe

Filesize
442KB

MD5
bf63be0dc059cd66c35bf494209ca930

SHA1
00cc4396a47576176eebe8441d6b43212352cf58

SHA256
e99f13b31dcdacdd955bbd305f12287a14701486f33f825ba49c416ee2726e3c

SHA512
db9a4cb3693d77c939666c5180511661ae9d6fee1edf7ceafea15e5f2c9b806d48e6b3f8b8b71f122a3d8aabb24e83e457c6255473e3b875101ac3423db6d270

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMUg.exe

Filesize
91KB

MD5
5ac64f854879152d927c8ce269c2413d

SHA1
67e9fb86875be7a76a5e47495aa77a11a4c2cb24

SHA256
9562f9439f63c05c329eba7d6381c12350b9d21ef6d259eaa81d39fda63320fb

SHA512
a7a4ff030fba7a244ea6e2d27ae1444e4f08ba767f925b761f208541a155aecf6c241e0b510fe0aebdbcda77343d395bf9c7a6325babec0f49ba163593368279

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkEM.exe

Filesize
434KB

MD5
caa4877f3875ac348802264bc76e75d0

SHA1
97308a4c55077669e079d2b0f8c73eb52c4423c6

SHA256
fed54021ac7e6572e9f8fc8bf4072fb42bb295f9e822582a085836076c23fa25

SHA512
9ec259461d07b6e27b375bcbaaf5567a4c7f567eac9406c4d6d45c8d53a71b4a5ca9f72e4568bb5192c38e7a046d1bc2edf4e982c7e48f8469c1ecbf24458e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYkW.exe

Filesize
435KB

MD5
914715fd9272a1b27cd5042eae836975

SHA1
05c586bab4936830055435477b8a6f4e6795bfeb

SHA256
5f3e29cfcd40f0d7eaaf6d8b658842ed3baa6aabded2627b04ac3766600bd141

SHA512
5398950c696d691578e31deaac3bf597d3e2a5da9c2ac62ac9a543abaed107d4dc517c7800aeed25d13980fefbed12ea95ac10dc8840c118efb95bd8be48c6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAAq.exe

Filesize
64KB

MD5
7488fe586a4a448d08fb81ed71a0f095

SHA1
275eb74f99094a7420c73d451b5befd39fb6f68a

SHA256
6a069d74b36f3e4ecea6381d133fe4df2be2a72c6ad634f1985e34161e6db18e

SHA512
152fdd4315945a5e6df6240c8c6416cf9f108701c0e3b2256c1b3d47bee66b09ee4728bc36e138a4e0055cc7733f14021e456cd1fd6d4f5e617e04a3c644e294

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIIU.exe

Filesize
443KB

MD5
ca749d4f387399bf7b24aef5cf92ac5c

SHA1
fe71e33a9581d52bc6e8ab5f0cda46c898b1e4df

SHA256
c5c74da5952aea691888f468644ea025c7fe15b23368424685bcfb8926228733

SHA512
9a446d3e8c32356c106a39ecd34ac10ae3aab831f111c00128fc144a5560f0b77819e40a9de58ec10888645b4ba7a505ef71dfcf003d18a9dc7c3955d070b389

Download Submit
C:\Users\Admin\AppData\Local\Temp\jksa.exe

Filesize
92KB

MD5
de3c96a686ce036882aae8afe556830e

SHA1
608c74fca8fb3e5a7e5d17d9b9ff6c2deeb2734d

SHA256
49c56c40e3205ad1c3f8b4245326ec1bf8853efe25f1b18f7a883a70378e89ef

SHA512
db5752b642a9f871f5b6694e2050d0e8a17e9fef2830df91ef9fcb8649dde3f2b7d5e6e20149f335669f647777cf62c5430f78275b004ad0c7b70ec91e851bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAgk.exe

Filesize
436KB

MD5
d0bdaa100271938f527c3c83c3809ed7

SHA1
1502628874065a911db393c52ca320a36cd53aa1

SHA256
2497e322a113736b26ed11dbf8c9766988677aadf3e874887060916788bff79b

SHA512
0a2bc43c817707ac28b266686d54ac357c5f9e61b9ec7ab5a4728f92cd0089ee42ece813e4609c99c8037291d7ea864a3412256b453fedb23461da746fea2719

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsAk.exe

Filesize
438KB

MD5
086c8319e4eacc263032b478c8028687

SHA1
39e93b7507c64e7337a97749dcf9d99fbd737449

SHA256
dce81f638ac5d5bc0d42e74b428944c376b4864fe12d171445a539bf48bee360

SHA512
5915524410e848f7d56e647f5e966e86e6d902e4e9949ca2e08ce22410150d2d787397b54c9bed554985b9464c4a8b93ffd4e66f722eb1b3580b7b7f535323a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAYc.exe

Filesize
465KB

MD5
b4847117b1b9782d350dc3b31e1f89a9

SHA1
3569983f3f60628e2b5a1681f72cf7bbef659a48

SHA256
9cd9e7075139de083f7980f831812b3dc9a7a18dace4b58881ded85dbcd0e67e

SHA512
653e1312b2be168847bbc23a7f27086ad2c00671b75dc08dfe6186d937b93b990a2dec22909dad9c037e310f185aeb50b2af97c0b999e71c47e8d353cd71dab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgcq.exe

Filesize
438KB

MD5
665fa5c207e524bf3ce701a841c6bdd9

SHA1
531682a41073db36190129f8ec35de23eeb07542

SHA256
b6d886ffabbfe0e8dd0359f004482f7df4ae8fb2ce742d0f8ed7c898f4de3b93

SHA512
8ebbdfd9400d68ef5fe2acbf2ce6f518224211fcc384545a7302cd1bdd4f04411da3fb6b6ef3ccc0eda3089f0fb240c5c0ac5dd80dfe443f14f8b2c2ea8d90c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocQa.exe

Filesize
10KB

MD5
13492d9f6f95ddf635abbc9039ac7fe2

SHA1
b4d4d8a786d62dff1f79980f39f985868f9e73c2

SHA256
8135db5d84022fee9f8fd5186374c665b87b83a85b547848817fd33c79768272

SHA512
ff10e96e89e6fd3a84e497749961673775ff0f193817a4b639fe33975461d83853ba0972dd00e4dc9861c8543e7d9d811b316f5837678b80b2daf41dce3c2c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\okUw.exe

Filesize
512KB

MD5
919139d86491158b9006b34634fff2e9

SHA1
46f9914ca3cf288e4dd95605fd60568beaeb073f

SHA256
04a61f4cf84f9e93a810206fa38ca68b7746ce3230cee7dff01f18607e93fe25

SHA512
0677f74f14eef28a326440dad19cda0f74e55000ace7252eeaea80e5521ab000fae8e3d36a300c8995dd2267914084b2d4c140843c0d90da9c6f0e4cb2d90c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\psEw.exe

Filesize
1.0MB

MD5
65fad099eaafeb2f4e18cea7b08abcb9

SHA1
3c64eda469b03e674f0bbe6a1663b32f4efd0e7e

SHA256
3d4a2bde1545df5d1d9b3533ab8a99c64d878cb76bfeb6b53ecf52e0b69e9840

SHA512
e37b9415d4eeb7592121283663cc769d15abe2c93a39c5ad8b32b0bcf577950170f1f290f2fb98ef9b23f1df548ec922127a92b812ade6bcfb49b277d92b8c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\qswE.exe

Filesize
1019KB

MD5
4c8840d249930f03604ecce884088ea8

SHA1
e04bfaed3059914cda448e7422330c952bc29eec

SHA256
0c653bffc29ff2cd14787b2ae65da4b89b8a7443b3589828f26dc0ea14a9a95e

SHA512
1e280d7d6a16d9b5445d064b7dabcb87e35be19e5bf74129aa7a1b7b34143b63e0275d5cd75b6760c011ee469d7f83f79b75d225addad914ec50c39ab8834b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsoM.exe

Filesize
436KB

MD5
edf9a4c9b8d521d2b4f389cc407ca7af

SHA1
bd2018e5ee70dbe5ef207422dd99ce24b874d19e

SHA256
918a3998dec7b5f6f86a28bdc49708d57b4bdf90b4352c28c0204cb2a708838f

SHA512
b7fd435e735109603bd7baab5f76dda7c445e5e0fc075396cdec038b953b2120fcf56fa6bdf497e75b64a337bad76da14994fdab164cc16e4b003f7b24e2e1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\scEQ.exe

Filesize
436KB

MD5
b029fbd99bae518b4fa57e64e4ffb008

SHA1
ad586da91a85d9e36309f3e8813389c61a5411ec

SHA256
25c139203b7dbdbf43deaa401c7a56993fbcb609a326f5abc8b7a0fd1352dfc4

SHA512
9231e53f0d9a7dd608866ec4d22bfbdb4218fc3d75097966ad1935ad96a24694557350d9c237342806fc647f3fe9c920e9e33993dbc6da75c989611b6b89c926

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgIO.exe

Filesize
444KB

MD5
552909b141ba52fc0dfb9bb3c97222f4

SHA1
282f45f12cf88d1780e300feb040aea6fca153c1

SHA256
662189d97aaac3856a4426ea0a84b0016aa8921d308b14c5d8e549dc7dea5673

SHA512
2c94ba5647ce3b8e66721815485041a675008afe3d3fc8106e840d603f7c5cb4995a9296e3f127846984e3a83632a7b5925962184e6f750fb1aac63b1e8f8263

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkoE.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\tswy.exe

Filesize
32KB

MD5
72777340b5552e6beb69ecee50183dda

SHA1
1ab2fbc0c51dd01d5beba7e5939144a2f069ebf9

SHA256
e1802b38cd0e17afe048800dfe32f9c9888596c4e71c880dd29992dd125087bb

SHA512
1503dca177f5187ce3c0d24ae0e804632c12078dd5489acedfaa52e8bd316b97df309b5d5d0980de9698df51067ef8743d27cd76d124a5890786acdb1fc1c8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEwM.exe

Filesize
342KB

MD5
ee266aceaecb8d1723a5ce6eafae8cfc

SHA1
5369b7a28adf33e44bb3835c5e62eb3441b35da3

SHA256
2ddd34010e03e285a6f18bdeb1d466dc31510029c0364309f0fd0c2742e00969

SHA512
74ba447ed35516fe51d6c07efc0d46d7a18f3a0b3b026af2b7d11d8b705b1987f08bf57a2c1f6eee451878b4aa42fcab2d4ba178e189d967d0af0a1a293d0e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkgU.exe

Filesize
367KB

MD5
2c01cfee4fc4b6ba0759280f1840aaa9

SHA1
f48e8df472f2932ed82ced582a64a62c390a0e15

SHA256
4bd2b6102b99711811d246a9e35cd35c7ac92a562d62109099c6efe176e2e1f8

SHA512
31b3822ab5a22ce0ee283dc41143f057ffd195c55df664f5bd550b8402cdb17e4ad01fd672facb343ca445a0d67ac49bfe60a03e99353e4b1fee1ed18d1b655f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsoS.exe

Filesize
1.0MB

MD5
f2bf6ca72c75aae24fb95dbf7c969c37

SHA1
b95618aeea338bd43790a7c0b854f51eaa8bdd8c

SHA256
4eb865b7a9c0534abb68fd0c9960ca6f39410f48687f55e61f513deafea0fa98

SHA512
31ff26c1627446ed241db8d3e7758212890396360e55a45c2d4e0b68508a48ef4ea7e6f59d2fb0e0b679aa7ee7a7b80272be3304b0e1be31a49ecc9cb5f02fa7

Download Submit
C:\Users\Admin\JOkcUAUs\jcMkIYEI.exe

Filesize
434KB

MD5
b4ff809ea9be547240c9b4c67ffda744

SHA1
812aed667fc29e15d678d063bbcbd3786cec248f

SHA256
8e78a4b04787024f537fea0c87cdeba4bd3b17e3a9572f727592877eb5924511

SHA512
87f3be542c5dd13b8805a21f904b3cb12e1a2127300492b7b10c3bcdfb2062b1f8a15b2c4db51f96703b85767a32bd79a867a7b1703849d2e6a1e49713897206

Download Submit
memory/760-171-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/760-182-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1516-586-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1516-630-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1652-114-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1652-84-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1756-878-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1756-842-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1912-1073-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1912-1221-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1912-1208-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1912-1023-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2040-82-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2040-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2528-60-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2528-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2840-47-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2840-6-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2844-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2844-69-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3020-183-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3020-194-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3020-682-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3020-724-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3056-918-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3056-875-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3116-762-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3116-799-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3216-353-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3216-393-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3516-30-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3516-22-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3528-210-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3528-219-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3532-543-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3532-521-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3584-206-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3584-198-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3692-504-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3692-467-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3788-920-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3788-966-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3956-12-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3956-53-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4260-68-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4260-41-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4292-1165-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4292-1115-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4364-132-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4364-146-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4680-170-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4680-158-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4736-39-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4736-31-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4748-274-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4748-235-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4804-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4804-40-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4872-101-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4872-122-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4936-333-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4936-272-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5020-147-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5020-159-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download