341a3edcc224c0faba1688873dc174b21dec926cf98e69c95ee379155ef70f6f

Analysis

max time kernel
140s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e402303456d80df99b5442339851753.exe
Size

484KB
MD5

6e402303456d80df99b5442339851753
SHA1

c304b462bded7e9c622bfdcb5df58a92b49b002d
SHA256

341a3edcc224c0faba1688873dc174b21dec926cf98e69c95ee379155ef70f6f
SHA512

d863dca7ef35cfd5db26135798901ff1fb61a2856ae534f3615746553a212d9461e1ba01504cff5a48c91c12f91ff289a898c6ff0ace4047ea8037cee8e91a1b
SSDEEP

12288:SU3yrwb7pzzRJclyX8DlsFpycim7J3M2iJKl:Tyrwd37cZBXc9F3n

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6e402303456d80df99b5442339851753.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6e402303456d80df99b5442339851753.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6e402303456d80df99b5442339851753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6e402303456d80df99b5442339851753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6e402303456d80df99b5442339851753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Blocklisted process makes network request 8 IoCs

flow	pid	Process
43	3668	cmd.exe
49	3668	cmd.exe
50	3668	cmd.exe
57	3668	cmd.exe
67	3668	cmd.exe
69	3668	cmd.exe
180	3668	cmd.exe
217	3668	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	ueQgUAMc.exe

Executes dropped EXE 3 IoCs

pid	Process
2720	NEAwEkEU.exe
4236	ueQgUAMc.exe
3004	ZggwwsIA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ueQgUAMc.exe = "C:\\ProgramData\\fsMsgwAk\\ueQgUAMc.exe"	ZggwwsIA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QiUswMgw.exe = "C:\\Users\\Admin\\nGUIEwUY\\QiUswMgw.exe"	zmstage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oOQkUUEo.exe = "C:\\ProgramData\\eGssYows\\oOQkUUEo.exe"	zmstage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NEAwEkEU.exe = "C:\\Users\\Admin\\YkMwUcsY\\NEAwEkEU.exe"	cscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ueQgUAMc.exe = "C:\\ProgramData\\fsMsgwAk\\ueQgUAMc.exe"	cscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ueQgUAMc.exe = "C:\\ProgramData\\fsMsgwAk\\ueQgUAMc.exe"	ueQgUAMc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NEAwEkEU.exe = "C:\\Users\\Admin\\YkMwUcsY\\NEAwEkEU.exe"	NEAwEkEU.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6e402303456d80df99b5442339851753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6e402303456d80df99b5442339851753.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6e402303456d80df99b5442339851753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6e402303456d80df99b5442339851753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6e402303456d80df99b5442339851753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6e402303456d80df99b5442339851753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\YkMwUcsY	ZggwwsIA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\YkMwUcsY\NEAwEkEU	ZggwwsIA.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	ueQgUAMc.exe
File opened for modification	C:\Windows\SysWOW64\sheStartRemove.zip	ueQgUAMc.exe
File opened for modification	C:\Windows\SysWOW64\sheSwitchUninstall.gif	ueQgUAMc.exe
File opened for modification	C:\Windows\SysWOW64\sheUnpublishWatch.docx	ueQgUAMc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1292	5800	WerFault.exe
5492	3180	WerFault.exe	84
3500	5904	WerFault.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1652	reg.exe
4676	reg.exe
760	reg.exe
2716	reg.exe
3648	reg.exe
5232	reg.exe
6076	reg.exe
5776	reg.exe
5540	reg.exe
5148	reg.exe
5916	reg.exe
5492	reg.exe
2540	reg.exe
4804	reg.exe
2956	reg.exe
2580	reg.exe
1804	reg.exe
5900	reg.exe
2576	reg.exe
8	reg.exe
4244	reg.exe
6084	reg.exe
5144	reg.exe
4432	reg.exe
3064	reg.exe
2348	reg.exe
4960	reg.exe
5624	reg.exe
3324	reg.exe
2220	reg.exe
5576	reg.exe
2576	reg.exe
5948	reg.exe
888	reg.exe
1472	reg.exe
5656	reg.exe
4804	reg.exe
2396	reg.exe
4968	reg.exe
4376	reg.exe
4276	reg.exe
4252	reg.exe
4684	reg.exe
1832	reg.exe
728	reg.exe
4824	reg.exe
5556	reg.exe
5816	reg.exe
1524	reg.exe
2520	reg.exe
4880	reg.exe
4988	reg.exe
5832	reg.exe
2740	reg.exe
1020	reg.exe
3060	reg.exe
6104	reg.exe
5516	reg.exe
1736	reg.exe
2992	reg.exe
3884	reg.exe
2520	reg.exe
4800	reg.exe
5296	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4816	cscript.exe
4816	cscript.exe
4816	cscript.exe
4816	cscript.exe
4604	6e402303456d80df99b5442339851753.exe
4604	6e402303456d80df99b5442339851753.exe
4604	6e402303456d80df99b5442339851753.exe
4604	6e402303456d80df99b5442339851753.exe
2036	reg.exe
2036	reg.exe
2036	reg.exe
2036	reg.exe
4084	6e402303456d80df99b5442339851753.exe
4084	6e402303456d80df99b5442339851753.exe
4084	6e402303456d80df99b5442339851753.exe
4084	6e402303456d80df99b5442339851753.exe
3988	6e402303456d80df99b5442339851753.exe
3988	6e402303456d80df99b5442339851753.exe
3988	6e402303456d80df99b5442339851753.exe
3988	6e402303456d80df99b5442339851753.exe
2692	6e402303456d80df99b5442339851753.exe
2692	6e402303456d80df99b5442339851753.exe
2692	6e402303456d80df99b5442339851753.exe
2692	6e402303456d80df99b5442339851753.exe
4032	6e402303456d80df99b5442339851753.exe
4032	6e402303456d80df99b5442339851753.exe
4032	6e402303456d80df99b5442339851753.exe
4032	6e402303456d80df99b5442339851753.exe
4036	cmd.exe
4036	cmd.exe
4036	cmd.exe
4036	cmd.exe
3064	6e402303456d80df99b5442339851753.exe
3064	6e402303456d80df99b5442339851753.exe
3064	6e402303456d80df99b5442339851753.exe
3064	6e402303456d80df99b5442339851753.exe
2992	reg.exe
2992	reg.exe
2992	reg.exe
2992	reg.exe
5084	6e402303456d80df99b5442339851753.exe
5084	6e402303456d80df99b5442339851753.exe
5084	6e402303456d80df99b5442339851753.exe
5084	6e402303456d80df99b5442339851753.exe
3824	6e402303456d80df99b5442339851753.exe
3824	6e402303456d80df99b5442339851753.exe
3824	6e402303456d80df99b5442339851753.exe
3824	6e402303456d80df99b5442339851753.exe
4948	6e402303456d80df99b5442339851753.exe
4948	6e402303456d80df99b5442339851753.exe
4948	6e402303456d80df99b5442339851753.exe
4948	6e402303456d80df99b5442339851753.exe
4020	Conhost.exe
4020	Conhost.exe
4020	Conhost.exe
4020	Conhost.exe
2696	cmd.exe
2696	cmd.exe
2696	cmd.exe
2696	cmd.exe
5008	Conhost.exe
5008	Conhost.exe
5008	Conhost.exe
5008	Conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4236	ueQgUAMc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe
4236	ueQgUAMc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 2720	4816	cscript.exe	1263
PID 4816 wrote to memory of 2720	4816	cscript.exe	1263
PID 4816 wrote to memory of 2720	4816	cscript.exe	1263
PID 4816 wrote to memory of 4236	4816	cscript.exe	22
PID 4816 wrote to memory of 4236	4816	cscript.exe	22
PID 4816 wrote to memory of 4236	4816	cscript.exe	22
PID 4816 wrote to memory of 3544	4816	cscript.exe	1056
PID 4816 wrote to memory of 3544	4816	cscript.exe	1056
PID 4816 wrote to memory of 3544	4816	cscript.exe	1056
PID 3544 wrote to memory of 4604	3544	cmd.exe	1260
PID 3544 wrote to memory of 4604	3544	cmd.exe	1260
PID 3544 wrote to memory of 4604	3544	cmd.exe	1260
PID 4816 wrote to memory of 3976	4816	cscript.exe	1259
PID 4816 wrote to memory of 3976	4816	cscript.exe	1259
PID 4816 wrote to memory of 3976	4816	cscript.exe	1259
PID 4816 wrote to memory of 3548	4816	cscript.exe	1258
PID 4816 wrote to memory of 3548	4816	cscript.exe	1258
PID 4816 wrote to memory of 3548	4816	cscript.exe	1258
PID 4816 wrote to memory of 228	4816	cscript.exe	1257
PID 4816 wrote to memory of 228	4816	cscript.exe	1257
PID 4816 wrote to memory of 228	4816	cscript.exe	1257
PID 4604 wrote to memory of 4996	4604	6e402303456d80df99b5442339851753.exe	1255
PID 4604 wrote to memory of 4996	4604	6e402303456d80df99b5442339851753.exe	1255
PID 4604 wrote to memory of 4996	4604	6e402303456d80df99b5442339851753.exe	1255
PID 4996 wrote to memory of 2036	4996	cmd.exe	1213
PID 4996 wrote to memory of 2036	4996	cmd.exe	1213
PID 4996 wrote to memory of 2036	4996	cmd.exe	1213
PID 4604 wrote to memory of 3324	4604	6e402303456d80df99b5442339851753.exe	1253
PID 4604 wrote to memory of 3324	4604	6e402303456d80df99b5442339851753.exe	1253
PID 4604 wrote to memory of 3324	4604	6e402303456d80df99b5442339851753.exe	1253
PID 4604 wrote to memory of 1716	4604	6e402303456d80df99b5442339851753.exe	1252
PID 4604 wrote to memory of 1716	4604	6e402303456d80df99b5442339851753.exe	1252
PID 4604 wrote to memory of 1716	4604	6e402303456d80df99b5442339851753.exe	1252
PID 4604 wrote to memory of 4252	4604	6e402303456d80df99b5442339851753.exe	1250
PID 4604 wrote to memory of 4252	4604	6e402303456d80df99b5442339851753.exe	1250
PID 4604 wrote to memory of 4252	4604	6e402303456d80df99b5442339851753.exe	1250
PID 4604 wrote to memory of 1012	4604	6e402303456d80df99b5442339851753.exe	1249
PID 4604 wrote to memory of 1012	4604	6e402303456d80df99b5442339851753.exe	1249
PID 4604 wrote to memory of 1012	4604	6e402303456d80df99b5442339851753.exe	1249
PID 1012 wrote to memory of 2292	1012	cmd.exe	1207
PID 1012 wrote to memory of 2292	1012	cmd.exe	1207
PID 1012 wrote to memory of 2292	1012	cmd.exe	1207
PID 2036 wrote to memory of 4036	2036	reg.exe	1245
PID 2036 wrote to memory of 4036	2036	reg.exe	1245
PID 2036 wrote to memory of 4036	2036	reg.exe	1245
PID 4036 wrote to memory of 4084	4036	cmd.exe	1244
PID 4036 wrote to memory of 4084	4036	cmd.exe	1244
PID 4036 wrote to memory of 4084	4036	cmd.exe	1244
PID 2036 wrote to memory of 2992	2036	reg.exe	1243
PID 2036 wrote to memory of 2992	2036	reg.exe	1243
PID 2036 wrote to memory of 2992	2036	reg.exe	1243
PID 2036 wrote to memory of 3884	2036	reg.exe	1242
PID 2036 wrote to memory of 3884	2036	reg.exe	1242
PID 2036 wrote to memory of 3884	2036	reg.exe	1242
PID 2036 wrote to memory of 2668	2036	reg.exe	1241
PID 2036 wrote to memory of 2668	2036	reg.exe	1241
PID 2036 wrote to memory of 2668	2036	reg.exe	1241
PID 2036 wrote to memory of 4732	2036	reg.exe	1240
PID 2036 wrote to memory of 4732	2036	reg.exe	1240
PID 2036 wrote to memory of 4732	2036	reg.exe	1240
PID 4732 wrote to memory of 2972	4732	cmd.exe	1236
PID 4732 wrote to memory of 2972	4732	cmd.exe	1236
PID 4732 wrote to memory of 2972	4732	cmd.exe	1236
PID 4084 wrote to memory of 4696	4084	6e402303456d80df99b5442339851753.exe	1124

System policy modification 1 TTPs 32 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6e402303456d80df99b5442339851753.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6e402303456d80df99b5442339851753.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6e402303456d80df99b5442339851753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6e402303456d80df99b5442339851753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6e402303456d80df99b5442339851753.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6e402303456d80df99b5442339851753.exe

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
"C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe"
1⤵
PID:4816
- C:\ProgramData\fsMsgwAk\ueQgUAMc.exe
  "C:\ProgramData\fsMsgwAk\ueQgUAMc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:3544
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3932

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:2036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:4696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:4036
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:4996
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  PID:2992
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2912
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:3192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYcoUEUM.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:1576
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:4020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4280
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
  PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:3824
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIYYgssA.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:8
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4804
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5148

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:4988
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:4824
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2348
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:1280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIckoYAc.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4868
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4044
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkcAAQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4252
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4384
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    PID:3448
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3252
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
    C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
    3⤵
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:3976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGswUwok.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:4840
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3836
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3040
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKkMcgco.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  - Blocklisted process makes network request
  PID:3668
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3344
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3600
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2696

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:3668
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1472
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3884
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:3180
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SsAQIcUc.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:2912
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4372
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 312
  2⤵
  - Program crash
  PID:5492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwwAsooE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:464
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:228
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3548
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3976
- C:\Users\Admin\YkMwUcsY\NEAwEkEU.exe
  "C:\Users\Admin\YkMwUcsY\NEAwEkEU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2720

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:4288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeEkAwwU.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
    C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
    3⤵
    PID:740
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2984
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1652
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2696
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4384
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkMUoYEI.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:5084
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2208
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4252
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1444
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      UAC bypass
      PID:2520
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    PID:3756

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuMwcgQk.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:4364
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2440
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3600
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5068
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:2240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:4592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1980
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5220
- - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
    C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
    3⤵
    PID:5288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:776
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5896

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:3212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:3800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOgAsIYY.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:4720
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAIUIsgc.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5572
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  PID:5168
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5756

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:6064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:3036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5612

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5184
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkwYwQMM.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:760
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3732
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:5284
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:5160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5304

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:6028
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2568

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaIskAYk.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:5808
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2568
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5584
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:5492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:4676
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5964
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:5672

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5932

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckokwcgA.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:6008
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:5144
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5052
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:5128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:6092
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5904 -ip 5904
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 372
1⤵
- Program crash
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 284
1⤵
- Program crash
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3180 -ip 3180
1⤵
PID:5188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5800 -ip 5800
1⤵
PID:5888

C:\ProgramData\yGcIsoAM\AAQQYkEk.exe
C:\ProgramData\yGcIsoAM\AAQQYkEk.exe
1⤵
PID:5904

C:\ProgramData\eGssYows\oOQkUUEo.exe
"C:\ProgramData\eGssYows\oOQkUUEo.exe"
1⤵
PID:5800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:6032
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  PID:6132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuEckosY.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:872
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:5816
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5124
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:5508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:3060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5576
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:4276

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqkQMkos.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:5248
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4276
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:2972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5552

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5740
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  PID:2220

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:4036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYkEAAAM.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:6004
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5620
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:6060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:5132
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5320
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  PID:6036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGIMUcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:5816
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    PID:5312
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5592

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAwcIcwY.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:5480
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyIcgogo.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:5960
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5688
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    PID:5660

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmkIQMUg.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:4800
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:5776
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3240
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:5544

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:3180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aycQMwAM.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:5252
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:5352
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4960
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:6112

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:3500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKMMgMcY.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:4432
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5764
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
      C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
      4⤵
      PID:5164
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4676
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAYcgYkI.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
      4⤵
      PID:5580
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:6036
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:5576
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:5944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
      4⤵
      PID:5836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    PID:5100
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:5652

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puUIQsQo.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:5928
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2520
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4088
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:5776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwQIsYYw.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5636
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5680
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5836
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:5232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    PID:5572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vogMMUgo.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
      4⤵
      PID:6120
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:6104
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:6096
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:6088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
      4⤵
      PID:6016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:6000

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMwYUAQs.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:6096
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:6040
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5900
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:3804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5228

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5148
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1416

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:4620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5172

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcoYoUgc.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:6072
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5844
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5128
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:6016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:3084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocUgcQwA.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:5192
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5440
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5836
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:5768

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQkgsMIs.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:3240
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2580
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5656
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:5336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5320

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqoAYYIw.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:5552
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5592
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5380
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:5148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYwMMAIU.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:4800
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3956
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2520
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    PID:5896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:5876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsYAsgok.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:5352
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Checks whether UAC is enabled
    - System policy modification
    PID:2220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKIAUAUw.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
      4⤵
      PID:5248
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:5432
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:4968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
      4⤵
      PID:4948
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4500
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4804
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCwEQgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3304
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5504
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    PID:5320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:5936

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:4856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FioQMwAU.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:5332
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGwMMkgI.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:5756
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4684
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:5516
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    PID:5592
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:5900
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMYQsgcY.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:5524
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:5656
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:5924
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5712
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5288
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4660
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:5184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYckEcIs.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
      4⤵
      PID:5392
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3876
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1652
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
      4⤵
      PID:5100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:5224
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:4004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:5524
- - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
    C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
    3⤵
    PID:6016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcAMIwUg.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
      4⤵
      PID:5132
    - - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        5⤵
        
        PID:5980
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:5160
    - - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        5⤵
        
        PID:6104
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5640
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:4684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
      4⤵
      PID:1416
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCQAokMI.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:6028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYUcccYk.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:5708
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5812
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:6108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    PID:5928
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5184
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4660
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeMscoUA.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:4040
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwsQEYkg.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:5408
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:6076
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:6056
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGQgQsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2244
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
      4⤵
      PID:5068
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:5220
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  PID:5440
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:2284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEAAcQoM.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:5280
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
    C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
    3⤵
    PID:532
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4376
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:5816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgEgkosA.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:5980
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:5948
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5940
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:5672

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOoEkMIo.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:5256
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2220
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5740
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:4896

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOccsQUs.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:776
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5384
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5416
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:5084

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaMkMoow.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:4488
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5144
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:5844
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5596
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:5844

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QswQgoMw.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:6136
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:6004
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5780
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5792
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:5980

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:5284
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5528
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4044
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5552
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkYwwUkA.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:6048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5672
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCMwsYkw.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:8
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsMwQQYU.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:4824
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:4988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
      4⤵
      PID:3364
  - - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
      C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
      4⤵
      Modifies visibility of file extensions in Explorer
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4084
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4740
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4940
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:5812

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:6120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMUoYUMs.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:5368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:6088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:3876
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmEcccos.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5364
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:6008
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyYIscoE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2348
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:5296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:5740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmUkUkog.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:1668
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:1512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeEUgckE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:6132
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:776
  - - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
      C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
      4⤵
      PID:900
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1236
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      System policy modification
      PID:888
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    PID:1448
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:5540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:5228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:6060
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:1448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:2628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zukwswMw.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:5420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:5124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:3212
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5056
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4020
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2976
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:2532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUMYgIgE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:5860
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuQkoEcY.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
      C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
      4⤵
      PID:3660
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:5296
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:5760
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    PID:5340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwwkEwcc.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
      4⤵
      PID:5164
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkUwgcgE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        5⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:5656
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:5636
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:5628
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        5⤵
        
        PID:5500
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:5168
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5684
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:5652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
      4⤵
      PID:5524
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
    C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
    3⤵
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:5408
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5308

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:4728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiMwMwkE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:6088
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:5624
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5228
- - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
    C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
    3⤵
    PID:3176
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5468
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:4004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\desIAQUw.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:5632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:6104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWcsIoEk.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
- Checks whether UAC is enabled
- System policy modification
PID:4960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:5784
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqoskUcY.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:5880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:5512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4244

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmYgUQUE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:6068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:776
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
PID:5468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5376

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:6084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5996

C:\Users\Admin\nGUIEwUY\QiUswMgw.exe
"C:\Users\Admin\nGUIEwUY\QiUswMgw.exe"
1⤵
PID:3180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:3380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:5376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:6040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkgQsIQM.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:5828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:5728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:5724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
- Modifies visibility of file extensions in Explorer
PID:5492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5700

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:5340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAgMAUAE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:3720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:1832
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FucsQoQw.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:4592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZckEYwEs.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:5068
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:368
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4080
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:5044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWcMYEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- UAC bypass
- Modifies registry key
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUwwgEsA.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:2240
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:4480
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkwokgss.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1148
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3192
    - - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        5⤵
        UAC bypass
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        System policy modification
        
        PID:3824
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
      4⤵
      PID:2716
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3084
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    PID:1760
- - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
    C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4948
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:4384
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2576
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:3976

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\weoYIUgc.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqogwooM.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1212
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:3180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKUMMAUE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:4376
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:760
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4944
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:1716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIsoQkwE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:3848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:464
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1100
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sscYAYcE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYYYUEcs.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:2108
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1020
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2676
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:4604
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKQQskIA.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1456
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  PID:840

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeYMUwow.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:3120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HawAQcoc.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
- Modifies visibility of file extensions in Explorer
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3988
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsMcoMUk.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:2924
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:728
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  PID:8
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:2028

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:952
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:2976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:3636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEAwYUUg.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyQswsoA.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3824
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACkwoMwM.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:2028
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1472
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2984
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3380
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeUQAkUY.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmAMkIUg.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
- Checks whether UAC is enabled
- System policy modification
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3600
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSMIgkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:4696
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Suspicious behavior: EnumeratesProcesses
  PID:3988
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
PID:2696
- C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
  C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYMYAoog.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msMkMQEg.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
  2⤵
  PID:4840
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:396
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2588
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKcEkkIw.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2668
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3884
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    - Suspicious behavior: EnumeratesProcesses
    PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  PID:4604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeockYgA.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1012
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4252
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:2984

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:3064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoYsQEwE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
- Modifies visibility of file extensions in Explorer
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
1⤵
- Checks whether UAC is enabled
- System policy modification
PID:2440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkogIgsU.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5000

C:\ProgramData\BqMUUwwk\ZggwwsIA.exe
C:\ProgramData\BqMUUwwk\ZggwwsIA.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3004

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
1⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\2390928208\zmstage.exe
C:\Users\Admin\AppData\Local\Temp\2390928208\zmstage.exe
1⤵
- Adds Run key to start application
PID:3380

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
1021KB

MD5
e712e30946b9b061c76984688dca88c1

SHA1
dc3d857686e9f96460d698b9a5ae3813517bae22

SHA256
090aec59c33dbd9114b4704fe4efb529dea499706352ff1c7db8de079766bd80

SHA512
84aab3ea512162299a27b0f96982377ebeb680f61be8505414164a6fce8e0f2230d475e22b4909568e6da190f7a5fa0651bc47eb32cbbdf205b0a64c21d7ff32

Download Submit
C:\ProgramData\fsMsgwAk\ueQgUAMc.exe

Filesize
431KB

MD5
1891e4f51526b6bc45084114e3e8e8a8

SHA1
e7519ab981a62f328f11687139e6dbbcdda6b656

SHA256
1c22a0a1555e41d6418240da4d1b9744e7a1cc94487970df637e0e7f118b5af6

SHA512
ebaccf856615c4cc0e33b50deda2169b929327d309f6597426e3e9fec1eeda42ba7ed5d9f38ddf7ac018cf09214f448dd6cf911cd4a9cdc91a4d16aef1b478ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

Filesize
440KB

MD5
b9fe65663fab2beb7c6103108186a1de

SHA1
11238a5dcbf47677a1c05e3429c2969219130557

SHA256
b649c347489da3931643f83b8728ee713d149351f23e00b6e647fed18ab7e7a7

SHA512
6ff856c3dccb6cf399b0e75c487b518eb260ebf2b9f480842d9bbc6d04c04d0b60a9f3b7a6732cf20d76bda7bf0ad127a477f5f2a7f89bac58c2ed2e5d1ba2ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
432KB

MD5
93d14c20b2cc86b709d9815a8cdd51cd

SHA1
cabdffee84c4bbb26bda0d9950760ef2058f2285

SHA256
0f2c21b256c7272b369cbfd819a187f9b922acd48ee965d5170b1014f11f2458

SHA512
95295848f7c157041013a5f9d94c32d5b704dc7a6a25e8289e62b28f64dc18067e5e048eac8589a0d6d0752f5d60e855f4b5e73cef404498122733548713521d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkgG.exe

Filesize
441KB

MD5
d36a9ee8d2d5477ea2b810412bb757c6

SHA1
068c8e0b1f5fb4b118168dc1470363e85f0c050c

SHA256
5dcb0d3c89004ed71d4a66bbca439e6344d3e9eccefbae32eccf98d0038c2144

SHA512
6a29866a429ec6d54c10d0e33e618a4011a8a0e1e9476e6961cb981105a73ef2b543d820f1dcfab09968efc0aa47656d3208b2da06e2969e57350a0b02f331b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ckog.exe

Filesize
436KB

MD5
2f917ba6b1e9539cfd71dcb1b7720eb0

SHA1
b28fc8b4ff3574518ff6df85f86f657278d28d65

SHA256
ad6c626bba6891ad0a83f9e271b62a2eed813b57e577fbf273d5ad98a6bc65c0

SHA512
1ea942af304c316374bda3621271ac6d3b2165e190fe815279c11403e912673cde0256d50f8c8499b89a90a4bc250bb50030953dabc88ef13f1cd9ec9786be6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEES.exe

Filesize
443KB

MD5
c3d78303df1528e018b9c7db257637ac

SHA1
cd77acd44d960f46a4666ee63314b6113a0f74bb

SHA256
ee1c679983bb25d42073b7d38e8e05294024e92cf7bf680bd585f12b07280004

SHA512
54f54a93e758eda0473f163a560e563dbcd4544b57d2de4f8a84e1f0e086f270dd687239ab18fcb93712e2925706bf6d3c0657ca9d726871726cb071ba60aaeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgUk.exe

Filesize
440KB

MD5
7fdf7de88390f857c2d4363f85f910ce

SHA1
9ed3b494e9b519a29d4463a9a026c0201199806c

SHA256
ecb35a9a693bfd02b7aba8f18fed5e70ccd218fab1d8a7a310d165744072fd9d

SHA512
ed8a65b73b623980143d3227c5f66ce5b599d052d6b75407390294bd82e506d7fae206e5ce8b05589289c0ba8f6c34d90a493c0e1aefce911029641ab5b1bf6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eoou.exe

Filesize
445KB

MD5
6f7f18afb5f39b04eedae16494376bbe

SHA1
86da5482591efe18136a2c92e2e907597f0e47c2

SHA256
98c4ccdd5d2367832e19e271061570e82d652a081e954ac344b6fff3de7f91a8

SHA512
a9c6bb7687590acae8ff0845140c4e3cf6228a6cacb643e20b74f521675fd88282e4b48042d08ed6eed1a7aa081722a1a8d5a43b300720da22048daad23d80c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMoW.exe

Filesize
440KB

MD5
32c1823e3cae2283b3c3bb5077321276

SHA1
3c0530bdaf2886a26ae5b720431086848b13824c

SHA256
27455a15ed4985397f5a8d6e3693ada5fa2c6b10a36760524bd8fed44d8b44eb

SHA512
b3cbfbc75edc94bf967652622f2a7af6c5a377f79c34bbfa301e847bd6b65d7e24f5cf307db31eabaf5a8405f75fbf448479b7414575fe980117105283f39cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoUU.exe

Filesize
440KB

MD5
685617d25a0606d2dadbf788ba85e062

SHA1
0f39b0911fcdd86c9736da402993c85d6f483035

SHA256
90ede1859e4fd8add436db1077d03998806ca83c3faba5d4fc65d18a399f06e5

SHA512
8d24b09715687f50a26cef7843fc7d610974be2a4c12aab524b46bf47bf123895b4f838f68d6b8ce9d73df7825c2106c16126f91ad822025bb1a60115926a50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcQs.exe

Filesize
446KB

MD5
97e736b8fe6763c4edc4e0ea2d028374

SHA1
399bc086287b8dced5dcac05ca4c85db3d4c08e0

SHA256
e5ca64243082154cbae534f977594b5cfedc9a4a38556492eeecb1aa21cc7da6

SHA512
2e68106e0487769b6bad66203dfb145de55d9f2099f03d45fdc45a3ad6be66ff7869e1d0d16dcf594fe4fe1eba804ec1d63a306c7c584e1bf195a01f40dced46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwIm.exe

Filesize
438KB

MD5
591af576897cb766987efba23bebf5ca

SHA1
4867ff57cdd344bb178ad2a62f1c34f83e408901

SHA256
211e28099b959d7550a2c0d992f98b9df1269527391e46422fd1d15e0be3eadb

SHA512
5d63f67d0644362de4c210dc3dacee4d7913ef0219be0ff5efb45905883ac0b3ef3594846905c11c7b0b25179b892b400e419f3a83b942c248be2800883bbd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwwy.exe

Filesize
443KB

MD5
86b219a8a6840e2667b606134d78a182

SHA1
1af5bab2359bb6ebe311e99e2fb1090895b72490

SHA256
482f340da526ef7f54f579cd7ef8520e184ca69ae48117fea17d54af61723252

SHA512
6162a7b368164f5b27fe2cafb02d4fc0f8d8fb7620fda0ef36128324e6a07855dec9269f5ef9622a527e7878d9f485ff4ab79f721fa9418b389a9f15a0d11a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEoW.exe

Filesize
438KB

MD5
7f4069d0537b44cce485e76f29dcddb9

SHA1
ba16c6bb09c041b493858d9d4fe6ce2f505d959b

SHA256
2a42d2ab9355a0d64d669e7eb45f806f2c15703652a79baeb6e88b30f41db661

SHA512
1fc3c3bd195337a1e7eae849f08bde184d8d5ef707571b6e21d6bbab042e1ce5ae25c96eef032c765ecc72ed11ac43ded9ecdac0793ff121546fee4c4a49aca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMgm.exe

Filesize
438KB

MD5
c219f52b6dbe54c7474de5ebb328500b

SHA1
06ab3216541046daa5073c783020c8cc33fae43d

SHA256
537c94d536ff69d3eeb378797957bde41e3fd1d004f439fe3ee62d391145c347

SHA512
3dce651a8b0909ab365558e22b9502ecc35b2d0e54e0cd559827cbaa88d7f25dcb8e3d5cf6cc75154d38631328a978e86c244cffa7c76612ec8c5beda1422148

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsMc.exe

Filesize
5.5MB

MD5
5b72d8eab1683e1d5c120a4ffd950c3d

SHA1
8a49570c0cefb8f71dca8f0779867753c178e80d

SHA256
abdc8d2b68824a806d0d49686ab31f57804c6651b59dd13ac63ea1daf32197ca

SHA512
9a0db0488b63eadeb812548f95068f539feda23d03d7e03d21b5658767733d6331cc5f2cb3d49c55723788f8df0b743bd9e055379d417f07fe4fbe5727f77d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYIA.exe

Filesize
442KB

MD5
ad9fe69f8dc2ed7aa2e146fae77cf00d

SHA1
399e4738f02ecc9502ff1e91ad1eed068ca2135a

SHA256
2bd900578a4196bb7dd247efcc1ace249d29100ceeabfd685592cb99d51b4d8f

SHA512
8ecb3e3656f716060ff2660836ca0f08a79b8b9004aa3314e33e2a2cc5a760a0dd38055da30a2b35006487e47b93eace130f396e1e5685ebe2187fd493e724a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgIs.exe

Filesize
440KB

MD5
e1ef5e27ccf654526cf38be8118fbde1

SHA1
d43d9f25315df2baf240a56cf1407f7bf55cdfa4

SHA256
beaf848fcdda193c240e2c6d0274ef12c17f78ceb1c44422a520684efd7d8b05

SHA512
03bbcb1a701a28aa972e30e9a72684ab64793e1a4359a6c8c6e4f04d03fbb9f3e451666ced8aacf98681f170e0491748776744ca64035aaf262fd7a4bd6763e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwEk.exe

Filesize
440KB

MD5
d2ed874b97be01b741f2cbe80e019abc

SHA1
190077757583515018735951194a4b9a0cfe08c7

SHA256
ab810080b5a3c39e7158fcbc3691a6c0e2caaa76e53b4e4688e1b06104be1342

SHA512
0a79885fc5ba671544d203c0abc7a1a80d557824d9ba4a15b9b1573599c2e7f683e338b55cdb167cdb85f8da317606d1270b4ba72f61413e0bcb1895c76a50c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQUe.exe

Filesize
437KB

MD5
a8bdc4222d8961a3d202a3e2e3615928

SHA1
2929e8d150a6a29276e7da87d723759d9c512074

SHA256
8084968c86cd7f4ef04b72d3aef484ee46df78f7414796345b03df3d5ca7bc3c

SHA512
5614f5247f6b36a6738235d9c38c54fe1cab0bd9ae4a8423e2585ea2ba0960d12bac7788a0e03bef28ca996d36775f4e7344f67702ac34702dbb776fc66a16b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQoO.exe

Filesize
432KB

MD5
c73b32eaacc1319e14d6d1aebce1453e

SHA1
c11c81ff5cda0bb20f2c1fa06aa29e7dc032c5a7

SHA256
f27e82b541ff9fb42f629a92aebe597e7fd327a31256f08d01e02e29faff7afc

SHA512
27353a6db0e642ebc767a1741adbeda1e3f3cf5184dc7f33b1d0c91e637731449f6840a21e45968a6664ce162d604afebea9b4aba414e4e8784ed6155a2cb7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIkI.exe

Filesize
453KB

MD5
7584356857f893d7df9da98325f04a30

SHA1
a874fb5682e5478a99b14690dc4b9e233ee8e7a2

SHA256
a205026455c37ea42b0fb1bde000c62b1ed58b77b28930d57bd96bdb56bf5192

SHA512
ee208209adc21d8558467ba2b36c05918df992424d04efc3a87d1f763278f027a634041ed7c5fe17af219d6a53033798a53d8c7693cbe23747ffadb082c8bf91

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQUy.exe

Filesize
438KB

MD5
98925d07738b8c3fc91d7a54621534b8

SHA1
620975476f7058068bde4609f666c56cab227d71

SHA256
b221445db11de894c149b7c87d993488a360413f6216a4da0c45925fa5e068b2

SHA512
6954768030ad4284ff4dadb4c14192bda30da80e81614eed5c8d8a2956e123fdb4d144c1cdf7a677b82e073a9524a6f7fee93a94f0fd75845e8ac6efd52daa77

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsQe.exe

Filesize
2.4MB

MD5
d49bbd49c0d1060586d26265af73576f

SHA1
a2891966c7038a26ea02c899805dacbf12317f40

SHA256
8a20df5adf2ddafddc3183f6d96343ffbc0aaf7d83432b336adbd1d9a8edb479

SHA512
1ab78d2707d994a83bba75674f6079385c471a29bfca1995cb88c766f9638b747a9bac06cc5e90df3beb1911635fb5696231e1d3072e722d3ff6a01101cce0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wgoc.exe

Filesize
440KB

MD5
95ac6873642942b26a54d3a4fe48ca92

SHA1
17e0572932d28e2c84991652586170595abb947f

SHA256
6d16deebb988a4bb3d195f8032c88c83a670b5424d632e2182d232820e7d06f4

SHA512
b7115936e81609a184125e4742d9807371a5fb921d61e5ed62006c246af2698ac6bb87e7a5dab1b796e1f2cbc8575e8e3825907c2e5bd51428f938d3bba6d917

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYcQ.exe

Filesize
1.2MB

MD5
ad130460b20776438f6e95e3434b67de

SHA1
5ccabaad458d19d92c39d2589142250e233890e7

SHA256
58c1251f0bdc897cca4a81a17c3521dbcd8ec16b6997b49e27d8b401d2d3dd14

SHA512
52fbfe988176cea1cf44df1cbb44e2134e229fa4620d680b3a19beabe154b27956fcd6d6ae9911cfbf55d0515ad02a628c1f797bbe63669f2d4e88ccd5b03d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMQg.exe

Filesize
1.0MB

MD5
c73b80192311af029bfc803010a0c8be

SHA1
5fd418f13facf87ac80b461c9a25cb51a2452c71

SHA256
55a2c647f12b5d13f2d972b619c6e4c821aec87cfbb5561c3f1d2966d574d87b

SHA512
57b47e3ba31b8a0384aa7b2b2826894bba93cbb2af99214bc766f48c7e883d8dc2b88930b3b2d915e000b2b58d697a3f42a02b96825c69421f0a5b684fb7e281

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEQI.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkMUoYEI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMQi.exe

Filesize
437KB

MD5
2db4fa0373495a1b103a56fc9ca928e1

SHA1
0932e4512bfd9a1c7cfd51c549bbf91bfde80e76

SHA256
04f37836ee5d189419e9a9e9334bf42723e4004083990b341f3524a2487bbc1c

SHA512
53205e39cea208658505430084a4c7ba8b0f51f5de0be8840401febb9d7b425c64a9007a09c05a670fd2bd24e84dd9b891f839e0d7a988841ed5a3f5de78c2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMMG.exe

Filesize
476KB

MD5
a78bada61a790594066543c49eba8946

SHA1
8588ccfafc385fada5ba9ca8185280d157a630ab

SHA256
171bd6268923ab34c62a13c14bc496cfbbc4c98c2ac049c4ed2e8a6bc4f7d65f

SHA512
f28d82cde6373b8b1006b0cd61ebfb6aa57c60ef84b399681fc0d3894298501656d58fb12e6abf06be0b2d05f52229ca1e32dbab44383cd788edbd2cb52e7ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOgw.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQga.exe

Filesize
435KB

MD5
44febf701147c7b1c6ac4d924b4bf3ed

SHA1
882fa23c074bf7eb42f5565979c8fd9c22aaa248

SHA256
6dd48ef6b8554d6863ff5acc4073aa0f7ccd66d74f74b86f11e38eac195be7de

SHA512
7d12e322974b96afa5866215d4f10a79c280bc21fca312fe3e36ea5606790999599ebdb533f17ba5f923189a141eb357780e4746af87a812e6c35d5df4850581

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQsa.exe

Filesize
556KB

MD5
2a7001bc0c4309c572a9a48d0395eae0

SHA1
9c3abc3d967a6a917941ce4cb339264659875f28

SHA256
a2f69500d4c81d29fad8ff33fe88e64ee1918484e64874ad0ab4433da75e9575

SHA512
97cd790ce955872f760ab3dc2f0fc96bd45a37752975aa9b9881d97862e6f1ffd9da42d3a02c9d5640af50143358a4f6ba8e1840ae0a7dd44994d66c1154cc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYoC.exe

Filesize
434KB

MD5
afcb05660ac8b4791258ef43aa1b7104

SHA1
a84940bf2523028bb86b79362829de2f23a358b2

SHA256
e2f86fd098ada3ccae5814130d1379b632d0ee98092661553b30e5841ac98892

SHA512
c4bd4a7226f085f0bd046b1f5d98200b7690c82afffcb94f05bd5182867d563c5abd88ba9bebeaac95a106e14fbe2604a75f5795a7511b43f5fbf60e8b891ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogAG.exe

Filesize
437KB

MD5
52b2dff4386ebb3bb6c14aef49133ab0

SHA1
1e1dc4f058c40ff384a7a0d84b693308fbeb5e07

SHA256
8654344e4501affca46cf07fc0d8d0e97f06561f6c04411f80bcfb2ac30889b6

SHA512
cad69212c063731bb6f3dc1ff212dcde4d20c45498cf5e645a502c6b18ac2aa3f09023e58890ed2343d374b4b99e0133563fa1f418dd59d6e4e011904a546650

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgwc.exe

Filesize
441KB

MD5
742abb83d02b93ebf9b36c11bd852b8c

SHA1
03442f99efac4a538012ba9a85e8b7d7a2a8af58

SHA256
e6cfd191ad1268d66b97d04ab747def86a8d50fab57c3c90cfe9949c3dcc7036

SHA512
4b58b4c581f47ea7e0fba83d3fcc4ac21b9ea2c9af4fd4e006fb1e2b27fd6b10003d2acf3382ec9e653eefdd2562ed16539467cc0e297582b93af5a7596c7f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAES.exe

Filesize
558KB

MD5
5f137ab9bc4a8ee2b2a045600c57f7d7

SHA1
ccd8d272996a9df4cf902d0cc1ba9b9f27b88a86

SHA256
fe3c1a2a16d37cb3d58b9539b53c74fe52099ea837d02215c98c10d41549e311

SHA512
66abc54cd91596fb52d1eaeaa54e2808ddf76e61f3077808b581c07b672504f18f2da0befca9e810666df684ea3d5b8af70967853f69e907e9361d20feb839ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEsQ.exe

Filesize
505KB

MD5
3105907b1e15dde61136ae5b3f24f81a

SHA1
9c2ba8660ee9b0dded63247779cd37ccb262399f

SHA256
987387bfba13ee20793cb3cbb6736b74ce387c925fb42d108ba9256e1c94b288

SHA512
b95803115a463038cbb8870149f528e1569b13202a26382e55f5badfa3186209648f9ee72ba1ad1fdade9ee75168fd55b3bbed26776a55ef215c727f3022d3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUQe.exe

Filesize
438KB

MD5
f84ee1d4e23a2b170f8784f16ddc9563

SHA1
adee7b2c9972765adf95c94c14c99036d596acd6

SHA256
7a216fc748a3f808c7e3909050c7c11567617a1029f702979710a8295fed3419

SHA512
10b6653c2a747b9a4f4406b05225d815514360a19d2959d698a80c7a3e8f34a15f60627b3cfecfe79b8c9110214c198a4cc59aab93de627b38cc59c04caf6c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUUg.exe

Filesize
807KB

MD5
b5c257120dcebd10a4e8bab97dd83cee

SHA1
3ddfbb6f9cf89ef8aae6a4b602b90f73a598e3fb

SHA256
ed7ec9f3582b179e4c01e22392806c893c7f8f2d470d782def266e94cbeb3a21

SHA512
81c6712a165524511cfde17e6224b4088b1480e29d9bebf0ded13acb09df838910ac1a5f0efc577d5ead77e2fa1eaf87a7b5fb35a1b42a697654b3c204b14efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycIW.exe

Filesize
443KB

MD5
837cbec1226a2512262b8a5624b06d2d

SHA1
c86521360cbae1d01c92e2c5d3b4a0ab135743ab

SHA256
a8519cd4e528b61c11cba1df1b9f2893dc84498227f23bd70bae3bef72bd0b26

SHA512
515e964e4b8a5c7dfa1d0b09b1ff33eb8ac514e95a678f25298caadf83a9538afe5c4840d905386a50acc56652dbf2ddc024656c9adb53b635871b17863f9318

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykUW.exe

Filesize
439KB

MD5
5da91bf6843b8ef96dc8930dec11a69d

SHA1
14e4d93272d2357ef2ac31d080543f382c9785e9

SHA256
9c0c2d8a8d4495c447cb4a32bc2c4f182f3fdaf8f9527736651b5593d4c95db2

SHA512
e8f7eff865464ce37e6522a3ab93882c87d852608c2744cfc565d347843dff0cecf77670805bc878f9ae37eec0ef63face33ebd14ba5dc0b92e44435e781bbd6

Download Submit
C:\Users\Admin\YkMwUcsY\NEAwEkEU.exe

Filesize
432KB

MD5
dea7dddd054407b417f477b61396ee31

SHA1
a6453f8e9cb4155e2959db54e121f4ed0d3e110d

SHA256
123e344131bb249b34219c732b4eebf02c95b87cb555e0d4ce1f3ba197f462bd

SHA512
0be77a5e9081e303c005698146c246d846fc48dd8be0f92dc4ca7b7e43989ab9238f1325eeb3e3af31427f3081e79d0dba2cfd5a9d35f92776ab641dfbaf9770

Download Submit
memory/740-245-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/740-229-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/840-263-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/840-276-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/952-311-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/952-299-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1020-217-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1020-233-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1280-272-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1280-285-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1908-329-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1908-316-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2036-27-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2036-43-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2692-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2692-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2696-190-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2696-175-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2720-8-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2720-100-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2992-130-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2992-114-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3004-129-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3004-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3064-101-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3064-118-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3084-325-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3084-337-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3636-290-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3636-303-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3668-320-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3720-253-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3720-267-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3824-140-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3824-154-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3976-294-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3976-281-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3988-51-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3988-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4020-178-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4020-163-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4032-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4032-90-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4036-105-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4036-92-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4084-40-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4084-55-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4236-14-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4236-113-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4604-21-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4604-31-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4816-91-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4816-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4816-206-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4824-257-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4824-241-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4948-158-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4948-167-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4988-199-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4988-221-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5008-191-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5008-203-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-131-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-143-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download