47a29d2d6211e35ee3c7f0ae9c805b3d2633ae0c1e8f56ef17068bf307c21e56

Analysis

max time kernel
138s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2023, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbeaea693a1a5948798b7cac0d3c862c.exe
Size

484KB
MD5

fbeaea693a1a5948798b7cac0d3c862c
SHA1

67c144a97131a70ae576b92213688ff5b83f8961
SHA256

47a29d2d6211e35ee3c7f0ae9c805b3d2633ae0c1e8f56ef17068bf307c21e56
SHA512

5af865d18b0ac9caf4d35f703daad21333599ffdda5c6d9c36c29294b4bc34a2c16db9b5cd6e9fbe68f1f6824f2567b30a49c6d91a6e563ac1b34efe94a2e793
SSDEEP

12288:8j4x6uqm//2PIJcXvULz4vPFpDI8Bk4/ETeFcPeUFH:8IX//2+cXvoz4vPFpDI8Bi0cPfFH

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	fbeaea693a1a5948798b7cac0d3c862c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fbeaea693a1a5948798b7cac0d3c862c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fbeaea693a1a5948798b7cac0d3c862c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fbeaea693a1a5948798b7cac0d3c862c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Renames multiple (53) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	zqYsckAg.exe

Executes dropped EXE 3 IoCs

pid	Process
4416	asogEYIc.exe
5104	zqYsckAg.exe
1448	ZiUgoYQo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asogEYIc.exe = "C:\\Users\\Admin\\yOckgIsU\\asogEYIc.exe"	fbeaea693a1a5948798b7cac0d3c862c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zqYsckAg.exe = "C:\\ProgramData\\ksEccIwQ\\zqYsckAg.exe"	fbeaea693a1a5948798b7cac0d3c862c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asogEYIc.exe = "C:\\Users\\Admin\\yOckgIsU\\asogEYIc.exe"	asogEYIc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zqYsckAg.exe = "C:\\ProgramData\\ksEccIwQ\\zqYsckAg.exe"	zqYsckAg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zqYsckAg.exe = "C:\\ProgramData\\ksEccIwQ\\zqYsckAg.exe"	ZiUgoYQo.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fbeaea693a1a5948798b7cac0d3c862c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fbeaea693a1a5948798b7cac0d3c862c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fbeaea693a1a5948798b7cac0d3c862c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fbeaea693a1a5948798b7cac0d3c862c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fbeaea693a1a5948798b7cac0d3c862c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fbeaea693a1a5948798b7cac0d3c862c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sheRegisterInstall.gif	zqYsckAg.exe
File opened for modification	C:\Windows\SysWOW64\sheResolveConvertFrom.mp3	zqYsckAg.exe
File opened for modification	C:\Windows\SysWOW64\sheSyncSwitch.docx	zqYsckAg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\yOckgIsU	ZiUgoYQo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\yOckgIsU\asogEYIc	ZiUgoYQo.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	zqYsckAg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3320	reg.exe
4612	reg.exe
3652	reg.exe
4916	reg.exe
4884	reg.exe
3996	reg.exe
3844	reg.exe
1608	reg.exe
2900	reg.exe
3224	reg.exe
1684	reg.exe
4212	reg.exe
2460	reg.exe
4928	reg.exe
1248	reg.exe
1928	reg.exe
4536	reg.exe
316	reg.exe
4388	reg.exe
1088	reg.exe
4016	reg.exe
940	reg.exe
1892	reg.exe
1772	reg.exe
3188	reg.exe
2400	reg.exe
1824	reg.exe
5068	reg.exe
2948	reg.exe
876	reg.exe
4940	reg.exe
3568	reg.exe
2556	reg.exe
4924	reg.exe
2856	reg.exe
3804	reg.exe
2972	reg.exe
4680	reg.exe
4704	reg.exe
1800	reg.exe
2224	reg.exe
2996	reg.exe
4052	reg.exe
3116	reg.exe
4484	reg.exe
4680	reg.exe
3660	reg.exe
2152	reg.exe
2624	reg.exe
4336	reg.exe
3188	reg.exe
3376	reg.exe
4412	reg.exe
1088	reg.exe
372	reg.exe
2000	reg.exe
1172	reg.exe
2880	reg.exe
756	reg.exe
1264	reg.exe
3048	reg.exe
1876	reg.exe
4940	reg.exe
2316	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4428	fbeaea693a1a5948798b7cac0d3c862c.exe
4428	fbeaea693a1a5948798b7cac0d3c862c.exe
4428	fbeaea693a1a5948798b7cac0d3c862c.exe
4428	fbeaea693a1a5948798b7cac0d3c862c.exe
4704	fbeaea693a1a5948798b7cac0d3c862c.exe
4704	fbeaea693a1a5948798b7cac0d3c862c.exe
4704	fbeaea693a1a5948798b7cac0d3c862c.exe
4704	fbeaea693a1a5948798b7cac0d3c862c.exe
4940	fbeaea693a1a5948798b7cac0d3c862c.exe
4940	fbeaea693a1a5948798b7cac0d3c862c.exe
4940	fbeaea693a1a5948798b7cac0d3c862c.exe
4940	fbeaea693a1a5948798b7cac0d3c862c.exe
1892	Conhost.exe
1892	Conhost.exe
1892	Conhost.exe
1892	Conhost.exe
1372	cmd.exe
1372	cmd.exe
1372	cmd.exe
1372	cmd.exe
4712	fbeaea693a1a5948798b7cac0d3c862c.exe
4712	fbeaea693a1a5948798b7cac0d3c862c.exe
4712	fbeaea693a1a5948798b7cac0d3c862c.exe
4712	fbeaea693a1a5948798b7cac0d3c862c.exe
4704	fbeaea693a1a5948798b7cac0d3c862c.exe
4704	fbeaea693a1a5948798b7cac0d3c862c.exe
4704	fbeaea693a1a5948798b7cac0d3c862c.exe
4704	fbeaea693a1a5948798b7cac0d3c862c.exe
2376	Conhost.exe
2376	Conhost.exe
2376	Conhost.exe
2376	Conhost.exe
4776	fbeaea693a1a5948798b7cac0d3c862c.exe
4776	fbeaea693a1a5948798b7cac0d3c862c.exe
4776	fbeaea693a1a5948798b7cac0d3c862c.exe
4776	fbeaea693a1a5948798b7cac0d3c862c.exe
2836	Conhost.exe
2836	Conhost.exe
2836	Conhost.exe
2836	Conhost.exe
1248	fbeaea693a1a5948798b7cac0d3c862c.exe
1248	fbeaea693a1a5948798b7cac0d3c862c.exe
1248	fbeaea693a1a5948798b7cac0d3c862c.exe
1248	fbeaea693a1a5948798b7cac0d3c862c.exe
396	reg.exe
396	reg.exe
396	reg.exe
396	reg.exe
2636	Conhost.exe
2636	Conhost.exe
2636	Conhost.exe
2636	Conhost.exe
1816	reg.exe
1816	reg.exe
1816	reg.exe
1816	reg.exe
1800	reg.exe
1800	reg.exe
1800	reg.exe
1800	reg.exe
1244	reg.exe
1244	reg.exe
1244	reg.exe
1244	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5104	zqYsckAg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe
5104	zqYsckAg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 4416	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	1210
PID 4428 wrote to memory of 4416	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	1210
PID 4428 wrote to memory of 4416	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	1210
PID 4428 wrote to memory of 5104	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	88
PID 4428 wrote to memory of 5104	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	88
PID 4428 wrote to memory of 5104	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	88
PID 4428 wrote to memory of 5032	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	1208
PID 4428 wrote to memory of 5032	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	1208
PID 4428 wrote to memory of 5032	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	1208
PID 5032 wrote to memory of 4704	5032	cmd.exe	1207
PID 5032 wrote to memory of 4704	5032	cmd.exe	1207
PID 5032 wrote to memory of 4704	5032	cmd.exe	1207
PID 4428 wrote to memory of 5068	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	1206
PID 4428 wrote to memory of 5068	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	1206
PID 4428 wrote to memory of 5068	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	1206
PID 4428 wrote to memory of 3896	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	1205
PID 4428 wrote to memory of 3896	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	1205
PID 4428 wrote to memory of 3896	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	1205
PID 4428 wrote to memory of 316	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	1127
PID 4428 wrote to memory of 316	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	1127
PID 4428 wrote to memory of 316	4428	fbeaea693a1a5948798b7cac0d3c862c.exe	1127
PID 4704 wrote to memory of 2920	4704	fbeaea693a1a5948798b7cac0d3c862c.exe	1204
PID 4704 wrote to memory of 2920	4704	fbeaea693a1a5948798b7cac0d3c862c.exe	1204
PID 4704 wrote to memory of 2920	4704	fbeaea693a1a5948798b7cac0d3c862c.exe	1204
PID 2920 wrote to memory of 4940	2920	cmd.exe	1202
PID 2920 wrote to memory of 4940	2920	cmd.exe	1202
PID 2920 wrote to memory of 4940	2920	cmd.exe	1202
PID 4704 wrote to memory of 2180	4704	fbeaea693a1a5948798b7cac0d3c862c.exe	1201
PID 4704 wrote to memory of 2180	4704	fbeaea693a1a5948798b7cac0d3c862c.exe	1201
PID 4704 wrote to memory of 2180	4704	fbeaea693a1a5948798b7cac0d3c862c.exe	1201
PID 4704 wrote to memory of 516	4704	fbeaea693a1a5948798b7cac0d3c862c.exe	1161
PID 4704 wrote to memory of 516	4704	fbeaea693a1a5948798b7cac0d3c862c.exe	1161
PID 4704 wrote to memory of 516	4704	fbeaea693a1a5948798b7cac0d3c862c.exe	1161
PID 4704 wrote to memory of 2272	4704	fbeaea693a1a5948798b7cac0d3c862c.exe	1200
PID 4704 wrote to memory of 2272	4704	fbeaea693a1a5948798b7cac0d3c862c.exe	1200
PID 4704 wrote to memory of 2272	4704	fbeaea693a1a5948798b7cac0d3c862c.exe	1200
PID 4704 wrote to memory of 4672	4704	fbeaea693a1a5948798b7cac0d3c862c.exe	1196
PID 4704 wrote to memory of 4672	4704	fbeaea693a1a5948798b7cac0d3c862c.exe	1196
PID 4704 wrote to memory of 4672	4704	fbeaea693a1a5948798b7cac0d3c862c.exe	1196
PID 4940 wrote to memory of 1600	4940	fbeaea693a1a5948798b7cac0d3c862c.exe	1194
PID 4940 wrote to memory of 1600	4940	fbeaea693a1a5948798b7cac0d3c862c.exe	1194
PID 4940 wrote to memory of 1600	4940	fbeaea693a1a5948798b7cac0d3c862c.exe	1194
PID 1600 wrote to memory of 1892	1600	cmd.exe	1096
PID 1600 wrote to memory of 1892	1600	cmd.exe	1096
PID 1600 wrote to memory of 1892	1600	cmd.exe	1096
PID 4940 wrote to memory of 4016	4940	fbeaea693a1a5948798b7cac0d3c862c.exe	1192
PID 4940 wrote to memory of 4016	4940	fbeaea693a1a5948798b7cac0d3c862c.exe	1192
PID 4940 wrote to memory of 4016	4940	fbeaea693a1a5948798b7cac0d3c862c.exe	1192
PID 4940 wrote to memory of 2152	4940	fbeaea693a1a5948798b7cac0d3c862c.exe	1191
PID 4940 wrote to memory of 2152	4940	fbeaea693a1a5948798b7cac0d3c862c.exe	1191
PID 4940 wrote to memory of 2152	4940	fbeaea693a1a5948798b7cac0d3c862c.exe	1191
PID 4940 wrote to memory of 3004	4940	fbeaea693a1a5948798b7cac0d3c862c.exe	1190
PID 4940 wrote to memory of 3004	4940	fbeaea693a1a5948798b7cac0d3c862c.exe	1190
PID 4940 wrote to memory of 3004	4940	fbeaea693a1a5948798b7cac0d3c862c.exe	1190
PID 4940 wrote to memory of 3408	4940	fbeaea693a1a5948798b7cac0d3c862c.exe	1189
PID 4940 wrote to memory of 3408	4940	fbeaea693a1a5948798b7cac0d3c862c.exe	1189
PID 4940 wrote to memory of 3408	4940	fbeaea693a1a5948798b7cac0d3c862c.exe	1189
PID 4672 wrote to memory of 1256	4672	cmd.exe	99
PID 4672 wrote to memory of 1256	4672	cmd.exe	99
PID 4672 wrote to memory of 1256	4672	cmd.exe	99
PID 1892 wrote to memory of 2724	1892	Conhost.exe	1186
PID 1892 wrote to memory of 2724	1892	Conhost.exe	1186
PID 1892 wrote to memory of 2724	1892	Conhost.exe	1186
PID 3408 wrote to memory of 3332	3408	cmd.exe	1185

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fbeaea693a1a5948798b7cac0d3c862c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fbeaea693a1a5948798b7cac0d3c862c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fbeaea693a1a5948798b7cac0d3c862c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fbeaea693a1a5948798b7cac0d3c862c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fbeaea693a1a5948798b7cac0d3c862c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fbeaea693a1a5948798b7cac0d3c862c.exe

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
"C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4428
- C:\ProgramData\ksEccIwQ\zqYsckAg.exe
  "C:\ProgramData\ksEccIwQ\zqYsckAg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:5104
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:316
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncAYQMIs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  - Checks whether UAC is enabled
  - System policy modification
  PID:3416
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3896
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Modifies registry key
  PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5032
- C:\Users\Admin\yOckgIsU\asogEYIc.exe
  "C:\Users\Admin\yOckgIsU\asogEYIc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:516
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1172

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:1892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:1372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    PID:4452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKcwEwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
      4⤵
      PID:4880
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:664
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5032
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1508
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4664
    - - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
        5⤵
        
        PID:1072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
      4⤵
      PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
      C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
      4⤵
      PID:2788
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3512
- C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
  2⤵
  PID:4056
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:2376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
  2⤵
  PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feMMUkAI.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
    3⤵
    PID:2152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    PID:1816
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4436
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3528
    - - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
        5⤵
        
        PID:1508
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
        6⤵
        
        PID:2920
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biQoAMwc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
        7⤵
        
        PID:3424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VukoUwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
        9⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        
        PID:1772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        UAC bypass
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAUUEcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
        8⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        UAC bypass
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
        8⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
        7⤵
        
        PID:4396
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4720
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1892
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:1800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
      4⤵
      PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqIckEoM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
        5⤵
        
        PID:4008
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:3376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
    3⤵
    PID:4584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:2624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOAokcQw.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:4484
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    PID:2996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuoMMQcs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
      4⤵
      PID:2460
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:4704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qeosccMU.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
        5⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1128
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Suspicious behavior: EnumeratesProcesses
        
        PID:396
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:940
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:4564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
        5⤵
        
        PID:4108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caswIsss.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4672
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2272
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2920
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4724
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
      4⤵
      PID:1836
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      UAC bypass
      PID:3488
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCwcoUEc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
      4⤵
      PID:2900
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyUkYwkE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:3468
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    PID:2188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
      4⤵
      PID:4040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgcsooQk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
      4⤵
      PID:2152
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3980
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1128
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4252
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4716
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1252

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaQoQQAk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:3188
- C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
  2⤵
  PID:4212
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    PID:3996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:2032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIgYMMQo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:3912
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2900
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4916
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    PID:2060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSEoMcIA.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1808
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3348

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:3468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:1600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUYsUYkE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:4688
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:2260
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4612
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4012
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    PID:396
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1088

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:4116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:1172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    PID:3116
- C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
  2⤵
  PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGkEEAMU.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    - Suspicious behavior: EnumeratesProcesses
    PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcQIEscM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
      4⤵
      PID:4812
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2556
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1608
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1172
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:4924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGgwAAUo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:1600
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2400

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e81bb5df99824af4df653f5b58f606aa GWEBFuMuekO7LqBgRQNq4g.0.1.0.0.0
1⤵
PID:2496
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:464
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4220
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:3760
- C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
  2⤵
  PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
    3⤵
    PID:1612
- C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
  2⤵
  PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoUsIMcY.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:1928
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2704
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2908
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2856
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:3224

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:3116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:2440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEokgQUM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:1604
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4060
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuwYYwYw.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
    3⤵
    PID:792
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2228
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4928
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:3720
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3408
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
      4⤵
      PID:4056
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3376
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:3996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:3488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\geYgEUgc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:4960
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1724
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3828
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:3424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
    3⤵
    PID:1152
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      UAC bypass
      PID:3920
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4968
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2184
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:4052

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:3320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:876
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3420
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3420

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:4704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:1920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:3692
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:3652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:1244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkcAMUIk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4388
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1600
- C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
  2⤵
  PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAYUkowM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
    3⤵
    PID:5092
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:4212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:1616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqYEEYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:4620
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:4880
- C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
  2⤵
  PID:2252
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
  2⤵
  PID:640
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4000

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:3376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCocYYEg.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:4336
- C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
  2⤵
  PID:3320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmAgAAgk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
    3⤵
    PID:3476
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:1300
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcsEcEQE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:4924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
        5⤵
        
        PID:2908
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1616
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
    3⤵
    PID:4852

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:4584
- C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
  2⤵
  PID:4436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
    3⤵
    PID:3900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1816
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4196

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:1824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\taEcQUgw.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:2220
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5036
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4396
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3144
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:3476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:2708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:2932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyMoYscc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:4716
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4852
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3720
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5108
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:2972

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:1088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUQQYIgM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:1816
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1600
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1248
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:1124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:2628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:3804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:4968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEwQgUck.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:2972
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEwUIYkw.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
    3⤵
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
      C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
      4⤵
      PID:1876
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1600
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:2000
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1552

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:3144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukYIwMsI.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:2788
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1124
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4388
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:4040
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    PID:4292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:3364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NocoMIAk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    PID:4960
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4792
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2152
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4960
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:3288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:4704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juAgUMwI.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:4580
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3336
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
      C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
      4⤵
      PID:4108
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4308
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWYgYUkc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:2220
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiEksQsM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:3188
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3568
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
    3⤵
    PID:1772
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      UAC bypass
      PID:2488
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1888
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:1000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:4612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMgEsMoM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:3660
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2828
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4500
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:2168
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2604

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:3336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
    C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
    3⤵
    PID:3980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEokUEks.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
      4⤵
      PID:1552
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1896
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:372
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
      4⤵
      PID:4584
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yucscIEY.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:3116
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4880
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
      4⤵
      PID:2880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kowckcoo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:1800
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:664
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:60
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:4212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCAkowcc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:1968
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1420
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2348
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:1244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4040
- C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
  2⤵
  PID:1604

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:1172
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4796
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1464
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkcoIQAY.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:4880
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5068
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3376
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqwoMgQs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2836
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4052
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:316
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:3320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:464
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:1248
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyIUUsQo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:1608
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:372
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3616
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4928
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vSoIssgE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:1508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcMQEgwg.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:876
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2276
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3628
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:1896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAcsoYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMIIEAIs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:2000
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3512
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2856
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:4336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmUUcMYs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:876
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwoggYkY.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3524
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4440
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JeYEQcEA.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      System policy modification
      PID:1444
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:792
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1772
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4388
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuoYQgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4680
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwsQQkIE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:5004
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4568
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
      4⤵
      PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
    3⤵
    PID:1244
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5092
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwsUMMkE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4484
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
      C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
      4⤵
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
    3⤵
    PID:3144
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkUQIgss.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1172
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2352

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCIQskAY.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:3528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3420
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsksYUQo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oScggwAo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:1816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAcMMoEE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:3884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:4132
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKwUUocA.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:1892
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3288
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEUUYIAs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3804
  - - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
      C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
      4⤵
      PID:1724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEIkYQAg.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
        5⤵
        
        PID:4584
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
        5⤵
        
        PID:1720
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1616
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqoIggMI.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
        5⤵
        
        PID:4052
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:4680
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQogkcso.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
        6⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QykoAIMo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
        7⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
        8⤵
        
        PID:3100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        UAC bypass
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
        8⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
        7⤵
        
        PID:4524
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2220
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:920
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
        6⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4712
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
        5⤵
        
        PID:1148
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3652
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
      4⤵
      PID:4080
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1928
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
    3⤵
    PID:1600
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3656
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5068
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3772
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:4012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCIgkIcc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3224
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2112
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYkAIMcw.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
    3⤵
    PID:4968
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      UAC bypass
      PID:876
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1932
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2932
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3048
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsAssEAE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
      4⤵
      PID:5036
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:5068
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4716
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      System policy modification
      PID:3804
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
    3⤵
    PID:4252
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:912
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCYgMEwE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:3144
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2460
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1676
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:4916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3024
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3340

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:2112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCMMIgkQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2748
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4212
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2224
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:4452

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:5072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:2252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:1724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyEUcsAY.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WsMYIEcc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:1452
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:876
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1824
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Suspicious behavior: EnumeratesProcesses
  PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKogYYsI.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:464
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RasIoYgs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3408
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2152
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
      4⤵
      Checks whether UAC is enabled
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1600
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:2728
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMcMgYYg.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3528
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      UAC bypass
      PID:4544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGoEUoMk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
        5⤵
        
        PID:912
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2400
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1088
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:2624
      - C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
        6⤵
        
        PID:4988
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2088
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Checks whether UAC is enabled
    - System policy modification
    PID:1928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3660
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  2⤵
  PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4672
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:1172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuwMQowk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:2296
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3920
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1608
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2272
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2224

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\veUQQQoo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3416
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3188
- C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
  2⤵
  PID:5096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:4928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jacckQYM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGUwQccQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:4212
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3028
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2024
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2460
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:3524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- UAC bypass
PID:372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueEwMQYs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:3236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:4796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:3996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4720
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUQcAcEY.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1896
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1816
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
    3⤵
    PID:2724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1176
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiEMEosk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:3516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3188
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:2972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2180
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3452

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
PID:4712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiAEoQUE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  2⤵
  PID:4424
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4412
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3668
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:4928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWIAAUYw.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:792
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEYwkAwk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2272
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DccgAIQg.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:940

C:\ProgramData\CoAMMwgg\ZiUgoYQo.exe
C:\ProgramData\CoAMMwgg\ZiUgoYQo.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1448

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Modifies visibility of file extensions in Explorer
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CoAMMwgg\ZiUgoYQo.exe

Filesize
431KB

MD5
f698fc6810e362ebb41ac4e30dbdb2de

SHA1
a9fe5bfbb518463c0e94fbca57d1157ee823a49e

SHA256
3a24c7b2c1ca6f53b7d40aa34444bed6bcbd6051c39cacb21ef9906ee16ab97a

SHA512
3f54d8e782542188457797c3086745d8226edd745bd22c656f000cac5aa882b5ac238d6729c2f3eb280ac7ca6d6566eb94e02c90ccd7f930f289f217ee63e083

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
1.0MB

MD5
88887d81797b50122405ac94277f8684

SHA1
237446a98574d43e0745c8fa0b5728466ed6f77c

SHA256
6c1b92df1f21865513ca3b0bab83bafeb9f1ab4486e726c53eb330696b8a3d82

SHA512
6f2436d85a84e20ec7a3feac2b0304f46635155bc9ba813dc0a851ce5a21678b0835984971eaa496cb0e634fa1fa975fab34d61e72bc4f1f413c63b0376f9aa2

Download Submit
C:\ProgramData\ksEccIwQ\zqYsckAg.exe

Filesize
432KB

MD5
64863671f2c5672d0ae5f88c0913b366

SHA1
0b1601c693cf3fc9941bfad96be71a7a64681144

SHA256
efadd37e270c4ce10c90d1764d5eef5e61f4f62072e7b0fc3b4169ba1db434fd

SHA512
333f7563c273b265418c94248be8ab6a2325876c4924d080394e173ef3cd4d153afa2c2c7887c3107897a1ec1c3b58970eeea892795aaf81cf95978c4507a9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsIs.exe

Filesize
442KB

MD5
33dab2e4359d7594541fd81bd35da4c5

SHA1
d66dec9dbdb20d00a5874e4498bfe5427ba6be98

SHA256
7572c079f2e627ef84a10620344c921944986613a762166997569f67d70a9821

SHA512
1739df3b6d6f932559065bc02e6b403f1416e0468e31f91f236d509d13e4fce6a45c2452248d3ecf878468a920e09ce389128a4a2237c303e43647fed055addc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIsI.exe

Filesize
437KB

MD5
5f968cffc320b0bc8131fd3c408be0c6

SHA1
e324b3cc17765997848031df32b828db1d4daf50

SHA256
f188f8bf11802fb8658ac423c937507c54bd0bbac114788df97037042d49df4f

SHA512
623cfb83b96b1cec438e90fa564b1b7383d561bf05e82c75e368880d4fbb1333bda8ca3bbb2cc1abcad011f34cb0279ea38cf00bb79348582fdf3ab5eb5cc9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYkW.exe

Filesize
559KB

MD5
abe51baa38bef6705cc373ff2e62c0b7

SHA1
77848ddbd8407b732cb43ba5d01004464a386036

SHA256
b7a9c7179a07ab6ddb5c821264f11ec19969ae5354f900be8ecaa98eea593c2f

SHA512
71184a8b7c7947ccdcbcda9cba0480a3f30298512cd618c663f64272a394c2bb6815530222030906682a3ec262bfd0383b8d56f9d255adbb767d1a5a3b67b9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcsU.exe

Filesize
821KB

MD5
5b52031b409bbb849342e79534a70834

SHA1
274c359b27c9d3657d7f28de6513dcc5715069f3

SHA256
6ba55cabcd6a59aef325f7e69a71e8ea4db2c634de0c9dd7c4e10cfb520a54bd

SHA512
0ec27f506693e0c876d1840f468e7bdfdf75a0d642eb537033ebfe5954d2c839dcf8fd3f2b31a9aec22a91e30f829bf358010804fab490809eaf35a57c4f046a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ioge.exe

Filesize
443KB

MD5
4788d3eccb715470688a730b1275b7a4

SHA1
47463731803f075a8d07e328b6f7f751e1ed0476

SHA256
66f4e0ad3506bd374a0c2c40b1ec3a582d865dcedf7fe2806e0f17c434d5ce93

SHA512
c2bf78726f1f01d2f98842bbed0291a9680097c7d11342b0a92e8db4601a4e6cff6a1398029fa146864c77f23fea4f9a49c232ba141903fd4a61fbb7ea55cdce

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAAC.exe

Filesize
884KB

MD5
ad56a2244627fc44fe1ee5493aa73ae1

SHA1
3abb2a31bcb76c2ebd935bcfa1492a297a4a68ed

SHA256
35bbb5594ebcf5985e9403992fd6ea007b8e4f4552fd30e36efa38a872b82cec

SHA512
5347fcfe512e0562437c0cfe809325f6a571d88cb3c17107f0d905b3d738132f9afe71a8f821818713a11b649ec4f8dab1e404ed2b323ae31cf8b7289d4999cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAUw.exe

Filesize
435KB

MD5
3dbe93c2fd512f9b186d221fa8e90344

SHA1
24b1e39d7325b71189d5ea2ae6ba980f76f4ec4e

SHA256
dd04d7135966bcd0c1772f8c928181861d0389b3da7b09360553c89da44988a1

SHA512
6e5c423eab59e60a1abd35a43ab6b69af12e86c21d86408979ae30e0a0c06ee6afb69e3ab2f6c3915209b4c2168a32697d285a70c07977b78f47db6c2c7eaacd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwUu.exe

Filesize
442KB

MD5
14fc624fff57bfb0c90b1bafadce45cd

SHA1
05f220bf91c706df2b3efe951aaaa65d37d687a1

SHA256
bb75f76a78ae67a9e5e221e568770bfe83d37bd183aa961a66b4f28a683ff07e

SHA512
b774644487810297efb4001022a13fa3e2e5f060400d2e433fa612b5085c5f5456d5b409ef23cf302c988271b2fe6e29061deabe30268d039245680f32f58078

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAcU.exe

Filesize
442KB

MD5
2dd236f591dc1de7e7ae68e0435bd60b

SHA1
6c6f38f264278033ad6a99c5be324a3781e1e953

SHA256
8dca9941750dd82f1e99998e033d67825c655bcde91c2695737f4a52c8c8d626

SHA512
fc862185086a2dd5d06aa3767bb6687e5f97c349acb7832247e2266c2c5b18adb0ea76b134bd1400dc83080fe6cafa3c4c1f64dc2f1083caf87cf184fe806dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEQQ.exe

Filesize
446KB

MD5
7ab4410977e256ec5a1b60ee44e2c5e0

SHA1
839b0f46f392a09fd4a2de0ba202ce0f3d9fe66e

SHA256
31919d2868a3d2d3c9a2f248ff2f759f5261247d9c8a9af86ffa20337a6830ce

SHA512
54944756021e7561fdb61919017f368e9aa31c75927680b6435f15003ebd6952764ce74cdbdaee2f174996266a9addc148649fb5c2486b97031bae882820893f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mwgw.exe

Filesize
501KB

MD5
de7b8c5359bf836b0ec39e2e55bb3c39

SHA1
30729622e9a5c9dee46449382607a2e2c577f25b

SHA256
ed86ceb61ed7652a7d08dd32121bd93b1903d3bbd3554ba07d14f6ae055abd3c

SHA512
d1e63aa48574b93c094d51f04b560a0765d9800651ef238184a96693cb5562877811f92a62d589e4c7ec129b904656b46a77c5a5fe1d6038c0adc37319b2e220

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUQK.exe

Filesize
437KB

MD5
a55684e206c83449032f07eb92ec90d4

SHA1
34bee6535bb9079d0a4bfeaf5303beea09e3f3fc

SHA256
6376c308fdea0fca7d8a0347776851584ac25b47cd0836ba1f790133b9bab85a

SHA512
e70c8c791ca8a18eef6f0c89f9903a8bd383091724ec8f55a369d1f7b38ad4e39391238f0dea5cc89ce9cb22a87173d7e043f000c06e902c24cfb3490a427240

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIkC.exe

Filesize
442KB

MD5
352bb4b3c8631d27f157fd510bfbd1cd

SHA1
20c73d6584429db26a7d57915721e2c57e74d0b7

SHA256
7ab51f8d93dc996fd5663d362dc24238415138624a6de5e25505e8223e99edfc

SHA512
53cda515ba9ba34b50e11dfd52e829a8dbf5e2f3fe2e97af7a23928c137af3bd5900b39ada07b94defb8ac0e7c42eefeedb7bfe51029833dbbb0d2bea3a4b087

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcUA.exe

Filesize
914KB

MD5
c88839adae48aa562849c6c589112826

SHA1
ecdc28fec3724ccf2bbf202333de4a84e6923d91

SHA256
5d5f57fc676ecaa6a91906d13e515b697eb8fa7c713aa8fbd65e0450784e5c36

SHA512
9fc4a49beb374601cb18b9e11a3fe303c961b0e3c8b84889c84d1314b018984a7433845c50743bb327bb073cac6db7a62a18d294d98a0ffcd0e53c9d59b4a9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwYE.exe

Filesize
438KB

MD5
8d4db2f8ce0ecd2eb08ae2e437ab8da7

SHA1
3184c8e140351296e02adfad26e7783b845618d5

SHA256
d75238c813bd6792cae74dbcb7e9d31d163825804d1683e65e22750bc40e1eb8

SHA512
01bcc9797d0e26eecf371915f47c73919a058719defd592eb7f843d8393c3f49263a2cb218dca1bf1f3b97e5ba113ff752c763baa45966b819ea8d0d94f991af

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkMO.exe

Filesize
437KB

MD5
b021f235dc372b87c7b8b5f458889aec

SHA1
e8f8ce27b01a1704ed22700d484e156f1481154c

SHA256
8035873baa1e58abf58b65f09c272f5598e6002d13900285f879991fbfb49e6f

SHA512
e809d99dd12e67747fbd7cba76b0bed123569ad35ebb96211a1c55be836f85456890189570dcda81cd607d1a4e5a1865d087664f97636e0cb5b25a602edd1e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAsS.exe

Filesize
459KB

MD5
c54ea5b86336548896c8001cb90d0b30

SHA1
ba13dcf80125b47b7a28a6181aa846a841fbdce2

SHA256
567442cac255317a3c1941d5ca8741406ada89f43ef295d5dba397845ec59294

SHA512
7a4c2ca24e4e2fe5c103e816c9c27d7ca3f3ad59f77a9dbc218974bb86a82fe087e41b3c07541de1824a14cfaec02b9b494543080ebeeb2da39de614596d06e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIUe.exe

Filesize
438KB

MD5
8e69fd3eda5c68c754b5469b1dd074c4

SHA1
e54ff1609a27b0a3d5536ac443f113f6b480571c

SHA256
d94be1e37866b05a832361959ce5921677999892bfc5fecc18bcc29a8349c233

SHA512
c216de18af298efb2c968dad8c7a2356e4b328131e29ed49bd610631b856c809bbb2e6b6a9df9a2d73cc836c8c43aafaf216f20fe616af579931eef84e9e7c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMMS.exe

Filesize
1.0MB

MD5
92fcfcf499ef75e472b67dd59fad101d

SHA1
97f1c221116621df4ff4b86569b73bb9ee13a2fa

SHA256
cc3be43f1ba649a62f281c8a5446f8c59507b321c6f707577d00f9ecb36d0bcf

SHA512
c6a150bd7342aaff546f450907c9aa76c77a4e8204d5a0f175e842097558d4a381465e934010758283b6890c650d070a47821cc137824961117a8c319ed9ae8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYUY.exe

Filesize
858KB

MD5
a2d539ccff412ce45d2126a32d58bd44

SHA1
7ff10f2c662a30f305ee2916a7fc831a31f6f8f3

SHA256
b03ba894bbf748be57d16c371de4a8b3f1a9e7036ab9db22c17d3ebf89ce4a1f

SHA512
8d5ad72e4c99163956f203d2f2799f95276a7f03396e82cc653f4b3a809167a5b2cd00e9aec1287258f0590ee5374c19b894f96b1fb99c97a3ac92c13a473956

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAgA.exe

Filesize
1019KB

MD5
640cd172b95f0871d88c8a82aaf95d97

SHA1
1ce1f8f220a30c1de9ad8f47c2cbd1ad94ab2fe6

SHA256
5e5cc2058626be9c8e2b2d11e4cac88f3b5476cd38c97cce400c2eb65dbfd360

SHA512
f6d390fbd40181512512612b5e5b750270cb67237928204b7952fea92899d06ee3495aedbec131cb6fdbd119cef31e46eb43da7f897fb450d5562b8de2fb4da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQMk.exe

Filesize
439KB

MD5
1d2b62a980797375ba650f1e7b862891

SHA1
c5c27853729b92f5da415b35d1b86df6012b4772

SHA256
ac79c85f24dc41bf48f0a2b82e8fd6b6e332ee5a5648dfffc785ec2ea7ce70b1

SHA512
55f131ccc6dcf1cc87ccd3eb3f54e9adc8a3491c308276c64eb5efcda8c75ced46a4debc7e2cbc3b1205ec6146af70ca63c59294eb7bcc214fec81a1b4099871

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUYo.exe

Filesize
810KB

MD5
dccb2b293075b50dc659871e64a9120a

SHA1
6b0231001a050203d87655194f644d7b9ed8a9b6

SHA256
560298fc248d48cb5e2edd04fe952bb1b9361b05388aef31c77ba755b8a3a091

SHA512
7e7155ba02abee7bd72ec71af7531f4c2acc0305f0444a1a284d9ad5a6c537b986f183cb0612c1a0491b0d92641a7e2e66314b5f60841ae329f5e1e6c94a1406

Download Submit
C:\Users\Admin\AppData\Local\Temp\csIQ.exe

Filesize
439KB

MD5
f0b141fe52d7b3514c8b88f448fc9ea7

SHA1
8ac434d7b473674e8b0ca09deadf3403b71c63d9

SHA256
8a2608e167cf1d63ceb6cbab751720358b57e917229929af485324398da7fca4

SHA512
294535487fffabc0785465da6ee2391099cc1af46c1d29f5b86035744ce52d338d70b2683ec74037a0a197cd8754a47e19e8a845612db37e85c63a8e1f2a94a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekks.exe

Filesize
887KB

MD5
32b1759dfac505351addbf01abac8307

SHA1
54343e02bcaf9d9aa45b8391bdea19e9027da2fa

SHA256
ba4743dd0de24271b6b6f8968a9427e3ea959319d9dcdc2f7efcf2ca7ed5576f

SHA512
a8287ece161e407d1cfbd199203cd51744c9f199bd2b3792f31537ce2195832378f1b81e2b941e5bda5b8db3460b5644c0a735b68798cfd2edd594f3fde39eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c

Filesize
48KB

MD5
c8d351bf2848d70bacc8c54aebe5ce0a

SHA1
f3e4789442f2bf6f76a03d2462bcdc26e9efc78e

SHA256
b0c2252a53340d411dab77569089953661edf4bbb0e87c2b4b7ab792adc9818f

SHA512
18461905567ed2e40fa29dd7ab1d6a485e0896c8860180286f5524cb4fcc75890b3dcd785163f962b2e3819f9c4bd62d353feb8ba1ba67f73011ec4b42eb2ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIgs.exe

Filesize
876KB

MD5
4f73ec550355d023ca52944ff76ace6a

SHA1
9a16e843212c41e66da746bcc72ba8bb78a2a464

SHA256
645f525cb430ea42340b89c25d37f192883d04536db730e6c2f5c38f3317e7fc

SHA512
0efa470801237153aac205977a94f8cb42d28e547bb107b204befa7283ed058fff60149af354cd641a09b00582a374fb4dc9b2db85b766695bd0f9c60fbd98d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQMc.exe

Filesize
439KB

MD5
9f7f847b81bf61f0436271a85cc965ca

SHA1
6966d17a1eb658daaa7f77771f57a68520435a78

SHA256
4d4745a103ab420f67531fede1e2e55c6fee091f55b0629c01118a73de561c97

SHA512
69e248c6c84eb849bc437785023fde90db97b870da6b0461561eedc79d3dd480d6ee1cbe6c47e33e7823b43e4ec5320b47f14330fd64dcf41a836e9c541fdbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYsu.exe

Filesize
435KB

MD5
57703c76d1f8978159884190051bf657

SHA1
248e733784904f0fd906fcf23259b680637803b5

SHA256
b766eba65ccef6b5dc5768b4c863c69e86b0b8ae72fbdeb79a8d0668333dcd68

SHA512
a9fb5c7e52f34b306e6f732b6795b203916838c5ae832029cb8d60ec90f10a3e06e2ba9a76406e5878bb52bb4b9fe81533f3a91f4594a09908f952e853f196e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikUM.exe

Filesize
877KB

MD5
cd53afeeb5fd4e38608a861221e51c51

SHA1
6dff4b85f05bca0c4adcd5090b8ebec2cfc9694c

SHA256
416d20a0874d9619cda11a8b003280c3fa5094e7865bc36cad5ff4f5a6f9841b

SHA512
f8f82682d25dfbc19e48cc432ce819a3d22591db276787c308fbf14d94d7e4d761fd60389ffadce7589dc7bebb38ace37c2d7cc0922c765d9f98dafb81471392

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksAA.exe

Filesize
437KB

MD5
9c2bb64ea2bc3cde370c764e9369ee86

SHA1
ebd52fa395e15cfcfd735bdf16654981abf6f5c1

SHA256
9703568da1d88183bb643670f19b238379f9149cf1ae02494a4f5ba1d02eb46a

SHA512
82cc4ade6223838c042b54de6bdb27974b81a806662065421826902b0644af7bc69af6b131ad9a9cbfef0e705b9049b2d0b5a7af7e298d17779df3a1a074b926

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEQW.exe

Filesize
437KB

MD5
e9a3f6eada478775601c8e52db014f12

SHA1
1ce92d2deecda28d923fc335802344f4dea1c668

SHA256
009edc299966b58abf45cd13fd626c9b36cbccf3e749375f8d816218bafea6ab

SHA512
d7a448d2ba7dde23c11cffb4797c6a1d7819a4a2fe07d2a05b0357ab16b655c1a3f3f9887c594f769a1aeee6e7fcec400910bee05431d2dc1cb95f1855a53239

Download Submit
C:\Users\Admin\AppData\Local\Temp\moQs.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncAYQMIs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEQE.exe

Filesize
439KB

MD5
0a38e006b7279e9dd0eeb6c060f87fe2

SHA1
e04ae7b65bc253744cf6222b63ad59f40bd5061e

SHA256
0895f431ad1ec7ed5dc1ff9f8d388a9dd8f6a249324be03c2eb2f59cc63bed01

SHA512
191c8233d585f62d6604e7e4c9aab2a5334353ec1aab207caa20697f00663654b0153c660a6db5abddf2b283fee7b36701cc6cab9833853f00803f5e152884ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIkI.exe

Filesize
454KB

MD5
70af972273d8a6a389dfbb1b4c85b976

SHA1
89723474251f5c1e0d57bf9d7fab7aaea7fe58bd

SHA256
e737381aca83bcdfd8cae0ccce4726046b55bbd8993725db100cdaaa157faa51

SHA512
9bac10f21220803d2dc77b5922503706b7adb1d19c1c8161691a66f393d453c6bfb5a6de5a45fd6b775f93c9ecd4858d9eef01fcd7c7f3bdc184c771a7b3c308

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQoS.exe

Filesize
431KB

MD5
b7783a7316557958b604242dbe9848c2

SHA1
9844213e39123f84a78fb9ee41928e0ad71d416f

SHA256
b8c42c7a5625e6e7c628f5eb6290e64fa7f2013c56b2f1c4d16f42784f529218

SHA512
96feb068d44ca25b676a28b80cf8435be49c0bc6dd6a79937eb64915b8afd8bb1ce2aa890df0cf373a34bc22f8ea05a2dfa482a3147a620a00197758aa0dc080

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMMq.exe

Filesize
475KB

MD5
606dd3dd02145b32b43cc461d5a405be

SHA1
a1ecc330a22d512f39fafccd6c5186573eda8833

SHA256
a1fb0e2cb689778625bc87685f3f5e3c46b42025ba266239822ff9d5856604c6

SHA512
485a6f86d0b672e5e3bad92719d19101baf1e98e38c7717300995592aa5b051fb31c7c5315b66757c435b4aeef369eef15c9ba77f547cd01116fff5c1ed2708e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQQU.exe

Filesize
445KB

MD5
a5e08aeb5dc19e8690fa3e22ca1aca7a

SHA1
eabcb94639d6219bc44bfe0112dcfd970ed01724

SHA256
8aeb83c64ba906b174732797b7ea5eca95e264ba8543c236fb8f3099817e0b8e

SHA512
f40c62d03ec3888798c840f8824d73c3ce3a857e43e7d134df615dd9e0f79d1e8e0223049aefa0ad332ae91f8100ce6a9366f474bde33c8c926dde93bc7f1010

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQgI.exe

Filesize
440KB

MD5
e666eeb8a91424807d300ae705cdcf5d

SHA1
c3da6c7357e5a7db2252c610761fff75de96235d

SHA256
27fe39213778298918891627982d784aa20ed38ac300dc59f31f4127bb84d0e0

SHA512
53f786d02a793a618cc5a9af9818394da3097c575466597d8aaed6acb4a79692ed4901d8f3014b6b66b18a7dd8a6a8c0cdbfb1b3a4a0359c4aef461840e9b35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgos.exe

Filesize
560KB

MD5
b991a89822bfd08dfaf4bc432e81ce5b

SHA1
128245ce7eeaa59e8d2c306ee7d408f6284775ad

SHA256
4dbe44997639e927e255be9dfb692a381fde761827601e1e0ecbfe339222d98f

SHA512
cdc68fc33998d822abe74f8695b7b94585fba325ed7c290a843f8c75614dba958ad01eee294e3e4fc4c51ad957127685e89b67d4a404d99bcdd21bd29408d023

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQsO.exe

Filesize
6.1MB

MD5
876035d0d473278f3c6a2f9d3c4ea95a

SHA1
e481db0c5d813d19e29e6bf2f17e9250022f5742

SHA256
656951c9b13ad1490199dd9c454356d2fd2e6508da25722d7ec6437c93bc0b70

SHA512
1c5a9d08230d824eb9b5e5a569ed5a577d481b0854823458c722ca003827eda306014d24d3683d72a17527df21136f6ca1f143502788e847ed20877cb95705c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYsW.exe

Filesize
457KB

MD5
2e854a25e69e74ed98f85eb986807ee5

SHA1
129c9c2687e2c07cc812858c8c56686a0d31e07d

SHA256
f02feedc8b8066409a8988dcb509a09c2e6bb57ce112274a2829b2090a595934

SHA512
7536989b6ebf8873fa9f69b89b2213e1843b480397b0f2df6688b3e3ae48714d2d63919cefdedeb69cf7bcac573438985103658fc6e09b4407296c7a837d440e

Download Submit
C:\Users\Admin\yOckgIsU\asogEYIc.exe

Filesize
432KB

MD5
549274b86dc89ba1c4b1fcd5ee391904

SHA1
0440a6b902fd9a014c29397384f5e56498546f0d

SHA256
e53a6bc8faca38b0b960e43f887cdbedcc9f2f20b02d94089a1f7e732f3661e1

SHA512
9a7dcfcaa09af4d6d2c047a8bd16ce25ecd065eee178d13937630844ef0d0b069306f7807b4f5c0b1ecf5f90d27f7f647f3751828b540df84cc360b63f30422d

Download Submit
memory/396-139-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/396-155-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1244-184-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1244-200-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1248-143-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1248-127-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1372-51-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1372-67-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1448-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1448-126-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1800-175-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1800-188-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1816-179-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1816-162-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1892-38-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1892-55-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2032-876-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2060-673-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2060-784-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2376-105-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2376-89-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2488-226-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2488-211-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2636-167-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2636-151-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2836-114-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2836-131-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2996-411-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2996-301-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3100-250-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3100-267-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3452-238-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3452-254-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3900-212-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3900-196-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4212-881-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4212-778-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4416-6-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4416-101-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4428-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4428-227-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4428-87-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4544-263-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4544-332-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4704-79-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4704-31-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4704-22-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4704-92-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4712-78-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4712-63-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4776-118-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4776-104-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4940-41-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4940-547-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4940-27-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4940-483-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4960-695-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4960-593-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4988-221-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4988-242-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5096-602-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5096-529-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5104-113-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5104-14-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download