7333c1f267ddac67e00348ad7f43da843ae7f3f5ea9ad293b3a3c473b7d1f70e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2395bd0420e2da5a0488879fbe9338b9.exe
Size

480KB
MD5

2395bd0420e2da5a0488879fbe9338b9
SHA1

b50e534ab4fd248700998dc3dab030acafb3898f
SHA256

7333c1f267ddac67e00348ad7f43da843ae7f3f5ea9ad293b3a3c473b7d1f70e
SHA512

20864582ffa13ab17dcada0d306619ebaf03ebe85f7f30b967a9dc84e291bd862a5b1c5998c79a24f6919045c10c63761a75c5a217cc7c7ef1a11c544ec6d56e
SSDEEP

12288:NKwB7cXAS2USFm6LkKR0Yqmt1hPUnbGsbpnc7OM5/MS7GGAzkLXk8:NKw7xT/LTRlrhYlnc7OM5/MSKGAYD3

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
49	2616	cscript.exe
52	2616	cscript.exe
55	2616	cscript.exe
56	2616	cscript.exe
58	2616	cscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	kyYEowww.exe

Executes dropped EXE 3 IoCs

pid	Process
4372	kyYEowww.exe
4856	UYIQwUYg.exe
3168	DuAUYYQM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kyYEowww.exe = "C:\\Users\\Admin\\TYokcEQg\\kyYEowww.exe"	2395bd0420e2da5a0488879fbe9338b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UYIQwUYg.exe = "C:\\ProgramData\\nGsEUkcE\\UYIQwUYg.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kyYEowww.exe = "C:\\Users\\Admin\\TYokcEQg\\kyYEowww.exe"	kyYEowww.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UYIQwUYg.exe = "C:\\ProgramData\\nGsEUkcE\\UYIQwUYg.exe"	DuAUYYQM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UYIQwUYg.exe = "C:\\ProgramData\\nGsEUkcE\\UYIQwUYg.exe"	UYIQwUYg.exe

Checks whether UAC is enabled 1 TTPs 36 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2395bd0420e2da5a0488879fbe9338b9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2395bd0420e2da5a0488879fbe9338b9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2395bd0420e2da5a0488879fbe9338b9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2395bd0420e2da5a0488879fbe9338b9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2395bd0420e2da5a0488879fbe9338b9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2395bd0420e2da5a0488879fbe9338b9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2395bd0420e2da5a0488879fbe9338b9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\TYokcEQg	DuAUYYQM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\TYokcEQg\kyYEowww	DuAUYYQM.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	kyYEowww.exe
File opened for modification	C:\Windows\SysWOW64\sheConvertExport.mp3	kyYEowww.exe
File opened for modification	C:\Windows\SysWOW64\sheCopyAdd.mp3	kyYEowww.exe
File opened for modification	C:\Windows\SysWOW64\sheRemoveSave.docx	kyYEowww.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4340	reg.exe
1412	reg.exe
1552	reg.exe
2144	reg.exe
4988	reg.exe
5000	reg.exe
4208	reg.exe
2304	reg.exe
1152	reg.exe
5000	reg.exe
3008	reg.exe
4840	reg.exe
3860	reg.exe
4648	reg.exe
3656	reg.exe
4604	reg.exe
1136	reg.exe
1596	reg.exe
1620	reg.exe
4212	reg.exe
3868	reg.exe
4828	reg.exe
4592	reg.exe
3868	reg.exe
3372	reg.exe
1228	reg.exe
3748	reg.exe
1604	reg.exe
1120	reg.exe
3464	reg.exe
3664	reg.exe
4920	reg.exe
3892	reg.exe
3868	reg.exe
2884	reg.exe
2880	reg.exe
4476	reg.exe
2876	reg.exe
460	reg.exe
1232	reg.exe
4364	reg.exe
2892	reg.exe
4880	reg.exe
2144	reg.exe
728	reg.exe
3356	reg.exe
4272	reg.exe
2768	reg.exe
3860	reg.exe
2700	reg.exe
2544	reg.exe
1480	reg.exe
996	reg.exe
2620	reg.exe
1228	reg.exe
4828	reg.exe
3664	reg.exe
2880	reg.exe
1308	reg.exe
2348	reg.exe
3596	reg.exe
3664	reg.exe
4460	reg.exe
4548	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2544	2395bd0420e2da5a0488879fbe9338b9.exe
2544	2395bd0420e2da5a0488879fbe9338b9.exe
2544	2395bd0420e2da5a0488879fbe9338b9.exe
2544	2395bd0420e2da5a0488879fbe9338b9.exe
4984	cmd.exe
4984	cmd.exe
4984	cmd.exe
4984	cmd.exe
2668	2395bd0420e2da5a0488879fbe9338b9.exe
2668	2395bd0420e2da5a0488879fbe9338b9.exe
2668	2395bd0420e2da5a0488879fbe9338b9.exe
2668	2395bd0420e2da5a0488879fbe9338b9.exe
3016	2395bd0420e2da5a0488879fbe9338b9.exe
3016	2395bd0420e2da5a0488879fbe9338b9.exe
3016	2395bd0420e2da5a0488879fbe9338b9.exe
3016	2395bd0420e2da5a0488879fbe9338b9.exe
1880	2395bd0420e2da5a0488879fbe9338b9.exe
1880	2395bd0420e2da5a0488879fbe9338b9.exe
1880	2395bd0420e2da5a0488879fbe9338b9.exe
1880	2395bd0420e2da5a0488879fbe9338b9.exe
528	2395bd0420e2da5a0488879fbe9338b9.exe
528	2395bd0420e2da5a0488879fbe9338b9.exe
528	2395bd0420e2da5a0488879fbe9338b9.exe
528	2395bd0420e2da5a0488879fbe9338b9.exe
728	Conhost.exe
728	Conhost.exe
728	Conhost.exe
728	Conhost.exe
636	2395bd0420e2da5a0488879fbe9338b9.exe
636	2395bd0420e2da5a0488879fbe9338b9.exe
636	2395bd0420e2da5a0488879fbe9338b9.exe
636	2395bd0420e2da5a0488879fbe9338b9.exe
3028	cscript.exe
3028	cscript.exe
3028	cscript.exe
3028	cscript.exe
408	cmd.exe
408	cmd.exe
408	cmd.exe
408	cmd.exe
460	reg.exe
460	reg.exe
460	reg.exe
460	reg.exe
2336	reg.exe
2336	reg.exe
2336	reg.exe
2336	reg.exe
3172	2395bd0420e2da5a0488879fbe9338b9.exe
3172	2395bd0420e2da5a0488879fbe9338b9.exe
3172	2395bd0420e2da5a0488879fbe9338b9.exe
3172	2395bd0420e2da5a0488879fbe9338b9.exe
2884	Conhost.exe
2884	Conhost.exe
2884	Conhost.exe
2884	Conhost.exe
996	2395bd0420e2da5a0488879fbe9338b9.exe
996	2395bd0420e2da5a0488879fbe9338b9.exe
996	2395bd0420e2da5a0488879fbe9338b9.exe
996	2395bd0420e2da5a0488879fbe9338b9.exe
2336	reg.exe
2336	reg.exe
2336	reg.exe
2336	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4372	kyYEowww.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe
4372	kyYEowww.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 4372	2544	2395bd0420e2da5a0488879fbe9338b9.exe	91
PID 2544 wrote to memory of 4372	2544	2395bd0420e2da5a0488879fbe9338b9.exe	91
PID 2544 wrote to memory of 4372	2544	2395bd0420e2da5a0488879fbe9338b9.exe	91
PID 2544 wrote to memory of 4856	2544	reg.exe	93
PID 2544 wrote to memory of 4856	2544	reg.exe	93
PID 2544 wrote to memory of 4856	2544	reg.exe	93
PID 2544 wrote to memory of 3228	2544	reg.exe	1149
PID 2544 wrote to memory of 3228	2544	reg.exe	1149
PID 2544 wrote to memory of 3228	2544	reg.exe	1149
PID 3228 wrote to memory of 4984	3228	cscript.exe	433
PID 3228 wrote to memory of 4984	3228	cscript.exe	433
PID 3228 wrote to memory of 4984	3228	cscript.exe	433
PID 2544 wrote to memory of 3980	2544	reg.exe	1393
PID 2544 wrote to memory of 3980	2544	reg.exe	1393
PID 2544 wrote to memory of 3980	2544	reg.exe	1393
PID 2544 wrote to memory of 5028	2544	reg.exe	1392
PID 2544 wrote to memory of 5028	2544	reg.exe	1392
PID 2544 wrote to memory of 5028	2544	reg.exe	1392
PID 2544 wrote to memory of 4504	2544	reg.exe	1391
PID 2544 wrote to memory of 4504	2544	reg.exe	1391
PID 2544 wrote to memory of 4504	2544	reg.exe	1391
PID 4984 wrote to memory of 4300	4984	cmd.exe	1390
PID 4984 wrote to memory of 4300	4984	cmd.exe	1390
PID 4984 wrote to memory of 4300	4984	cmd.exe	1390
PID 4300 wrote to memory of 2668	4300	cmd.exe	1389
PID 4300 wrote to memory of 2668	4300	cmd.exe	1389
PID 4300 wrote to memory of 2668	4300	cmd.exe	1389
PID 4984 wrote to memory of 4836	4984	cmd.exe	1388
PID 4984 wrote to memory of 4836	4984	cmd.exe	1388
PID 4984 wrote to memory of 4836	4984	cmd.exe	1388
PID 4984 wrote to memory of 3324	4984	cmd.exe	1387
PID 4984 wrote to memory of 3324	4984	cmd.exe	1387
PID 4984 wrote to memory of 3324	4984	cmd.exe	1387
PID 4984 wrote to memory of 2100	4984	cmd.exe	1326
PID 4984 wrote to memory of 2100	4984	cmd.exe	1326
PID 4984 wrote to memory of 2100	4984	cmd.exe	1326
PID 4984 wrote to memory of 720	4984	cmd.exe	1386
PID 4984 wrote to memory of 720	4984	cmd.exe	1386
PID 4984 wrote to memory of 720	4984	cmd.exe	1386
PID 2668 wrote to memory of 3628	2668	2395bd0420e2da5a0488879fbe9338b9.exe	1164
PID 2668 wrote to memory of 3628	2668	2395bd0420e2da5a0488879fbe9338b9.exe	1164
PID 2668 wrote to memory of 3628	2668	2395bd0420e2da5a0488879fbe9338b9.exe	1164
PID 2668 wrote to memory of 4208	2668	2395bd0420e2da5a0488879fbe9338b9.exe	1382
PID 2668 wrote to memory of 4208	2668	2395bd0420e2da5a0488879fbe9338b9.exe	1382
PID 2668 wrote to memory of 4208	2668	2395bd0420e2da5a0488879fbe9338b9.exe	1382
PID 3628 wrote to memory of 3016	3628	Conhost.exe	1380
PID 3628 wrote to memory of 3016	3628	Conhost.exe	1380
PID 3628 wrote to memory of 3016	3628	Conhost.exe	1380
PID 2668 wrote to memory of 4364	2668	2395bd0420e2da5a0488879fbe9338b9.exe	1381
PID 2668 wrote to memory of 4364	2668	2395bd0420e2da5a0488879fbe9338b9.exe	1381
PID 2668 wrote to memory of 4364	2668	2395bd0420e2da5a0488879fbe9338b9.exe	1381
PID 2668 wrote to memory of 404	2668	2395bd0420e2da5a0488879fbe9338b9.exe	1378
PID 2668 wrote to memory of 404	2668	2395bd0420e2da5a0488879fbe9338b9.exe	1378
PID 2668 wrote to memory of 404	2668	2395bd0420e2da5a0488879fbe9338b9.exe	1378
PID 2668 wrote to memory of 3504	2668	2395bd0420e2da5a0488879fbe9338b9.exe	1377
PID 2668 wrote to memory of 3504	2668	2395bd0420e2da5a0488879fbe9338b9.exe	1377
PID 2668 wrote to memory of 3504	2668	2395bd0420e2da5a0488879fbe9338b9.exe	1377
PID 3016 wrote to memory of 5020	3016	2395bd0420e2da5a0488879fbe9338b9.exe	1374
PID 3016 wrote to memory of 5020	3016	2395bd0420e2da5a0488879fbe9338b9.exe	1374
PID 3016 wrote to memory of 5020	3016	2395bd0420e2da5a0488879fbe9338b9.exe	1374
PID 5020 wrote to memory of 1880	5020	cmd.exe	1372
PID 5020 wrote to memory of 1880	5020	cmd.exe	1372
PID 5020 wrote to memory of 1880	5020	cmd.exe	1372
PID 3504 wrote to memory of 4724	3504	cmd.exe	1053

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2395bd0420e2da5a0488879fbe9338b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2395bd0420e2da5a0488879fbe9338b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2395bd0420e2da5a0488879fbe9338b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2395bd0420e2da5a0488879fbe9338b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2395bd0420e2da5a0488879fbe9338b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2395bd0420e2da5a0488879fbe9338b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
"C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\TYokcEQg\kyYEowww.exe
  "C:\Users\Admin\TYokcEQg\kyYEowww.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4372
- C:\ProgramData\nGsEUkcE\UYIQwUYg.exe
  "C:\ProgramData\nGsEUkcE\UYIQwUYg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:3228
- - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
    C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
    3⤵
    PID:4984
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyQcAEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:4308

C:\ProgramData\ocgAMwYo\DuAUYYQM.exe
C:\ProgramData\ocgAMwYo\DuAUYYQM.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:3628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:4296
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:528
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:1468
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euwskEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
    3⤵
    PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMcAMUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
      4⤵
      PID:4120
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4504
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4724
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1328
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iioYcAsY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
    C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
    3⤵
    PID:460
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:532
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwcYUoYM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4548
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3008
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2904
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5000
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1908
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:940

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:2336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:2336
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:1344
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:5048
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2792
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:1372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4692
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcIYEcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:836
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Checks whether UAC is enabled
  - System policy modification
  PID:2144
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAEMMkQk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:536
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2620
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3656
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2700
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:4220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:3236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQccMcUM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:3608
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5000
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Adds Run key to start application
  - Modifies registry key
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:4840
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
      C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
      4⤵
      PID:3100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
        5⤵
        
        PID:4260
      - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
        
        C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
        6⤵
        
        PID:2628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4608
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:1592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2468
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
    C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
    3⤵
    PID:4988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWUoYIUs.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
      4⤵
      PID:5000
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4264

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:2220
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:1680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:4504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
    C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
    3⤵
    PID:636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
      4⤵
      PID:2296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SeMkoogg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyosMIMI.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1516
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      UAC bypass
      PID:1752
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:2372
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3628
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3868
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcMgAkQk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2884
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:728
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2268
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:996

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:1620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:3768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:664
- - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
    C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
    3⤵
    PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:3656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3664
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:3552
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4988
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:4260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOcYwAUA.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:1448
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1072
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4576
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:3040

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:5040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:4508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:5048
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
      C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
      4⤵
      PID:4576
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1516
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1228
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3656
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:536

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:4572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vSskIkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:2220
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:728

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:3860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
    C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
    3⤵
    PID:3028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:664
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4304

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:3552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUAQwcgc.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:808
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
    C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
    3⤵
    PID:4608
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4988
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4308
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIkkUooc.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
        7⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
        7⤵
        
        PID:544
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3748
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:4544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:4868
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:3980
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:4640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYgcUwAg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
    C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2376
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3464
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3008
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4520
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:2908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:5040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:3852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQcwgcUI.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:2272
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4340
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3464
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:1484

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:2288
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:1752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2120
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoYAggYM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:2144
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
      C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4528

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:3820
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:464
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4340
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUooIUgk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:3548
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:1144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:4584
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3608

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:2784
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:3952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3656
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:2528

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:1752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1596
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:3952
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqEoEogU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:3008
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3172
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1008
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4444
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:3864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4900
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:4664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:2908
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:4212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:5056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heQwQoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:728
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
    C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
    3⤵
    PID:3596
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3820
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      System policy modification
      PID:1072
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:2892
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGUsAssM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:4880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQooQAgY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1308
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4628
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
      4⤵
      PID:448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:1604
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:3500
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3596

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGIAYoUY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:2272
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4608
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4040
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:2784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:4432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcoocMAg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqIoQEsk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:720
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3324
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmIIIYck.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:4916
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4920
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2144
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4208
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:1400
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:3820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqMgowYM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:464
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3008
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1120
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2892

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmUcQAsY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egcwkwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
      C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
      4⤵
      PID:3696
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        Modifies visibility of file extensions in Explorer
        Checks whether UAC is enabled
        System policy modification
        
        PID:1604
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:3040
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2120
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3040
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSYMgcYw.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
    3⤵
    PID:3952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwwQwAYA.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
      4⤵
      PID:3820
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xikIAQYw.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
        5⤵
        
        PID:1120
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:4944
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3172
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:3820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOYAUEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
        6⤵
        
        PID:4580
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1020
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2620
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
        6⤵
        
        PID:2908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEYkUQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
        6⤵
        
        PID:1592
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:5056
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:5000
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
        6⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
        5⤵
        
        PID:1592
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
      4⤵
      PID:4264
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:4868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
    C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
    3⤵
    PID:4868

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:3484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKkYwsYU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:1596
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4944
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:408
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:920
  - - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
      C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
      4⤵
      PID:4664
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:4628
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1464
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3028
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:3528
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:4944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMwkoQAI.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:3664
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4880
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4476
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4508
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWAYkMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwMYQAgM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
    3⤵
    PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
      C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
      4⤵
      PID:3952
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:920
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2436
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4088
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4220
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3664
- - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
    C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
    3⤵
    PID:3392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
      C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
      4⤵
      PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKAgcIEs.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sskYkIAk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:4692
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1448
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4308
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiEQgYAg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:4504
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4648
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Checks whether UAC is enabled
    - System policy modification
    PID:2468
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:464
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4836
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:3020
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:1232
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Suspicious behavior: EnumeratesProcesses
    PID:728
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4516
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3860
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3544
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
      4⤵
      PID:3016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCUwYAck.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
        5⤵
        
        PID:3768
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:3860
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2188
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5020

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:4924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4116
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEcoMoAU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:808
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1308
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\haYQUcIY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSwockcM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:1904
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DycMUQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUEUQUMg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:1448
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4828
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3580
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cekQEAIM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4880
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2024

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MiAEgIEE.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:3656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYswQocU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:2940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- Blocklisted process makes network request
PID:2616

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcUwQkkw.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:464
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3160
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4604
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3496
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUkAcksk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiMMYQAg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:2220
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3356
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4040
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4116
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:4572
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQccIooU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:3580
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1904
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2880
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKIcEgAE.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:5040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roEMQEgI.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:4404
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwMkkAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:4576
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaYsYgEY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4264
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3484
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4828
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:808
  - - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
      C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
      4⤵
      PID:2784
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:5056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgowcMUc.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
      4⤵
      PID:2468
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3500
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGMgAkAc.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
        5⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sewoogAY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
        6⤵
        
        PID:3596
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4496
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:540
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
        6⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2372
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3716
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:4120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
        5⤵
        
        PID:4996
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIAQEMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:1604
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3392
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1592
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2144
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2628
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOsgoYYk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:4444
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4608
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:3608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsgEYUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4212
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XysYgYcs.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:4988
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3596
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2908
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAQgkIMU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGMsYcIg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
      4⤵
      PID:4088
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2436
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGMgscco.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
        5⤵
        
        PID:2468
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:4576
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1828
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:1152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
        5⤵
        
        PID:3664
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2032
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2852
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:4116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygcYYckA.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:3220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKgsosQM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYkcUUgE.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGUgEokM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:3552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eowUIgQA.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:4988
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2300
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2700
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4220
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  PID:3892
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3356
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIsIsokw.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
      4⤵
      PID:3356
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3100
    - - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
        
        C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
        5⤵
        
        PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
      4⤵
      PID:3768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwcIYUUk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
        5⤵
        
        PID:4088
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQgoUUYU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
        6⤵
        
        PID:2296
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1316
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4040
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2708
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:4716
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:2880
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:5000
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        UAC bypass
        
        PID:1448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:4264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSIAcoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaQwMUAk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Modifies registry key
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zaMsQssQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCYcYcUg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMMMwUsA.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIsQUgIg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:2336
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4576
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:1552
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:4120
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAYIkQIU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaEYsgwg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYYAYEoo.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
    3⤵
    - Checks whether UAC is enabled
    - System policy modification
    PID:4648
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:408
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4116
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1412
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:4260

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqgwsAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:4460
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1752
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:3528
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
    C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
    3⤵
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:3100
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:1720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3920
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:4088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4508

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:3768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIUoAoks.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:3544
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:528
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1800
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:2268

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imwgIQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSwckcgw.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1552
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- UAC bypass
PID:2768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCoMUwkM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
- Modifies visibility of file extensions in Explorer
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4460
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:4480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsEwUsEE.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:3464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- UAC bypass
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:720

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSEUcUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:3100
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  PID:3324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
  C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3016
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:4548

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECYcsIMU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
PID:2336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgQwkAsw.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:536
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4952
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3840
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:3920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGcsskYk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:3528
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3040
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3596
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYYMQgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:1344
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1608
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1232
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:3988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWEosQYs.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:2320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3868
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swQogAMA.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  PID:4068
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1800
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  - Suspicious behavior: EnumeratesProcesses
  PID:460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsUAcssc.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:856
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:720
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
    3⤵
    PID:3320
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1328
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSAAQgow.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
PID:1008
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:2784
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piEIccAU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
- Checks whether UAC is enabled
- System policy modification
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3596
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- UAC bypass
PID:3008

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:1464
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3324
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:2328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:996
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMsUYsMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
1⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
PID:2884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:536

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\assQoAok.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGsgcwsk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3504
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:404
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4364
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCUMMYgE.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
1⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:5016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2908

C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2668

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:4504

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1516

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- UAC bypass
PID:3172

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- UAC bypass
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
1020KB

MD5
afba4922f12866409477f39f927959d2

SHA1
fe1b32e9dc52b5a70c4c601955f4778c48f23212

SHA256
ae08308c07d22aa959c2acb0a8f605b3506c1c71913e7a25f46e8de933cb6837

SHA512
de810959ad7eefe5bf78019e7c0f03ae4864431d6d78188897c42f32cb8f566728ede2a7dd3934bffd12099d77e838cd4cb214846728574a2db8708a64b4a339

Download Submit
C:\ProgramData\nGsEUkcE\UYIQwUYg.exe

Filesize
433KB

MD5
2ef6c25adb4034631e1bb80bed6b9b09

SHA1
a828ee8b08df2c0b36790b73a2ef8b62be5262b6

SHA256
b3bf4f0256cfa0e9c5a5dc794108267ccbb7b046500461570bfbaf9130f3c63d

SHA512
d223485495a88b89b177b0570e77a361f0a8db84f8490716926fd5cd0f64d4d50e2e2f5544aa60c8f44bbfdc2c3f5a03d6e83dc2054a2dde43ccc32892c86fda

Download Submit
C:\ProgramData\nGsEUkcE\UYIQwUYg.exe

Filesize
98KB

MD5
a33eb62fc4ed553881c16fbf2c3aab17

SHA1
7d53000e63431bdc3d4812b362b07177c3da7cfc

SHA256
e122876722e7ea64fbcd086316231a3e77bb649ff6facd7950326e5787f59960

SHA512
b4311d1a43718204181e0379f27e8d54eae2e839f33fcf17562c1a375408abd95c7f2884af2b26cbe9de96b196f85e70f1cb3ab6047c668a4a0ffd5b50c88edd

Download Submit
C:\ProgramData\ocgAMwYo\DuAUYYQM.exe

Filesize
65KB

MD5
1a6143fdafd09a88a62e81718f405132

SHA1
bd829220ed1d9ad6a31f3b9ed32b75bee994294f

SHA256
0d09522ed1a311df90ae76a8eb5d28c2a642241ce4491738e4ed5a71f2cf96ff

SHA512
14b82fa1da687ec8ffb41b363d9e5f1aad944977bcfe5e1e47ad889c488d8128a12c3a85b8268eabc4a91a89941bb910c0de332dfafeb5c0d4e72c964f5ab35d

Download Submit
C:\ProgramData\ocgAMwYo\DuAUYYQM.exe

Filesize
92KB

MD5
0a2c7425ec521462a620f3bf7a79fd31

SHA1
3bf6dcab315ca2014c6e9eb85f93e140df7f71b6

SHA256
6741ac7ed5df7423a7a19314cf28ffb64c181c2066954f2a7bd7b031ef4a2286

SHA512
e8c8cdf08d10dd60b23c87e01e79a57e8133417be8c9bb88e5c7875ffc5ee118f93d77840a177b5d04eeecdeb4e5141fd4cfdef34e18b11d35644086cc811ca7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

Filesize
440KB

MD5
a2b9d78ee237462eed4d8c335ca5429a

SHA1
6f9c932dc27ffcf77dd4903cd7ef2fcce65dc1f3

SHA256
5e3bd8eed8141f21b4211a58da4877e44eba3bc933db195cc429fc869c10e717

SHA512
8833cab90baf9c484755bafdab87734f4fbb74670876127f404248ecc2900bc4f91a5643534832521c87933f7495d41335890f636045c0256ea0287d2957bf3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
438KB

MD5
906fe1e1dc0073775d254ba7a46fe55b

SHA1
f8f1dc5702564818510a5cbbb20bf25839b5529f

SHA256
69d77b1d28f43337f32d2d7f9bca5ac6261ae983aea034f71cbe026999984c38

SHA512
a3005a2d7cdea8f29a6cfa9c0f46c1abc5aeef427674edfb41b8d5732fc3767658274bae1f644b027fb3abb3387301d01fd44dbe74844762cc9ae0d9b6d7dcf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

Filesize
435KB

MD5
0d89230264d89d78d4cea806cde2885b

SHA1
f2377ac6b7781b13253888ae730a81f28dceb37c

SHA256
7ca747dae3a821405f1e9e98265a95221c3aa3eb0c026f08b75195b206137cbb

SHA512
938f5cfba6b06caa796681777284f33c249b32d5553dddb8321da46ccd5d04ff9c8d727de7cb20c27ba2618b11202fa93f4c934df4645efd71e112596242c511

Download Submit
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9

Filesize
48KB

MD5
5bbeef2274e18d8837659aff869d8f05

SHA1
203f71f7353bca2b6f6802acfe7c7f39c1be4a48

SHA256
f120cb4f7f7539412edf4e4c4fca3b5666e2dfb3196e8460584fd6c9a073265b

SHA512
72212cfdfd61b802f3dc0854223d975260392dd4e78b8bbe0ca8783ee6bc8c71bf35e45e971443cb86f7a361c485bcdc8c464c83d64e31253b1c56d34ccfab9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMYK.exe

Filesize
433KB

MD5
ca78a46840a5808bfed264af1f2514c0

SHA1
8529672b100af6afe8202a93c7a60ce68d77f4a0

SHA256
f1c794cb012e1d54e45ad1624bf5378bb2fc08da3d50ff2b2b21a72f62f1dd0b

SHA512
83ef292e52469d94bc309f7843bc17106e257b8bc7c77bfb3c54d0a0d8e6af8d870977fbc86577e452a4612f736348819ea26b9fb0db0007d900a164f4b6b731

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWAQ.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIgy.exe

Filesize
886KB

MD5
043d3b765f25e2b112f12af225e17692

SHA1
7416f3a3c5fe220b3011b113ddfd7e0cfdae9fde

SHA256
8855e900343a584bbff6433e861480aea37119f15ecfce104037e31cea6bb3fa

SHA512
247c89cdc0c9527068d6e8e77fb81d3c9c54a04d9c6b9c71f6978225d54d58fb3627fc45161a72c7e9518b5b70b81f18b261b6e9ae91eb0638e17ace962ef416

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkQY.exe

Filesize
5.5MB

MD5
d8ba4b614a234279461515ea76df265c

SHA1
cdae0e6431bacdbc6215cf7e5c6ce0f7ee93091d

SHA256
ebe5473b53c1ad145c2e18dab5757185c8f1cdcd7599b27d3133929f96be8f45

SHA512
b88a4089912ba9193d99bed3d973b0a3827c074cea3b622ccf06658d6e6626e7643c146c28d7bb9236260e0e5ea16f83ae6c9c2ae5a16fe8d1101552faf74d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIAO.exe

Filesize
1.0MB

MD5
e3a96da978fa60138d87c15d62470bfe

SHA1
2d606edd98254e75a0a8fd7a0dd65376fe7393ed

SHA256
fa6e6f801f59dbfc26522353bde6acd6de90932d9780ad72bbb8fe267166b249

SHA512
35168803b55cc4255ed117e7658a9fb0a1e505fbb2c5b6146c8aa7335c715fd83524826f28f00378273186fba1004ec292c8f5cffff9dc5de76639d93b839e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIIa.exe

Filesize
445KB

MD5
3b4e17e28571a2c91adf56e2ba78e276

SHA1
8fa1540544d91b9a6fa3603f441bce4adbb1e0d8

SHA256
292641afac54c21abdf148e23dc86fa2c7ac9e1831ef53711243cfd7d08fffa5

SHA512
3a60c8cec3faacca6a576d8704409f94ce26eaafddd676c9b3ca85960317901ebee7bfcc18b2f2bd05ad9d2113c17ec4d9b103b325c5b576ea20e6c90c6fab43

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMwG.exe

Filesize
436KB

MD5
5890607d2f7ca66201affd0cd8086613

SHA1
feb562198ae0c25272ce2fb1a4f873cbe14de5ed

SHA256
0a1d2ec9415ec16de7cfefb07d460a426dea5bf7339d8058e9eca875619ca8a8

SHA512
d1d19d25c28d28a2caedf19ef9dff036096555631a409e40e1470913b31533cac5015178406fe26906b5f38cc468a49903829d3de91f7ab37788ebfb837aac4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQoq.exe

Filesize
474KB

MD5
9c9be72612395bbffe41ad9f3d88d73c

SHA1
ff5119b9254dc706d4bb96ca81feaee4c5dc0bfc

SHA256
8d1631275dec6b5bb65a588c3b64d09d0da5dc266e962afce316fd684652c495

SHA512
45d417d0a9b30fc8492aa65fb8019d71f38dcc7e4b4bec432b9b3a86ee92ddcec8d78a5675945e7c4df7c80390aa726bd3c349a00684494766dc5541c687daba

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYEK.exe

Filesize
442KB

MD5
9a581aada835731bf9b3676b4cd3480d

SHA1
f8ba802c654213ff7e7b3ccd01ce2431d1ac06b4

SHA256
6b7c28ac058e1c2aa6dfa26483b566cd494343edef0fa40110ad5cb2153cf815

SHA512
e457b93f91d0fd967c148c7cc769eb3ac9ec9fd97699fda72ebc6f7601c34e45abb330304dd76a72e9e82e8c2dc1c5feac908eafcdd7e260fbe973083f010c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mswu.exe

Filesize
435KB

MD5
b97dfc3e1339aa54baeeb30a1cc3db90

SHA1
d28bba8642cb3319b5a960873b12d60f998118d7

SHA256
6867d066f0b995266d1e5f93b23fe0f781501a9e24090711f38beb1993571439

SHA512
549b1c7c21a0196f48c37a19671c32d4004adcfb5377b7a72084e444b7a46aca4a6d9bc1a0eb35d8c62b3d18e0a6fd3d22a4d5b95a2cd541d3c3587cbc2f66a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYok.exe

Filesize
438KB

MD5
be2dd275b871824b81b945d24876e17c

SHA1
a10c3c4001a7de647b8727304016069a5ff8623e

SHA256
6bd56d3a91941eac6b6cf42af4e978c8d5bfc0a1cabb45eb6e4184b17c2e2185

SHA512
7305b95a0870f96d39d0b7159a6fa16c18a308109133dd27ea1eb2411b719929f2597c219922edd7b0d85d5a0d04e2708ecd6eee369c889997dabcfda835539c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUkU.exe

Filesize
499KB

MD5
196b7ff22bc08ae47856ff3c18d6e7ab

SHA1
b94fbf7cf47156c1075f2cde8667bb5adbdb3d10

SHA256
83d54c041bf98b78f0d119e305e700728eb1c076dc9b49dd402f68f41b65e4e8

SHA512
6c21f06a1013ea26b6327b62487117b5b282ade55f4302c05c58a0fcd76f18b259c6e611bef490b9135fa0de9e26ba332c3a9b0b6f5ecd78a36c0627f74cea58

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcYi.exe

Filesize
443KB

MD5
f3deedfe54ac9c6fa2ee6b0e7b4bd790

SHA1
420264c8e9730000d2cf9b95e7247de7f193fd00

SHA256
0d0b20adce5e19f245f553ea6996ef9d3aad17cbbf12ed474dfcefcc659a8bf6

SHA512
b26626061a409b365459b0dc85bf658797cfdda88129d3ad0aae9cf509b9529172f78befcaa4877e7e942152720bf998b3cd343130825d38b2e34008ee0ddd67

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScUA.exe

Filesize
886KB

MD5
611bd9035422adccf681beff15f6e098

SHA1
81952571e32a62a51004fbf78bedbd2f13ed670c

SHA256
372159c1975d3b27ab374225ed1fa0b9eddff08a9c7c160afc00e23f3d446e7e

SHA512
accfc2cdae666a60eea18785b01a60881a61b6e85caf403dd1993732e0385a57f37cac2a048c8b9bc76b446491c111ff3ecef1ae80a69516a31d4b3f85c2f89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwQc.exe

Filesize
441KB

MD5
26b24f261db6325c67543f1481e6c0db

SHA1
6c64f5f7b1563c6954b467311ac98df7df361723

SHA256
b9ebc128aa225f2863d2105e23e81abb3f2b02d6f7d52f1a910cdbfcf18f4a56

SHA512
0ea9f146ddd2ef1b94426ba88a70d63b88d4ff1834be1e930d23c94963b8c500a8f8b9b75a2fd27839b23f6da3e22718c3f58af8601aa47b53ee02380b685e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAws.exe

Filesize
445KB

MD5
eeaccfa1193eb82480e23c056115862d

SHA1
0e28b1dfe639a7fcefda1e151dbfed602f08d725

SHA256
18c14300e1a59f5ad78dc8dc93f726991ad1f81f54c6a48a529d043a682424da

SHA512
027e016640e15682f6eae99b50645967d033af4fcbcf5ca1859815917d882ad840841d651d149b3721327636c42f49e138431edd68c8adadbb2ec44090fda121

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYcy.exe

Filesize
441KB

MD5
bdd637d264c521bbd59c89e5d1a00006

SHA1
d4e5be2e51c0ab7fc2e597b6aac584c63f5bef98

SHA256
88c2a8d11b55e268e9487b262c062d1aa450cecb947117549bcedcd4e4175b68

SHA512
a349f539c8c354c824ecb3a36bdb6fee7ef761ed5d9c3546029be94fbbe2abdc5d882812bb5de34656475b8353ae5d07a3f32ef1537ddd58b445706c212be73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUYi.exe

Filesize
435KB

MD5
5df81072709685c3be408ba249683479

SHA1
6d51dfea01002f66f7b5909b018c0a3fe3178027

SHA256
0e80898a35407adb1ddce95496b421ad00975971b3916e8a56471cbe103b294e

SHA512
1df8c7d0092ce80a5b537c9f73821fd80e9e9c45568b0b7d902ed3bf5e2f2e9bfec77e49edc15bfbef5749e615d6f6d2158bd00322d8780afba397504cd0803d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAwe.exe

Filesize
450KB

MD5
16ce72bf4821645fcd6a9b80ce48e676

SHA1
32c9a2acf791b6ffe4b5b7263144c448d94af426

SHA256
386afadef0b9c55e6d393bfd57a5f40a383cfaf556a9a2fe58c7e037cdd2dce9

SHA512
cecfbea05b7ab81dcfe524a5b2cfc4ef5cbcf1a2853e96408adcc9d4c42a5a83b90e8f1c5d415f9bc63fe7c6e0171750f802e67591206633fb7e53190a1581b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQwW.exe

Filesize
434KB

MD5
f56f38d2fbcb6970326d8990dc1bbedb

SHA1
90baf48c05dee0dd37037f4a30d447aba9d29d7c

SHA256
23c564ecf268c5b73b920ce3a4df25bdb687f420c26743875a2c790a46d23e99

SHA512
5bcad82338d02d5050e9df884e8c99316bf01cb2565f4379e26ad5811bcca17a5f13fb56910298cab0df19008d6ff7af55523bb775611f1f590cd3f29517a326

Download Submit
C:\Users\Admin\AppData\Local\Temp\accO.exe

Filesize
461KB

MD5
0c59c69afaa2b3bcc350425a4008ed46

SHA1
387e69019885872ce3c475efeebf35c42216f4d2

SHA256
e733a264b59f347946ab6dda0d41b7196fd206a1314357dda7911fa9278b400f

SHA512
8094c14632f14caab932f97719292938ced849c6da58f56b2c4c386eaa392a65ceba9e9c03b45ba0e4d9986477640dc3284a06de815f3c0702e32a8ee9615f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYMS.exe

Filesize
889KB

MD5
d67a66c3ca863715eae647d46434e5dd

SHA1
67731a4ac2af8214a9568287cb0f95e77ddebc13

SHA256
1f68c48b73afc5c16c307d504c7f14112113ca31554023271c0bd9bbe0728f3e

SHA512
b5e2b92cefc6481d924e606be94c34a50fa31dfc1fdc708a5eaa9836932c97640e4791c462dddf66217dc476f9168a6825412645e5afb68b7fc2eb44945a973b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqIoQEsk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\gooK.exe

Filesize
809KB

MD5
dd149bb89c85eb63f46b83b8c0f9506b

SHA1
e955f5b803e7a0952db4bcba6f5b7908f5f39f70

SHA256
d623a7df3f445107722231c54f6be73daab4bdb36da7b3185c63d86e035e333a

SHA512
2c555762dc90fb0c22a3b65ecfc6f4fd2d29aad8e40944803b3063083e184d792c2960a9542a025ce776a02fcb25824e3e0e47d196943a40a16595c4fef5288c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kssm.exe

Filesize
440KB

MD5
c5163fe9584d6dca6162e6e3f6254e51

SHA1
b5edf1226630fc256aa52e21b77b8cb2bdcc4d7c

SHA256
689532af087f4b203e7cd585a7ed28b6a2f4eee2b4c7e55d7d55be7ead4a2f1a

SHA512
4522bebf65eaffde0a1ec7dd1f3441b358319c6687ba6d72a8539ae23287a03ae6c6d2526278e70fb9123b860bee236c27df057c337ef885e829b80de9fd9883

Download Submit
C:\Users\Admin\AppData\Local\Temp\qskS.exe

Filesize
1.0MB

MD5
3a5d0d3167e52152dd62cda15d0bb553

SHA1
59500b455aad3bbeb5e4c19757df910c869db7da

SHA256
3e488e72dbc17fbc9300d24e4c83370349007a4fd733be439aad772edffcdde4

SHA512
3864b76f4fd4196c0307cdbb4b17c882b35b5d1bacf0f72efbed70cbdd6f8993d890d4c8b03c7716ab953bfba764d8991e1892083d16a7b483d732827f4d73a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcgi.exe

Filesize
1018KB

MD5
7d1811e2e97b76e3b9ff56a9437b96e5

SHA1
a035a2a45a9b10a24039c1461cc9d9afe958c48f

SHA256
2c18a403c26b08f86bcbebdeff5ac0225a30d793cad5474f35a98dc046f8ed17

SHA512
72b739731b0a05c56017fcd7f1675c4049be10198da922c7187077c9ad6e5b92713b28f9ed3e47c15e85e06470141f67f1b97af9b69dfa9a9e97402fe27f9d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEAu.exe

Filesize
436KB

MD5
e7579fe640ba97a260b3736a39c9a678

SHA1
a13cbf71d09718f1e29eebe4346f48440030bc5d

SHA256
a906038952b8034fc097db7cce963218668676af5890eb0ae71a36f7c8e58ec9

SHA512
9944fdb8b6e6149971a891a1bcb8313fe703f5ef305f8de4b4c59f55e35654c9710f11ffce03d1f366118c8b9b5ab6751f7cfa5cffa21a0878e64b5b6057db9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMEI.exe

Filesize
565KB

MD5
46d60f0b255cb6270dda9f823fba5647

SHA1
1230337cc7d052ccbe56d1de9c45ebfc5c31556b

SHA256
66ec7c61de4f6d62f096b5655934d61205a2cda74fe523cfb4c3298db5190806

SHA512
0b18534de8fdcc42583ba3517d9e4b3a49207306e059a8b8ecc119c0816ce9044f2cc73817e9c92564e5fa910ba63cc022f534d09eca67071bb8ee497d704a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywsS.exe

Filesize
874KB

MD5
ffa6ff4d010d10f478cc8ea248d7be97

SHA1
3fa04ec7e4b1544f7060957d9a9fb43ad54a0a6c

SHA256
ad7fa4feb797dbdcd1cdc25b9b19ce5c72d2c7b43e1a03197e31070f4122dcc3

SHA512
285a5409daf5722f49c744954ab10ebaaa0ab15e51be227c212470f551b4c42175263b4fad42e7d9c72b0f0860630e66246ce48dcf2225bfa07a79a4a56b44b6

Download Submit
C:\Users\Admin\TYokcEQg\kyYEowww.exe

Filesize
432KB

MD5
1e864b04eec2bfd8d1c2e766e2ad0417

SHA1
a7bf1a09b513cfcb2ff7faa7aeaf981db55b187c

SHA256
e1a70e77539c27fbf2253e20cd0d7336157c1e5fa21201eefd6c3704bd4606b0

SHA512
5a08ea477850d30ac397263bf8d32a6d6aebc8adf0ff51b8236f741e4e653555f1cdc35b6d93c741ee924757ff300a01fbbe618cdd5b7d2de67843a51cba9a29

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
6.1MB

MD5
02675480c13b31d24c8ccd7aa3ba7df9

SHA1
0d1639f9327526807c2ad2a9f79dea77f998ad26

SHA256
0afbd34590498ebdc6723a88efbf376555e22e086ea2ee13544ea9404c50e175

SHA512
1bfc4031a13e4d099c8563ef3ebcbac896e5f7938a45e1479f58f0af115956a10c6b49bc76b1c8fc5c453ca13ddb2f064a21966b896c344b6d6e6852a8b0f255

Download Submit
memory/408-117-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/408-127-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/460-143-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/460-131-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/528-79-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/528-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/636-308-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/636-87-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/636-321-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/636-104-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/728-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/728-91-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/916-263-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/916-276-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/996-175-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/996-191-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1008-253-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1008-267-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1464-272-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1464-285-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1720-229-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1720-245-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1880-50-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1880-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2164-317-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2164-330-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2336-187-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2336-203-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2336-155-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2336-139-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2544-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2544-214-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2544-99-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2668-28-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2668-41-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2884-163-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2884-179-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3016-40-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3016-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3028-116-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3028-103-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3168-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3168-129-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3172-151-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3172-167-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3324-294-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3324-281-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3596-299-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3596-312-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3840-303-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3840-290-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4088-218-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4088-199-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4364-326-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4372-115-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4372-8-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4608-257-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4608-241-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4856-130-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4856-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4984-31-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4984-21-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5048-213-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5048-233-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download