9f295a560a6f6bbcb879b4b82f21be49a9999d225b5b4590cae813e7deec4a0a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2024 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ce596544d6f2d45726a9266aafdf3eb.exe
Size

488KB
MD5

1ce596544d6f2d45726a9266aafdf3eb
SHA1

96b6e49c6623f1a9c7f88abb1d932a411f39057f
SHA256

9f295a560a6f6bbcb879b4b82f21be49a9999d225b5b4590cae813e7deec4a0a
SHA512

f7a2a8b2401cfb77acfa529b34aa3b6f719f9133659fbb4e8ed33cfc4a554cf8548a62681401f221a7544bb8e695dd8d673b78623259cf1f670deb5bf16e4715
SSDEEP

12288:aek47H03da/B2XOOqo6CC0ZFVxSozcpGh8gtIiyNHs:aP4g3k2XO7CPzxBcc8g

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1ce596544d6f2d45726a9266aafdf3eb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1ce596544d6f2d45726a9266aafdf3eb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1ce596544d6f2d45726a9266aafdf3eb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	sihclient.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ce596544d6f2d45726a9266aafdf3eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ce596544d6f2d45726a9266aafdf3eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	DllHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ce596544d6f2d45726a9266aafdf3eb.exe

Renames multiple (55) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	pGEAEkoI.exe

Executes dropped EXE 3 IoCs

pid	Process
1496	GgkgYEQc.exe
896	pGEAEkoI.exe
1064	ikIQIswo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GgkgYEQc.exe = "C:\\Users\\Admin\\nAYIgoUw\\GgkgYEQc.exe"	1ce596544d6f2d45726a9266aafdf3eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pGEAEkoI.exe = "C:\\ProgramData\\gEIAwgUs\\pGEAEkoI.exe"	1ce596544d6f2d45726a9266aafdf3eb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GgkgYEQc.exe = "C:\\Users\\Admin\\nAYIgoUw\\GgkgYEQc.exe"	GgkgYEQc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pGEAEkoI.exe = "C:\\ProgramData\\gEIAwgUs\\pGEAEkoI.exe"	pGEAEkoI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pGEAEkoI.exe = "C:\\ProgramData\\gEIAwgUs\\pGEAEkoI.exe"	ikIQIswo.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ce596544d6f2d45726a9266aafdf3eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1ce596544d6f2d45726a9266aafdf3eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ce596544d6f2d45726a9266aafdf3eb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1ce596544d6f2d45726a9266aafdf3eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ce596544d6f2d45726a9266aafdf3eb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1ce596544d6f2d45726a9266aafdf3eb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\nAYIgoUw	ikIQIswo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\nAYIgoUw\GgkgYEQc	ikIQIswo.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	pGEAEkoI.exe
File opened for modification	C:\Windows\SysWOW64\sheReceiveResume.zip	pGEAEkoI.exe
File opened for modification	C:\Windows\SysWOW64\sheSelectRename.gif	pGEAEkoI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4112	reg.exe
1676	reg.exe
3924	reg.exe
1216	reg.exe
3992	reg.exe
1832	reg.exe
3236	reg.exe
1800	reg.exe
4800	reg.exe
4052	reg.exe
2224	reg.exe
1332	reg.exe
920	reg.exe
760	reg.exe
3244	reg.exe
4984	reg.exe
3532	reg.exe
1336	reg.exe
5112	reg.exe
1916	reg.exe
440	reg.exe
4600	reg.exe
3632	reg.exe
4052	reg.exe
1084	reg.exe
3232	reg.exe
3572	reg.exe
4400	reg.exe
3720	reg.exe
4588	reg.exe
3212	reg.exe
3236	reg.exe
648	reg.exe
1504	reg.exe
2380	reg.exe
336	reg.exe
3004	reg.exe
3152	reg.exe
5028	reg.exe
5112	reg.exe
648	reg.exe
4500	reg.exe
2168	reg.exe
2144	reg.exe
3424	reg.exe
628	reg.exe
4932	reg.exe
1560	reg.exe
1876	reg.exe
2616	reg.exe
2236	reg.exe
3680	reg.exe
3572	reg.exe
3152	reg.exe
3572	reg.exe
3292	reg.exe
3844	reg.exe
4572	reg.exe
2844	reg.exe
3440	reg.exe
3728	reg.exe
3172	reg.exe
3408	reg.exe
4056	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1208	1ce596544d6f2d45726a9266aafdf3eb.exe
1208	1ce596544d6f2d45726a9266aafdf3eb.exe
1208	1ce596544d6f2d45726a9266aafdf3eb.exe
1208	1ce596544d6f2d45726a9266aafdf3eb.exe
1336	1ce596544d6f2d45726a9266aafdf3eb.exe
1336	1ce596544d6f2d45726a9266aafdf3eb.exe
1336	1ce596544d6f2d45726a9266aafdf3eb.exe
1336	1ce596544d6f2d45726a9266aafdf3eb.exe
840	1ce596544d6f2d45726a9266aafdf3eb.exe
840	1ce596544d6f2d45726a9266aafdf3eb.exe
840	1ce596544d6f2d45726a9266aafdf3eb.exe
840	1ce596544d6f2d45726a9266aafdf3eb.exe
3468	1ce596544d6f2d45726a9266aafdf3eb.exe
3468	1ce596544d6f2d45726a9266aafdf3eb.exe
3468	1ce596544d6f2d45726a9266aafdf3eb.exe
3468	1ce596544d6f2d45726a9266aafdf3eb.exe
1828	1ce596544d6f2d45726a9266aafdf3eb.exe
1828	1ce596544d6f2d45726a9266aafdf3eb.exe
1828	1ce596544d6f2d45726a9266aafdf3eb.exe
1828	1ce596544d6f2d45726a9266aafdf3eb.exe
2240	1ce596544d6f2d45726a9266aafdf3eb.exe
2240	1ce596544d6f2d45726a9266aafdf3eb.exe
2240	1ce596544d6f2d45726a9266aafdf3eb.exe
2240	1ce596544d6f2d45726a9266aafdf3eb.exe
1332	1ce596544d6f2d45726a9266aafdf3eb.exe
1332	1ce596544d6f2d45726a9266aafdf3eb.exe
1332	1ce596544d6f2d45726a9266aafdf3eb.exe
1332	1ce596544d6f2d45726a9266aafdf3eb.exe
4924	1ce596544d6f2d45726a9266aafdf3eb.exe
4924	1ce596544d6f2d45726a9266aafdf3eb.exe
4924	1ce596544d6f2d45726a9266aafdf3eb.exe
4924	1ce596544d6f2d45726a9266aafdf3eb.exe
1456	1ce596544d6f2d45726a9266aafdf3eb.exe
1456	1ce596544d6f2d45726a9266aafdf3eb.exe
1456	1ce596544d6f2d45726a9266aafdf3eb.exe
1456	1ce596544d6f2d45726a9266aafdf3eb.exe
3212	reg.exe
3212	reg.exe
3212	reg.exe
3212	reg.exe
4628	cmd.exe
4628	cmd.exe
4628	cmd.exe
4628	cmd.exe
1688	1ce596544d6f2d45726a9266aafdf3eb.exe
1688	1ce596544d6f2d45726a9266aafdf3eb.exe
1688	1ce596544d6f2d45726a9266aafdf3eb.exe
1688	1ce596544d6f2d45726a9266aafdf3eb.exe
4124	reg.exe
4124	reg.exe
4124	reg.exe
4124	reg.exe
792	cmd.exe
792	cmd.exe
792	cmd.exe
792	cmd.exe
4324	Conhost.exe
4324	Conhost.exe
4324	Conhost.exe
4324	Conhost.exe
1084	reg.exe
1084	reg.exe
1084	reg.exe
1084	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
896	pGEAEkoI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe
896	pGEAEkoI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1496	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	90
PID 1208 wrote to memory of 1496	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	90
PID 1208 wrote to memory of 1496	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	90
PID 1208 wrote to memory of 896	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	91
PID 1208 wrote to memory of 896	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	91
PID 1208 wrote to memory of 896	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	91
PID 1208 wrote to memory of 2392	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	93
PID 1208 wrote to memory of 2392	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	93
PID 1208 wrote to memory of 2392	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	93
PID 1208 wrote to memory of 5060	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	95
PID 1208 wrote to memory of 5060	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	95
PID 1208 wrote to memory of 5060	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	95
PID 1208 wrote to memory of 1832	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	96
PID 1208 wrote to memory of 1832	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	96
PID 1208 wrote to memory of 1832	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	96
PID 1208 wrote to memory of 4436	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	99
PID 1208 wrote to memory of 4436	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	99
PID 1208 wrote to memory of 4436	1208	1ce596544d6f2d45726a9266aafdf3eb.exe	99
PID 2392 wrote to memory of 1336	2392	cmd.exe	101
PID 2392 wrote to memory of 1336	2392	cmd.exe	101
PID 2392 wrote to memory of 1336	2392	cmd.exe	101
PID 1336 wrote to memory of 3440	1336	1ce596544d6f2d45726a9266aafdf3eb.exe	102
PID 1336 wrote to memory of 3440	1336	1ce596544d6f2d45726a9266aafdf3eb.exe	102
PID 1336 wrote to memory of 3440	1336	1ce596544d6f2d45726a9266aafdf3eb.exe	102
PID 1336 wrote to memory of 1332	1336	1ce596544d6f2d45726a9266aafdf3eb.exe	108
PID 1336 wrote to memory of 1332	1336	1ce596544d6f2d45726a9266aafdf3eb.exe	108
PID 1336 wrote to memory of 1332	1336	1ce596544d6f2d45726a9266aafdf3eb.exe	108
PID 1336 wrote to memory of 2616	1336	1ce596544d6f2d45726a9266aafdf3eb.exe	104
PID 1336 wrote to memory of 2616	1336	1ce596544d6f2d45726a9266aafdf3eb.exe	104
PID 1336 wrote to memory of 2616	1336	1ce596544d6f2d45726a9266aafdf3eb.exe	104
PID 1336 wrote to memory of 2464	1336	1ce596544d6f2d45726a9266aafdf3eb.exe	107
PID 1336 wrote to memory of 2464	1336	1ce596544d6f2d45726a9266aafdf3eb.exe	107
PID 1336 wrote to memory of 2464	1336	1ce596544d6f2d45726a9266aafdf3eb.exe	107
PID 1336 wrote to memory of 3744	1336	1ce596544d6f2d45726a9266aafdf3eb.exe	106
PID 1336 wrote to memory of 3744	1336	1ce596544d6f2d45726a9266aafdf3eb.exe	106
PID 1336 wrote to memory of 3744	1336	1ce596544d6f2d45726a9266aafdf3eb.exe	106
PID 3440 wrote to memory of 840	3440	cmd.exe	112
PID 3440 wrote to memory of 840	3440	cmd.exe	112
PID 3440 wrote to memory of 840	3440	cmd.exe	112
PID 840 wrote to memory of 2624	840	1ce596544d6f2d45726a9266aafdf3eb.exe	113
PID 840 wrote to memory of 2624	840	1ce596544d6f2d45726a9266aafdf3eb.exe	113
PID 840 wrote to memory of 2624	840	1ce596544d6f2d45726a9266aafdf3eb.exe	113
PID 840 wrote to memory of 2844	840	1ce596544d6f2d45726a9266aafdf3eb.exe	119
PID 840 wrote to memory of 2844	840	1ce596544d6f2d45726a9266aafdf3eb.exe	119
PID 840 wrote to memory of 2844	840	1ce596544d6f2d45726a9266aafdf3eb.exe	119
PID 840 wrote to memory of 5112	840	1ce596544d6f2d45726a9266aafdf3eb.exe	118
PID 840 wrote to memory of 5112	840	1ce596544d6f2d45726a9266aafdf3eb.exe	118
PID 840 wrote to memory of 5112	840	1ce596544d6f2d45726a9266aafdf3eb.exe	118
PID 840 wrote to memory of 3712	840	1ce596544d6f2d45726a9266aafdf3eb.exe	117
PID 840 wrote to memory of 3712	840	1ce596544d6f2d45726a9266aafdf3eb.exe	117
PID 840 wrote to memory of 3712	840	1ce596544d6f2d45726a9266aafdf3eb.exe	117
PID 2624 wrote to memory of 3468	2624	cmd.exe	115
PID 2624 wrote to memory of 3468	2624	cmd.exe	115
PID 2624 wrote to memory of 3468	2624	cmd.exe	115
PID 840 wrote to memory of 2868	840	1ce596544d6f2d45726a9266aafdf3eb.exe	116
PID 840 wrote to memory of 2868	840	1ce596544d6f2d45726a9266aafdf3eb.exe	116
PID 840 wrote to memory of 2868	840	1ce596544d6f2d45726a9266aafdf3eb.exe	116
PID 3468 wrote to memory of 4632	3468	1ce596544d6f2d45726a9266aafdf3eb.exe	124
PID 3468 wrote to memory of 4632	3468	1ce596544d6f2d45726a9266aafdf3eb.exe	124
PID 3468 wrote to memory of 4632	3468	1ce596544d6f2d45726a9266aafdf3eb.exe	124
PID 3468 wrote to memory of 4444	3468	1ce596544d6f2d45726a9266aafdf3eb.exe	133
PID 3468 wrote to memory of 4444	3468	1ce596544d6f2d45726a9266aafdf3eb.exe	133
PID 3468 wrote to memory of 4444	3468	1ce596544d6f2d45726a9266aafdf3eb.exe	133
PID 3468 wrote to memory of 2480	3468	1ce596544d6f2d45726a9266aafdf3eb.exe	128

System policy modification 1 TTPs 20 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ce596544d6f2d45726a9266aafdf3eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1ce596544d6f2d45726a9266aafdf3eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ce596544d6f2d45726a9266aafdf3eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1ce596544d6f2d45726a9266aafdf3eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ce596544d6f2d45726a9266aafdf3eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1ce596544d6f2d45726a9266aafdf3eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
"C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\nAYIgoUw\GgkgYEQc.exe
  "C:\Users\Admin\nAYIgoUw\GgkgYEQc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1496
- C:\ProgramData\gEIAwgUs\pGEAEkoI.exe
  "C:\ProgramData\gEIAwgUs\pGEAEkoI.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
    C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        8⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        10⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        12⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        14⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQYMUcws.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        14⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moMocAMg.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        12⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWAQIUAs.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        10⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:4900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcAoIIgA.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        8⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUYokAco.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        6⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4860
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3712
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:5112
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2844
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuUYMkkw.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
      4⤵
      PID:3744
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2972
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2464
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:1332
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5060
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1832
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKkkkEkc.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
  2⤵
  PID:2304

C:\ProgramData\vMQAgkUY\ikIQIswo.exe
C:\ProgramData\vMQAgkUY\ikIQIswo.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IswgkMcE.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
1⤵
PID:3760
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1832
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3408

C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyQYsgQU.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4648
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
    C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
    3⤵
    PID:4324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
      4⤵
      PID:4388
    - - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        5⤵
        
        PID:1084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        6⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        7⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        8⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        9⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        10⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        11⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xckowEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        12⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        12⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        13⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        14⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        15⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQUgkQQg.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        16⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:4904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKMogQAU.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        14⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:4032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        UAC bypass
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkIAMYwY.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        10⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiEkYwkE.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        8⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:312
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1556
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        7⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        8⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        9⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        10⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        11⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        12⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        13⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUAgsQAI.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        14⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGYAwcUU.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        12⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        13⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOUsUcks.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        14⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        14⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies registry key
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcEwwcUM.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        10⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkcAcggY.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        8⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1436
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:3004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQMwYMgo.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        6⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:5112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUEEEEAU.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
      4⤵
      PID:4532
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1868
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3540
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1916
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:5028
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1060
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
  2⤵
  PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
1⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
1⤵
PID:3212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
  2⤵
  PID:3372
- - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
    C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
    3⤵
    PID:4628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
      4⤵
      PID:336
    - - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        6⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        7⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        8⤵
        
        PID:1808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        9⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWEQgskg.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        10⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        10⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcQIYwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        8⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        9⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        10⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        11⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        12⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        13⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEIQgEwE.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        14⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        14⤵
        
        PID:3236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccUUYAko.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        12⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYAkgcUA.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        10⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:4508
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psoIIAQk.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        6⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4728
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:3632
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3292
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsggQksA.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
      4⤵
      PID:5076
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:752
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4060
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3212
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4940
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1428
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4328
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgAIYwwQ.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
  2⤵
  PID:220
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3320
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4772
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2844

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv F5xJH4CoAUeREmfirkWgng.0.2
1⤵
- Modifies visibility of file extensions in Explorer
PID:3764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
1⤵
PID:1832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
  2⤵
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
    C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
    3⤵
    PID:4864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
      4⤵
      PID:5000
    - - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        5⤵
        
        PID:5068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        6⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        7⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        8⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        9⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOsEYAko.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        10⤵
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        10⤵
        
        PID:1988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGYUsEUk.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        8⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:3408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiocwoIc.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:792
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4824
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:880
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqsgIQYg.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
      4⤵
      PID:1876
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
1⤵
PID:4980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uowAMYwg.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
  2⤵
  PID:5020
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:648
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3708
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
  2⤵
  PID:4972
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3572
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1504
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4864

C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
1⤵
PID:4592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
  2⤵
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
    C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
    3⤵
    PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
      4⤵
      PID:1972
    - - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        5⤵
        
        PID:4728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkgYMQsM.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        6⤵
        
        PID:1252
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:220
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1008
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        6⤵
        
        PID:1592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUoYcIwM.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
      4⤵
      PID:1084
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3548
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2464
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4620
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcIkYocE.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
  2⤵
  PID:3760
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3152
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3416
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:464
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2144
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcsQQAAw.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
1⤵
PID:3548
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
1⤵
PID:1080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
  2⤵
  PID:4588
- - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
    C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
    3⤵
    PID:4984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcAUMYEg.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:5112
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1676
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:3440
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkEswgsA.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
  2⤵
  PID:5032
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
1⤵
PID:4444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
  2⤵
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
    C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:3348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
      4⤵
      PID:1444
    - - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        5⤵
        
        PID:4632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KowkUMAk.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        6⤵
        
        PID:1472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loEEUYwA.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
      4⤵
      PID:4572
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:3152
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2272
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3704
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQUsMgko.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
  2⤵
  PID:4140
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4940
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3572
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1228
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYsgAAog.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
1⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4400

C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
1⤵
PID:4060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
    C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
    3⤵
    PID:3632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
      4⤵
      PID:2624
    - - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        5⤵
        
        PID:1760
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKAUAgwM.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        6⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4764
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:844
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1676
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:3720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auwUMsws.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1228
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1080
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:1832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYswIsoU.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        6⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        7⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        8⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        9⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        11⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        12⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        13⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukkgckMc.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        14⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        14⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWQkQgsU.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        12⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwIgcocA.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        10⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        UAC bypass
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        UAC bypass
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\geEEUoEc.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        8⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        UAC bypass
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3424
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:5104
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:5024
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:4052
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4612
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOsMcgAw.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3360
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2864
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3548
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
1⤵
PID:2844
- C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
  C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
  2⤵
  PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIYwUcAc.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
    3⤵
    PID:5104
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4304
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3924
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:760
  - - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
      C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
      4⤵
      PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
    3⤵
    PID:1292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4632
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2344
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4588
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
  2⤵
  PID:2740
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1876
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3292
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
  2⤵
  PID:848

C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
1⤵
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
  2⤵
  PID:648
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4952
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4124
- - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
    C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
    3⤵
    PID:1916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
      4⤵
      PID:2152
    - - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        5⤵
        
        PID:2472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        6⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        7⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        8⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        9⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pygAQwkk.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        10⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:2168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwgoUsgw.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        8⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:3212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fowUIAMw.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        6⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2360
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Suspicious behavior: EnumeratesProcesses
        
        PID:4124
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4592
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\towYkAck.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
      4⤵
      PID:3252
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4500
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:2876
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3816
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAgoAEEE.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
  2⤵
  PID:3992
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1808
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4600
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1752
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:440
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
1⤵
PID:1096

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe bc981cd8219dd3cfe349f283ce540b7d F5xJH4CoAUeREmfirkWgng.0.1.0.0.0
1⤵
PID:3960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
1⤵
PID:920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:220

C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
1⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
1⤵
PID:1352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
1⤵
PID:3028
- C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
  C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
    3⤵
    PID:4620
  - - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
      C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
      4⤵
      PID:1220
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        5⤵
        
        PID:4592
      - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        6⤵
        
        PID:3216
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2844
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4612
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEEkgwII.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        5⤵
        
        PID:920
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:3360
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSkQMwwM.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:2344
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2140
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:1432
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3236
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      UAC bypass
      PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugcQUUUg.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
1⤵
PID:4764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4864
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:868
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1276
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
    3⤵
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
      C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
      4⤵
      PID:1208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        5⤵
        
        PID:464
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1916
      - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        6⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        7⤵
        
        PID:2904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        8⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        9⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        10⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        11⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        UAC bypass
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYcEMogw.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        11⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        Modifies registry key
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        Modifies registry key
        Suspicious behavior: EnumeratesProcesses
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buUAUgQE.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        9⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcMQkYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        7⤵
        
        PID:2480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:2140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies registry key
        
        PID:3532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgsMAIAc.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        5⤵
        
        PID:1992
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:3464
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:1800
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1352
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toYcoEoo.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2732
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3504
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      System policy modification
      PID:2168
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:1252
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3316
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3680
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4800
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1216
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3292
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
1⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
1⤵
PID:3524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Modifies registry key
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1472

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:416

C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
1⤵
PID:5032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
  2⤵
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
    C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsQgQoMI.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
  2⤵
  PID:1008
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:848
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3360
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1808
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4856
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
1⤵
PID:1172
- C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
  C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
  2⤵
  PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
    3⤵
    PID:3628
  - - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
      C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
      4⤵
      PID:3668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3532
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3200
      - C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        6⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb"
        7⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb
        8⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        
        PID:1396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AowkoEUE.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        7⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoQUYswg.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
        5⤵
        
        PID:3680
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        UAC bypass
        
        PID:3924
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:2360
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:628
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4052
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIIYkUYc.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1472
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2728
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:3232
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bykcIMAI.bat" "C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:868
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3560

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4772

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1436

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- UAC bypass
PID:3680

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gEIAwgUs\pGEAEkoI.exe

Filesize
170KB

MD5
efeb2de63fdd495f0e7e9d399502089c

SHA1
0c65d58fa4428ad70d4848ee212a6659e27a6b91

SHA256
1938ff19809037f72a10f2c95c35db07afdd55d9362d66158a4e3e783d92b162

SHA512
baab04d9263582f5c4c957f0815a624f8172b92d44bfac511fc38a071261f92df879e59218d22b0b7a3c8aca2af4756c49d082081de2b6c5d4940ef54699bdc7

Download Submit
C:\ProgramData\gEIAwgUs\pGEAEkoI.exe

Filesize
297KB

MD5
6efe2e8e5aee9f8322f3f46e13e7b6c5

SHA1
a20e8e720b932bca0d93b2ebc8f1750a0f1926b5

SHA256
4c303901296928f775c546f18e5092cdd1cf4865e98bb0ca37147e2d329ccbc1

SHA512
edf26c41775abfa4f5a9a43721f2d4697e581bf85338420b503b80b4d5eb4ac4d31cea83b5ead9ec3f1adc12692ef1389868eefe2bbbf05c4d32a556fde1aea5

Download Submit
C:\ProgramData\vMQAgkUY\ikIQIswo.exe

Filesize
128KB

MD5
a4cc5b8419d7d15c7ca0c5b65b33b508

SHA1
258e3f77c2b87e589c2b042a20dcd914a7770f3d

SHA256
560c5bbd60d1825c6e928369efece2100d2da51bfc7f71fa721bf90ec42eb29f

SHA512
c72c0ee5406811944a76da2160a4d8d376b93f81ff4cfa7879dc474b8e9c6b14c79c8c887a557461d46dd7d6552c0a824ea526ffe6f75da730ef639958501615

Download Submit
C:\ProgramData\vMQAgkUY\ikIQIswo.exe

Filesize
82KB

MD5
254b484d3f3c270b1b06838051c514c2

SHA1
50e2bf236594a7abb18f4cbe8f15ad21c11e5f4a

SHA256
f82b275b08aad035217a30a083948d7d7e5910f35f63822abfaebfe508fdd160

SHA512
eafe380d53f1ee50f17a3bda57c75bf494805b86cf25466d509d06d23b43d96d05b124e7a4d05ea55c7d80eb8f70dc5d9f43d42026247466aa8171a26455ac0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ce596544d6f2d45726a9266aafdf3eb

Filesize
48KB

MD5
35cbde129d22ad6080dc8fed0fd3e185

SHA1
e29871c61fe34d7159cf12daa543e1679f3ef63a

SHA256
eaed558d6439df7f6172277ad993c778b631aa73ffce8cd9619b525ff92a2265

SHA512
009e3a9714454ae0b0ea87d391dd42583a390ce74d249a0421318dfa8af27e98d4cfc625f1923304a177a6824210c687f522082783c9920beeba3ab078ae2f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aokm.exe

Filesize
211KB

MD5
9b9cb85ced1bda426185f17ac5972fad

SHA1
12b96de566a8fdd68b52a5856e2ded347e92a908

SHA256
5b29293ae7a5881b65da5d65ebf6ae132e223aa7e97dc270cea124a2919793ad

SHA512
e2d0bcf7263aa1b8907b36fa814be6636c69e5b2b3409b1236c945018ca3f8997ffeb1580961e121cabcb38d5d4a1199d939c4e51becdd4669c9485a6c1e7605

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsUM.exe

Filesize
209KB

MD5
b0bd721c984fea30315c09931c4bf557

SHA1
0d6972ca1569d63999de771ae2db9ca89a0ae5cb

SHA256
c7191e0f92bf07b30f91e80859456d53604506ce2de932dc5d0c319809cf3590

SHA512
a40db357e4d527841058884d1a8f559da5e0c4a4e11d73700686a806d03bb13a453398b7b4378e218196c7b98e5acac0e1b1b96a0c8efbf5c9bb5f2733c7d370

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwcM.exe

Filesize
479KB

MD5
4c20f5412fb6996f24df564c2700e2e9

SHA1
0f54dbac8b86208e819a579685c034748c93dd74

SHA256
9bd1f27d7e0d8c838e3669e291dcf8a6dbdc3663584ab66f9bdf11ce4a4dadaa

SHA512
9e57b57dc95f053cbff55d88453eb8f2b2ca91763f33a7a622b8acc7cbfec58eaf7d4cd974ac459f87f7bd8d2d99e22de4498d1aab10e87f047a7c0970c57668

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYsw.exe

Filesize
289KB

MD5
c1e72f001aaf2511cbf6665254f40e46

SHA1
3485d9623f245eb61812f06c93c357bdded76841

SHA256
c067fa51e351b6de95dc5d2a5211dd009bd7bb510b9101e190dcb7d0009a1416

SHA512
7e67e0b56549e8b361e41596233f879b7e9554dd480de866cbf4fbd9c1ff26478cfbd361096fc77c3eac61c0302d65dd5497a30edf59a959f103169e0099cdfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkUC.exe

Filesize
509KB

MD5
026018e632cdbd03c18615d6dbf091a4

SHA1
32d576c2c26a432252adafe5f3532b2642aaaff5

SHA256
2e42a10b5d1189712f6cc908e3c6a326d2439484ff102adc5509428d617f4e26

SHA512
801c62cdcb85c1f07c8d1717057ea376e3f8dd525ee3af492cb6000647b51b1f20429dfefedfedade98d1a3f15e2807199049c356219a6887c874885d8091447

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQUw.exe

Filesize
282KB

MD5
498b64c207d319927f097e9383b4cadf

SHA1
5d096e596abb7d0dff53a7b90f1f56ce101002a1

SHA256
4d75b53cdc5a4281c1833978f6e384b37ab0f8a6bc759d209af46f448836fdf3

SHA512
9d3627cf1fdd6c2bf9965061dd89f011d9152fd48d2fa0203992d923b1a044bc546e2d92528364d4c9270abd4c5bdc679b9dc825d4b5ccbc19204417ee4213bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQAm.exe

Filesize
234KB

MD5
221095a30d4e20fd9e662164695d5a1d

SHA1
ac05138a0e730c677b43eeb8343a8609d03fb924

SHA256
43037b5880731b8de3081ee81f2f3db894bd442af25adef18f8ec7056296b700

SHA512
e7641fa01de535d670313ef93a02901e3b9b94a402332f05252c23a0d072b46f3e45e6a4043ae17528be8e6c70f0ec5d7883be00a67f7de5a4a37537dc1ca85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcQs.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgYs.exe

Filesize
354KB

MD5
183031ce1e1f362a6e538184704f1bf6

SHA1
aacf4613eeddca1fb03db53a01b3b44f2d44bbad

SHA256
baba9c5e620a2e5f83ba47b74e7a07ca1eda03dd24cb94e5447d3f698862b11d

SHA512
23c60fefc300a54b02b5e361d854d2f49e390e92cf4271dafad0f7fa8eab8b5bd111cadb62ece6577f7d13c3820ef808be8d79bec7e08e9765f6514197460453

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMES.exe

Filesize
462KB

MD5
ca2109a002a53f29a0c404d7c17422df

SHA1
bcabb72c0cf133b46f8086e0d5f9bafb5652acd5

SHA256
601ccc13471184a03ef123d25df2602806888e62b319868cd4f990dd02876c4e

SHA512
9ddd9d15faa476f6f8678ff1cf2ad458783797fe65e3f2e22a2b5cb60cd5d2a3eaa0e9e89803eeaa2e8fd351a98df52418bef45b6693eb14e77c7cdd5b28a47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gogs.exe

Filesize
61KB

MD5
7eef60401fa86efe82cc3f4a4240b94e

SHA1
b80fb9785b59de5605f57c6ac2602fa2ea4da89d

SHA256
0e2a499460148ae615cf5ff8ecc773ce530b5b9c41c432ee5f12da76c72a3aec

SHA512
c21c2e0d1776928ee6293a675ccb252d10437d91fd13bef71beecb8e0336e1af7dce0a3dd3ad9b8b747d32cbe9955f571d5d8028343773b94ff0be489e2816a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgUc.exe

Filesize
185KB

MD5
6190bac1e594cbfca377abaa09b5c603

SHA1
1b8c28b281c5558169fb803f6e33cc226aebfd20

SHA256
257466a64a1837a37b89ad6642c1884f62d0d515d1fcbd93e9521fb8b3c6f6b5

SHA512
8f24eaeb8e132ed48a74fad7e7af1bac437b7fffdaf55a77ed2af700b5b6bb4d4809899551a075e5a987011149548d3d08ae1df155ba4a559a271679af6f1e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAcm.exe

Filesize
449KB

MD5
c9ea450cdeaccc90de0af464a26aba08

SHA1
2997308c4e2ef38037a7bac1f81b143684aaa6e4

SHA256
7ac12bc66802cb7771b3cf1d6c86044d23f18836b04ca70cc7a38192a35c2ec4

SHA512
678e4a2da4569e747d728e49e410378aa2aea45bc3e002089b2c4bd48510388f1378a2427a78a54cc21aa41323f52b0884990d81c3ad7ffc0a4724928eb195b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIoM.exe

Filesize
388KB

MD5
1a916460c5709ef772341e7e240ad90c

SHA1
19f5395dfcfddbf09f6f6ac8d0c9a88787cafdf8

SHA256
c24b9fed943c1526c169f23f35c5e423fe1f5e9c6db03b129b280fa6da0a8cbd

SHA512
f77e3342238a122fa1e5ed0e9d2c554541367e37ece3fca31593e20d8a1a21b97a6bd2cc41397f93070cf13439eab6d3ea8016ec5431e083501e5d33166fceef

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgsS.exe

Filesize
150KB

MD5
bdb70a2a296c3abe6b5a79eb6633c941

SHA1
0bbb5ef3093e001a1d5de2fbc213360af38ff685

SHA256
f1e50146ff877791140ff85357c0ce23c331cc61f83c9ed406fb8b6e46f513fd

SHA512
0461108f46226456cdbe73964a80c32733f40460aa0014103704c0cdaf9eef22e0de0623f0830bd4df36fe9d21815da8d70c9c3907803f3e8d82ca2f675282f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkEY.exe

Filesize
245KB

MD5
a82fd2edf39cb1e8b4ce917ecedd9ae8

SHA1
6ddd1363f0bc93573f5bd1e0ca8e919e5b016a6f

SHA256
5b94b1ccf0794674066693658402b135da5789f6b666f9d22b0ec2af494b5f0d

SHA512
9732cac96fb9699ac41c5c40a8edd7e17439409915c63f39f19537f4cc0eecc1d6505eed41ff86dec4bccdad7000b84c8c27e2a249b371c0e875ee13459a6a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kssi.exe

Filesize
560KB

MD5
d0e777f6997977149d610c9aa200a749

SHA1
e5944560a83e3f689fe2082bb652dddf7d10a258

SHA256
880f314930e57b0be377650f0ceed8e5b4c4319f217be9716590b76f6a40b945

SHA512
2f3f435cf444d195de6ac0b1dcecd622489e358b3cf5509d33693451d99299aa406c5e3b5678103b114116d375f99be08c642b1159d48f8cfc61a9f5ba92c6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAAC.exe

Filesize
383KB

MD5
e81385675b820abe6b8fcf320a893b74

SHA1
59c8a37d1b0da39c470c1ab3349862f444644d93

SHA256
52427a40d64368928173e13357e024d52f2832c17f0254ae90ebda70ef216481

SHA512
450ab260f63671535ea482fd0e6b8ebbe651adb80e6c3ed485ed9afde1dbf73142446da5dbd0ed3cde29194c65d5860e73231a6b68724be2637d659844b2fb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIwu.exe

Filesize
185KB

MD5
d1e1384c364b34c2870583ec35e66204

SHA1
81360d55d31fa0430f7337feface056b07bd3fc9

SHA256
a971b0ae410f5692a20e1fed1820724fca039b4892be1ab134389c0e70f5bd20

SHA512
ab8b991742dfce4eeead82c0c95c0e4beb7245d7519cbf34e17065acff23e57493a8df376381ef2b2c8f3d7d2c7f505b1bfecd859f2a72c4c3850eab59b58639

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQQg.exe

Filesize
122KB

MD5
29eeb51c63dcba538e1bd298c48c76ba

SHA1
a9d2374a4c5bbe7d7ca3605f8acca1c7fb07b275

SHA256
1f3428b0e94bf64d073b06170c655b583cc3c656bb251bfaa7948b6a3c8059de

SHA512
cad7e4519368b46e6dcc2786a68dcc7884b7e9a32860e98c18605029b82e153c001f119ad78bec4c5e46db10a9f911721a63901b58c315b0955956cf10ae553e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkIW.exe

Filesize
437KB

MD5
e45a4e5fb9a6bfa581bbbd78a4555ad3

SHA1
3360bdd141deba0fc32584eb36d9abe8a93b831d

SHA256
3795370625ecf4e1a78a2632ef6ee667395e6bd69a86fa64c0726ba2e921f7b4

SHA512
be11dadcc932ce7421f31fa71c89b47a50b0545cf079d12c2e4e013b4bddce576c490b786ace12370a71b6527380056321088a9372753335db8a418b940e3d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQsG.exe

Filesize
139KB

MD5
aa0699b91f08296c6382ec0ef7d85245

SHA1
01b867d5ace7c926d2ac3465466896bec01b4ccc

SHA256
0da007a11907659c6dea8299eb5537cc1a21953c5ba4deee384a0d4aedfb2d3f

SHA512
4fabc4851068f7697f305a085ff93a73a28b00827d09dccc593d8506e459d13991afe5bc1b8b567e5f6debea5bf7b7c618c2136b7da564872e291c0ac63f9116

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkcG.exe

Filesize
359KB

MD5
f17366458bab2c214d2ec8e2a4975511

SHA1
1479bcc332feeffec03106907910cb7af196eba4

SHA256
953f3253bec2d52165adfe0cfd2999eb23216378580e46ed317309bc5ab7794b

SHA512
73336c655d88a9cb4b0f5541e7190709ee1d253d60eca0fae6e3f5b4b41350842d3df2fd37a0b5401ba483ded8f5c0490cd210ddf84044757f0a2568e40fff64

Download Submit
C:\Users\Admin\AppData\Local\Temp\OscE.exe

Filesize
2KB

MD5
ec7121f4a9366f28feaa55feb9dc1789

SHA1
81268afb04b63b5708da212e6cb0fdc23f70943c

SHA256
fb33555701bc5d11fb28bd2aed50ff4b8ee956494d27a37e613c2c460192fc77

SHA512
7966cb69cc1eea05ac2260c768983cde5c5ee9ba0d875670a159d4f0c3093f426fbc17248adebeb7733c24f2fab45f76cdc90de2f1a933e70461b444208f4e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\OuUYMkkw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEQw.exe

Filesize
529KB

MD5
a38eee3bd78d945f3950a97465f58815

SHA1
096ad549be1c42d1597f1ce4be5315043fb703cb

SHA256
1e68f4429cc870f7e3b08530e5e6c40e423de46cd35c328740a92f7b213c937e

SHA512
b6935ce514ab27db74188944f4d67e17cc7daaf999d9d26d826c56ed594ca19f0b7444935f0ac2ea57facdf97cde7c4674459f24d231a239db47752f3d1f38e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMoc.exe

Filesize
456KB

MD5
fb6a54ea9e95243ef87d85a5cd7e49e8

SHA1
12b4b865ced6022c59aa4dac108fd1857e108409

SHA256
d4165f01995fb4e5b595691cc93fc2540ed7dc14e9e5f5d728f06162907a5614

SHA512
2a3d8337d087334964443c14cc85ecad29f46cb24133b5bec100cfde08aaf8271e92f004dafa46eba5e7ea5f0444d352e618aadd5b2e10be1ece8e25bbfa2a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\PsUy.exe

Filesize
437KB

MD5
420aa6d848df97fe02604a3e53aeddd7

SHA1
516094d20f174dba093898d6e27e3ae6b502eb3e

SHA256
5f8f9d4f65ef7e7aae81ad7a485119e51bdcc4d8ea946f5e2456b7951d8f300f

SHA512
2529419712217ce14daa827030dea533a0d7dd5b0f76f0391572806424d155790a973d8e0be6025d747300e5069f033346ae809575a584a1699bba82f557cbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsYK.exe

Filesize
580KB

MD5
98e6bbb433956a179aae8688c43d3340

SHA1
89667e853caa0c71f60af9928171bf1919ec30dd

SHA256
a1d86024ee6bf9e6b46791783f9e8a0b62bb0eb53e14c2d54aef48188feff121

SHA512
ff3f0b5759d5370527f330b8d39238771546f97db2e8661099fd6b4acab51f41c896e1f6a7f36a67e08ddad9a048dc4b0c94af7d7d2d8dc75b4bc5724ccd76f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgMu.exe

Filesize
4KB

MD5
e82bfc7190821c3757fbea5e8b1a5358

SHA1
f3e42a591a28927fca8e5a83a29c66dac1733dcd

SHA256
0f829c5acfa3387164e5804a1a9527d232dae6798cf4ba60e1d4f7b847d9e7e4

SHA512
43485f45712ca83e84d1e10ae3244820e1156a364720d4d050cd7e7d969873ad29141b9c102fef15784fd8f104a2c205addc55d5680c863861433e6b72a48893

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoQS.exe

Filesize
441KB

MD5
c81566047f9dd1225bfe716e9c405d08

SHA1
7b764288e98cfff80b0106143c72d5610c657821

SHA256
0b8437109876149812aca19dadfdfc51dc3a861ed6e2f3b3f9bc4703cb0efd89

SHA512
3fd7a120748d1d89dcd6856a44277842d1737188e633d6bd63b319e0284a308edd9a9f74eacd70d898f26280a756f97ff680057cb967f37649585b453cac33b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEcg.exe

Filesize
389KB

MD5
e322dbd4aff089265899315705908168

SHA1
b5293108e5f9f2b6a398b5c19b309b8fe6e80caf

SHA256
b18011cf38c6ef5f9ac892493bcd8ff93b97dc8a057eeda0b99b41a1adfc07bf

SHA512
daec59d212369bb2801a6f47799b4eb93e36765e5f4d01718af830fc076f81f8c0fa9313ce357a7dc7a3fe6548fc3f42ce31ae63558d393078984cd4cae1543f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQgu.exe

Filesize
438KB

MD5
333e5bf8d88e21220e1c74f108f1086b

SHA1
0d6b1a15fd73b04d912fc0ad3d18ca6dc4ee8a6b

SHA256
0614b13ccb6b768b503649284fca5d89cd386462f1f831b1d6f0025f76f3a0c5

SHA512
135b38b5c23c3bb2eed7adc363942fb2e3000fb636f751a85a41cb9ba9d3ad46e65d91d41b6ae2a8b5b150c21ffd3b0b0bff1c8e1c14930edc0b9079d796b43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SckQ.exe

Filesize
407KB

MD5
cae845f398ddce6de68c8b2ff68abc76

SHA1
7fe78b22ee67fc94294a44d7160ba0d5874d6ac2

SHA256
365fdca51630c25cfc66c41a60d8cfcc863ab33b7dd8db5dc5e4a9fbbaa07906

SHA512
34d59da3fa42e381caa045fb39c65287f70ca0856afd428250627ee54e9bfee4eada132d8aae99bc28650df94815a9a015fe3ba5bfb866ed985856c8f172c6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIIa.exe

Filesize
892KB

MD5
42bd4c7e4ea9f4856272c22aa268c9dc

SHA1
559e5f4b4b06e5c0de7c3106977bc45414e193d7

SHA256
cd8822eb1209c37c08c294774716be7dc71e84b6c6ccc7a33d25c0cb68238f33

SHA512
6892ad0be3696b1b9246be2850c2a0c635316333ba64eb17c4150b0b72d5d8adacd8f608e8082b7f4062d2079f6b6053adabd3c08a7c4e57b3b654158892a2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMUG.exe

Filesize
87KB

MD5
67bf207603825594f0ddf2eab3782229

SHA1
fa452baa9b031c7038fcb6f28e0bc3b2bc5a7b07

SHA256
2dc3735efb4974cadecba86abc823e05f0fb0d7d1860d4a6da45d6bba5370324

SHA512
dea32926bf0e3f6068a971f0ac217aeb9968459db2ecd35ccdc193286f2393ea00468a4a3869da520b4be0afff1763b6c31fd6221e214b3d3d345b90c850eeae

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgcY.exe

Filesize
275KB

MD5
974f741dfd121969438b87e9a7804628

SHA1
a0d283bc83ec7faaeced5849f90fb736a5f4908b

SHA256
715486519724bd5a4b1df5aba77c16d9079103b5cc5bd9a9d0269c2dd71692f5

SHA512
b84135268a0f2eb88b20c1298f29a8aabd53cbbf7c620c09c2e40a2092a196af472ef77a0bada6129a4fd964a7e8d191dc7520108304063cced470099432df16

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUQA.exe

Filesize
558KB

MD5
53faca2fc00e48ac8f02228c125e4241

SHA1
976cd27441039d1fdcc0f9f8dca034a4d3ef9368

SHA256
6957675fe7c9890bc59ddc41c2cd9a045e0ea3afbc2826da5e9f93f3cfd2b946

SHA512
7dfc7a89cccae1cbd7579bb29b37c2907e834184a28e36f64812656dbba3366c1f15c1d6ce06db69f8d41c15f7af0e534ffb25d9846731528755a6e1365fa8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ViYY.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIwc.exe

Filesize
435KB

MD5
6521d4f4885445551d425590627c5434

SHA1
58dca448220ac746b152a92e23a75fde6190831c

SHA256
e2dfacdad0638546c7c4dc45b572dc35ff2e31c9073cacc769864f9b9aa7d3b3

SHA512
3791cbf2131d5660b7e9792e7d0b4cc77e82579b55dd931f065c23f1a599b1617a2d1f21f596435f55537383f5c03410d4e86e702907501fbbb5c340771d50df

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMgs.exe

Filesize
141KB

MD5
c2603bd393ce3d88832f738ad5c9ac9f

SHA1
1148e650155f27ee4b5807be542da2e3371efc7b

SHA256
13583c9f93c8b2e89e4ccdc7ce3cdbddfdfd1fa9596c67d84e73906d8bca31ac

SHA512
02f153df315f5edf7d2da3742034538a79ff6f104d2ab0aa9c7e3969cbb2cdafd916e5b1adc5c97e94f07221cddaf9bb54a9d6b8d1c30eadee28b4adc0b610a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgwM.exe

Filesize
228KB

MD5
bed93cb7de823d3016b1c498ef77436e

SHA1
4d29dfa3f58199bb0cd3e1264490d11a1fa1ef11

SHA256
a8ba5af8ef4bb50c6a354a08d99a6831c3a6c45210750bf75eae40d20c51ddcd

SHA512
69626a93636906d4680f34a92856f5805fc0d84a42b0fd8ff90dc3958bf87aa459f31292adc3a5d859b83d19dc1367d5cbbd6cf335b91af47f3efa1a100212ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQsQ.exe

Filesize
129KB

MD5
996b5fe3363811beedd27cf1aacbb91b

SHA1
6ffc32e4ccf267430321c9614d79a04fbb327859

SHA256
4365833c1338ac9b7bf07dca58608425447adda213f66dbc26575636fe8796d5

SHA512
54e32eedafebdeb2d5cf95563ebb7a8f3618d0d07e1a5ff3aa1bfda2228bd0245d9141d34407c9109699d02008cd013c2df67b50e9a2480c51ea753db513c0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQss.exe

Filesize
296KB

MD5
1ea9ad01bfed6672d06f84381aa4498b

SHA1
79530a7c54f5f964ded2f2098c018db4a4dc01cf

SHA256
696b7c19c89ce98107f2673a0a2d195fa62dc8039e902f8e9abca030116d1e6a

SHA512
585c420bf77158aca613fbc8a58858b9265b2f63846d10c11bf133e21bd24e0a0355f0ca3a478461044da70898ff591cd1fae2760b100c6a26168ae733990fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZsYO.exe

Filesize
372KB

MD5
3a08b02c1584215d3283a4f8c64831f4

SHA1
0a80750cc7617061e93ad0478ad0011aa13bce36

SHA256
827298cc919301bec8153a3bb73a73a732657d5de8fc2ac46283f70a8852c210

SHA512
d7ebcb786032accfa7049f1facf7972cdb37320fbbc0cbec5fdea55c5d62ae6488867264b2c65aebd676912e39f81c9598ee242fc1568c780f16e15ea7594baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgUc.exe

Filesize
418KB

MD5
42c8363cc2029c3ee6ea1c483549bc0d

SHA1
70036611a3663df1a656571af7ff97dec9a4f505

SHA256
d1516465af59067e6149d6d9ba41db2fdbce04235e97372314b527667f21f3f8

SHA512
97aebe5414c217549ed8e7d00fa93fe7cf52782cc9441f506c3276931a9b41bc6a9c6082b75a939bb0a91faf2e5b0b332a3c6f0063d9af7e4b69cc152655418a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAEA.exe

Filesize
267KB

MD5
de41ba08433aa977d9a459fc94969c58

SHA1
27ea0c9c59431d090c0454e026215c9d32a675bb

SHA256
4415ffffe9f3b435872f0e2dc47345b513ca786868b6de56f6cf5760d34f6932

SHA512
20e9b008cc4622cb96f3f5fb73a94251366d2b83afbf49e34ab175585d9767bd3398d87726f91cbabcc638bdd7be977bf53007c3190ba0f20633ccf5fcd35833

Download Submit
C:\Users\Admin\AppData\Local\Temp\dssq.exe

Filesize
440KB

MD5
b623a5496942645009040a4ac12a04d2

SHA1
724718a553696e5e216cfe4b746e61b1aa3f0a40

SHA256
857902518a1ac2e07595839608730322b66d6b422bacb6c8ff7401d2f1827185

SHA512
bfa7c4d1ffb973bf1446dca896c5d623e0ea09d32c1205f262c326364c74f55b0b683a8f8c79a8ace159f5d6612884489cc3ddb448a3ee986092883868bac577

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwgO.exe

Filesize
326KB

MD5
37686384f563993ce54f86085aa5c78c

SHA1
92f44ac0238ab1d01028523861cec2add6247c56

SHA256
4e32f5d606657ae602b50cbc209e19aa058416b2c2ae09cdfe63d7b54dd07193

SHA512
b2bed207845740d4574439f1f6c4d365a3292c56e25bc79bf7fae7c25653fe11212241c1fc5ff648f283a9601b3fccaab140a390a998e7e1c1a2cefb3e450daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIQi.exe

Filesize
139KB

MD5
74d01c888922678eaaa1ed41ddbf95ae

SHA1
eb21efc45589a0cc73971ea9657133fdbdbf68c3

SHA256
687da3dd35459e79412a40382350d1eee22759b76d4df705422368907611c900

SHA512
6d4806ced9bf15846f04f0d1f46a71a99239b2bcc2c1a6cd5e7c5e9b6dc43bf6dc4d7fda691cd52cc466abfac1878b709083068e01e6fcc6169433c23965f30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewUA.exe

Filesize
416KB

MD5
6e332d681f8dbc3488b240ad0ac428a7

SHA1
c9f4ae6f0b6ffc7e214a6f09ed1866dc08d80198

SHA256
b8f1304585a8edcefde7499ea53b653de60376da0af08675940d49d0ff14524c

SHA512
daa5eb45415b2bf1f21cd8aff74216f40ed49064c7a9c8f4f228c9cb90f1ddfaacb88d3f8d34f35bb0b110694bec6760655030687957b94cd5c266de28fec9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEUY.exe

Filesize
399KB

MD5
d41ab8951116e709bb9ce66222490685

SHA1
d14b7805fe67559b6ceadc4c4797739f66745c2a

SHA256
be26973af7d3e86359ef51749770ec9522a6f09590c5fb00e1f4ed9e12e3d844

SHA512
66ed719c21510df633a30bdf7d97477e22d9c5a2a885ccd786691b977fb028a118028643271db604f276c285f091cc9c41e3a38aa5eb9c1b2dd2c6c3111ba833

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIUy.exe

Filesize
464KB

MD5
ec079edbbc1692090288b048da8e1651

SHA1
4875a56aa3c5a7a6ae9ac178dcf32482eb10c65f

SHA256
b882e3f882eae8940c55707e7509dae2e2664bd4a8b8264fa3396638c26004e9

SHA512
b5e79733fb42dca6c69f6257bf2429b2684dff55b5cac31b23f8aeeea55342c422aff678803ccb0aac589e7a4794182a9874dcfb5377d16aa3150795b83d93f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYky.exe

Filesize
438KB

MD5
81790a1ec49e4b7d821d809512f9a801

SHA1
7df4b41e395db745e1d110e60dbd22bcba516fc3

SHA256
70e429e9424e2f8baa2419ba81cf13940389782bf99abbf253234502bf63d8cd

SHA512
a00a082173fe4462988be8d0cbba0c6be9ac531929983626dc7c7760515cd41198d989362237e102f691f9793fb1e41b4a4485e79c8832211372f64c0810e7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUYO.exe

Filesize
329KB

MD5
97811151ff56c99263093b623e2e105c

SHA1
58e6fdaf2d36a7e4429f762e39c5f909f1ec9185

SHA256
d061d76c5877f438180aedfab4e93d1e7f840bd5f57ac724023d0ba15ef4d3d7

SHA512
539858051fa5ecfa275c62cede509b11cb1e061dec8f7b8e98b0ac750c19bdbeca79ec3ef9a39c8835d4c4b70d125b74d68780c617b9b0c91e29cf553e429eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\icsg.exe

Filesize
66KB

MD5
a251fd6c334226b54636417754226456

SHA1
0fa00a5346fa423656b7a7b0ecbdb33e81f76c96

SHA256
f08ebf0c2ba7db9c9943ff88c17598795f04b2bff5e97b3da5b0dd876774a186

SHA512
e91efa80680abae88899fa7520f1fe0cf68a660a4a51c6c533c5f570ae672fe72b6f548d9a34106c51dcd50802f276a819001dd07e0514ce16656a50bda01b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\igAS.exe

Filesize
64KB

MD5
3945ace57680ca5779f47f3e64dc1770

SHA1
407632ca42bf318a10312b55dae882ad31e483f1

SHA256
bdfe33174e69adc54086750e6500d30065b62f373cedb5e4fb5a41bc3a9ec36f

SHA512
593c182ab46027bd1c569ab87be3e09a282f4782423c7b335edb3d86cc4638477438ecefa440992b2fcf11744916fa3abc2e3472061b4204842bd407321931cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwUY.exe

Filesize
401KB

MD5
3f381343d27dfdb28f08117cf89955e9

SHA1
72581d07d8c384105549513f23e07784908d9fe0

SHA256
2f112d3d27fa14b7335c8a43cfc945f84a60a92f64650af02d9d8f52f99a92f1

SHA512
7d9a4ec2efa05ab07ab033f8b77216915df5940acb480c521967f084b67fc882858097ff803531cfda6f0da14eb8742092c3f2930fadd47bb291b54142939799

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAoq.exe

Filesize
523KB

MD5
a06ca7bb6016b2d44c2026919537dd3c

SHA1
397d611bf6ad88f809c673df275d42f04a0a99a0

SHA256
63779bf937f460a7f49ab068241d18281e422bee0895afb48ea76dac708f3625

SHA512
ffc87dbfb0a678a2673509b248bba03f4b7e5d9c0294e15b6e1e72ef82e6e420db3d96fbe29988e42f37e2708ad9c7bfec5f3435669c333fd5af3662b97e44c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYAo.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\loYe.exe

Filesize
442KB

MD5
6534ee633a50a9a96abf3794474fddc5

SHA1
296e3ef769e4e0d6a950fc3396d95207c0fa498f

SHA256
b4c72f036ebabf7d35b172aad8ef503cb28e944e45e691cc44deb544a6bfe3c1

SHA512
6c7e91ae7af8c90e01a921c3b1fd7afccd655a72a1c83c1885d1d1751df7775956ead8c5b2ad400018cab664ef7f58c3e430b3c6ed1023a9f3150c6d274b0ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\loka.exe

Filesize
437KB

MD5
5ede06d5b4fc3339d0c2ca20d9ad22c3

SHA1
12784b5e49cdf619648a206041156e159fa51bbd

SHA256
3fc20bb692f1ad392363402348285e6cb87c07903038cf7395a661d11638f8f5

SHA512
dfa774a52e0516e23a2997f40c0926e5afdd2dfdd2af6e983dc9c95a508cbbf0e4715c01fff5a2d34c65d9b51ef5e5f425b47d2308c7a3c6a57ce1d3e4604ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwsQ.exe

Filesize
438KB

MD5
af2097c9fc2a46cde5e183b1d4acd618

SHA1
7a1cdc4e7c59feb0263ba373caf82baa7d855b63

SHA256
8d4498b56a35c4a51341b5cfe448de07032c6f2a84edc3c2e9ab5b9e8be5107b

SHA512
7d5def9ba8823edd9cb44b807fa68e89935405e526d4295482136f6ac09bc61d45ec23155419677ca89e42dc20c8299bb8f2496b929401e09ec410ea55b93fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscQ.exe

Filesize
89KB

MD5
48c343a5c3ae0d1b07ac7abd331a78dc

SHA1
79e2b996c23f07f0c35849c869d0175076ebaecd

SHA256
7415923f7bc7fb48f571636e7cc111671f10d0cdadb9d6258147cd09aba7b964

SHA512
4d33146b8ab14ece0475169cd63dfd4b60309a29fe8934ce42f91c9c109780c62eec24781606c59db7fc5cc85bc79bb8c3c2f11ec3b1f1613e3e672404b06d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYAq.exe

Filesize
462KB

MD5
4b9dcafc2f1edf6ab15070a34f325a2a

SHA1
4c9b4309c67422754e952dea39dcd9982c90f712

SHA256
e2c2b202b78b708149cf641b0ea40f89a6bdc8df46a97712a28d8068bc7e375d

SHA512
f6576fb120ac0ba7190f8c1b091e90aa79435b1774d3dc04148e68388274b4c412fff82837de399f17d716047f76272f995f054af147e87b8cb5ca0f3454ca7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooEY.exe

Filesize
935KB

MD5
6fe7cfaaad0181b3f1c24e04e33e042d

SHA1
26c327623a960834bae2798a5fe3c55cd9e8daf5

SHA256
f30908b7b7dfe80461094422eb34b4ff717b0766b58aef64ac8d22e1deaf651d

SHA512
4055bae652a3b40bbac10dee09d67cb6708be59a7e4739ee84b3fad13781dda650913d8ddd00332aaad8a982d6118ba23c84dd6a9e247b54fb68ff01949f73c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgwG.exe

Filesize
441KB

MD5
cb6efd1acdaed1962643305b919affb9

SHA1
bfab06afc1bac6d2164cf3849b524c232f6e0ecc

SHA256
3e2f5888aea556f5dc92c8d5bb05c3177c8ef72efdc300f3d16eeebc27e7af84

SHA512
d2317d03279695951dd4bcf879b6fdee178039749aca81140a2db18840a819e29c2b87d9db7c705cebc3b31dcbe3fce382c8286389cfd56d6f7681d3cbb9a939

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkou.exe

Filesize
1.0MB

MD5
f78892d3f08216dc20c8e0319b1534fd

SHA1
52f977467b7d002ffb74865b8b7db63051024c10

SHA256
5fd49c63f0d46ce937f0d276c7758ce78fb4c425c84d7e79a9c3dcd25951735d

SHA512
d3171ae9365a85c09b1e4727dc74bb7cdc24036d2bc2e49f3126ca518a38f1c998c2b2257815637e4537549e809a5cbfcbf014d8f3343e71fc1e9dd327aba1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIQQ.exe

Filesize
62KB

MD5
ae69e598a0a6d8356fd7e9d6a409bce0

SHA1
c7a122ae732ad9c8969ed7fc56b2888902e06e14

SHA256
cc988902a3b78cace934ac0721311c610b6b9c61477f5a7f6d63a934f2587ad6

SHA512
894afcc70384c1e10eb172db7af4a2b82fd88c46806cb7d37e661f426e0db368fe4a7e024b06da962185a7b91908c21c66a25fb759e5ed2831417e2989a8a07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\twgS.exe

Filesize
201KB

MD5
6757d3f4af2c5d85704ab364700bc852

SHA1
4400e9f11ead00574700662bf3fcf13fa46360d1

SHA256
89945b6d4e1cc96c37b4435b05a024c44bb52845398bcade23c64d281e747f78

SHA512
514fae78667744f40b747569a259627dea92564fd188f99bddee306ec8120da561865bac911fa2709100fe1dcadce9d6bf8ecad9c26913cdd412c029b183b907

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIsu.exe

Filesize
447KB

MD5
d98abb93c66c4b8098d0385bc9197e12

SHA1
44cd95de238083f1ebd3c324a16628f84088ae63

SHA256
83b0b53814dba895314ac7096a01483895529960fd8c6d140a8b8eedb44ca7a0

SHA512
02b9884f3d1fb8bab10b96cc681eb88866327eb7a731bef7c6d4082e53fd5a76a37dde928486bb98a33fcfa5e915aa6e27fe2a81d593dc78bd8c285950ba6b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcki.exe

Filesize
67KB

MD5
77df2893f7a0f78ce96a474fd1570fad

SHA1
7b7bd352d2318f6d448d02de5e3b94cd5bc8a826

SHA256
75816119be2f7871d6a51d6491e9a99178e8fbd8f061aeb861b735c43810ba1b

SHA512
cd2e10541f186be75849698ce07be844d806767d1c6ad99030841a887b2d9031ff24e5421d9a185420c02ce42485433e8b2d860d0aab533e8667100a3bad5064

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEck.exe

Filesize
222KB

MD5
909d823be7fc0ca8f52535584da4038a

SHA1
3163ace54161df9b7a2d64591049ff8417997141

SHA256
10baa9661cb80bb6762e8bfea17a61e82d79313fd0213331a24fda5362b4c046

SHA512
4d171eddeea9c8378b9f5b3095fb3ee49dbf9cf5f0f78c47d812b08818e52e7ea379269c46789bb4b42721942a5fd5228da9c8a2834444ed65580e57bb5b8cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcoi.exe

Filesize
291KB

MD5
0fe5460e728a1da02ae500f49d0fdc16

SHA1
8d13dc422a977d388f9df641dccee62ff1dc9c14

SHA256
70daf73378079a819f700b1b7401a4981f963a726b51d868bb797caea6dae884

SHA512
b193066e65a17c20525fa726d791fa49ed9e189ea040b8c6aac08b65e96e83e8aeea5545fba320d20ff61cf8ad29cf6f60ea2deca2703bf650cf91fa8126ff4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEEE.exe

Filesize
67KB

MD5
375a57d8766a1917778045cc8c372ce6

SHA1
e663eb11bdaf77c70655cdb9e2c64dc69cfa1f88

SHA256
1d911e796d083daa8edaf608b57b85545fcbaff5af2bcce30d08f30827af459a

SHA512
3e8965f96b9c1302f74dce838023dbce4c73519c0b48e2297df235a1ba5354b666fad611e38031a3108043c371c5d1d7f0ab941ae0e1948060ff4c83af2f0f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQoC.exe

Filesize
17KB

MD5
0e3dd4f93f8f53f8f3f3ae6e10319690

SHA1
277b8cdf5fa5f5eb493acc507cb982b36c71e488

SHA256
6d81d5370ba7ef0ee9e51f394ece62c47cc9941d903448d3640311c71f5873b1

SHA512
545121cdc086c9de074c84e1f062280e3234726361ff1aab02d8403833e36c502bcdebdc8f4267406de29a432981856b0b902fd73e73a389564d6edea0d7672c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYcI.exe

Filesize
399KB

MD5
ba4dd5d4059185fa60178c3e10b9832e

SHA1
bacbe6e8d26a791861deb99c94f558a12fc3fc16

SHA256
7cf5167573d98bfee9e43d706a672c8ecc7fc0184944de325bc144d85bc7587b

SHA512
32404560834668d170265997a262c40cd16c561c0bcf8f71218a78fadd3b90841bb65fa56584aad16e12fc1550d9c64cc34dcea42262229c982bd67d3d3c3380

Download Submit
C:\Users\Admin\nAYIgoUw\GgkgYEQc.exe

Filesize
185KB

MD5
f89a1f5ecff20db912a1c16057d5ed8f

SHA1
6b2c45c32a2925ce3cc97d3e26260d7f0986036c

SHA256
7b046b376d4f588cac4cca3e237e5c97ea221345a14be168654f6bad0a040438

SHA512
f822c99193f215b196d1fe9a5bf0a0e0d5f6913f3ff2456d12f2646f90535ea7f332d39b05ed3b8c625c1d93b51a7f8937686e11420683994867a5a5c4bc8673

Download Submit
C:\Users\Admin\nAYIgoUw\GgkgYEQc.exe

Filesize
229KB

MD5
3f3bb8c991cdab72f02836b512337546

SHA1
5ddf59e9b9860c4a407f6402ca0e3805ce3d17b0

SHA256
9cc294509f19f806dc3ff99c0464beb23de6271bd9b09649959024f7e7e58305

SHA512
0e01df6d3310e78d1851f1767768e62997084b2be301aa33e0c7584fd8466b93f9b6ba29fcdb8a2d61e741096db48d0dd7c8f300b45c9beefd790af2a847f1c2

Download Submit
memory/792-207-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/792-194-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/840-34-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/840-42-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/896-12-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/896-64-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1064-79-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1064-17-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1084-222-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1084-230-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1208-35-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1208-0-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1332-104-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1332-91-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1336-22-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1336-33-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1456-132-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1456-115-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1472-557-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1472-520-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1496-43-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1496-6-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1640-325-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1640-287-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1688-165-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1688-182-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1828-78-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1828-65-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1832-670-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1832-721-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2240-80-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2240-92-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2336-234-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2336-242-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2388-1026-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2388-964-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3212-133-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3212-145-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3468-56-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3468-44-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3524-1171-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3524-1122-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3712-1061-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3712-1079-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3868-1214-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3868-1236-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3960-397-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3960-452-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4124-195-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4124-186-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4324-206-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4324-218-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4628-144-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4628-154-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4632-618-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4632-659-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4864-778-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4864-814-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4924-116-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4924-103-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4980-1330-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4980-1293-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/5068-906-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/5068-861-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download