83d9f46be24d7fab8cf6c404a887ae7bff60a22db9ccf38e3ec15527330b0098

Analysis

max time kernel
19s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202401067ea71f3346da281548954a6193115bbdlock.exe
Size

111KB
MD5

7ea71f3346da281548954a6193115bbd
SHA1

bffec7b366c1d4420c5083a14c3665651747ddbe
SHA256

83d9f46be24d7fab8cf6c404a887ae7bff60a22db9ccf38e3ec15527330b0098
SHA512

8d7b05b72fe21178bf0e3cf2d9e7198e6979cf9cf6494499b4665e55bc9b598db51d421fd081f791dd6c4e8877ab7f6bcc4a1a0d3a16b9b3ca251b36fd974fe7
SSDEEP

1536:MfISW0+aQKJQw5u+6hpPBE5UtOvE7i0FfImfctcZ0PU15A6VPel8F6jcY2Ft19p1:Mgp0wogpPBVGENImkeZP4vjcY2Z9p

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Renames multiple (53) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
884	WIEMIUgM.exe
2788	mugwMgMM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIEMIUgM.exe = "C:\\Users\\Admin\\lkwEgAgU\\WIEMIUgM.exe"	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mugwMgMM.exe = "C:\\ProgramData\\ZCwMUEEs\\mugwMgMM.exe"	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mugwMgMM.exe = "C:\\ProgramData\\ZCwMUEEs\\mugwMgMM.exe"	mugwMgMM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIEMIUgM.exe = "C:\\Users\\Admin\\lkwEgAgU\\WIEMIUgM.exe"	WIEMIUgM.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	202401067ea71f3346da281548954a6193115bbdlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	202401067ea71f3346da281548954a6193115bbdlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	202401067ea71f3346da281548954a6193115bbdlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4952	reg.exe
980	reg.exe
2692	reg.exe
936	reg.exe
4528	reg.exe
1232	reg.exe
4480	reg.exe
3428	reg.exe
1232	reg.exe
4268	reg.exe
2308	reg.exe
4944	reg.exe
4072	reg.exe
1352	reg.exe
3276	reg.exe
3340	reg.exe
1680	reg.exe
3604	reg.exe
2800	reg.exe
4040	reg.exe
436	reg.exe
4116	reg.exe
1740	reg.exe
4480	reg.exe
1696	reg.exe
4040	reg.exe
1756	reg.exe
4980	reg.exe
564	reg.exe
2220	reg.exe
1468	reg.exe
3484	reg.exe
2280	reg.exe
1260	reg.exe
2316	reg.exe
3644	reg.exe
2108	reg.exe
4496	reg.exe
432	reg.exe
4528	reg.exe
3128	reg.exe
3500	reg.exe
4732	reg.exe
2128	reg.exe
4480	reg.exe
4832	reg.exe
3012	reg.exe
2732	reg.exe
2680	reg.exe
1620	reg.exe
2944	reg.exe
4412	reg.exe
1520	reg.exe
2608	reg.exe
2612	reg.exe
4100	reg.exe
4732	reg.exe
2764	reg.exe
1108	reg.exe
4052	reg.exe
2980	reg.exe
3456	reg.exe
2524	reg.exe
3988	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1664	202401067ea71f3346da281548954a6193115bbdlock.exe
1664	202401067ea71f3346da281548954a6193115bbdlock.exe
1664	202401067ea71f3346da281548954a6193115bbdlock.exe
1664	202401067ea71f3346da281548954a6193115bbdlock.exe
872	202401067ea71f3346da281548954a6193115bbdlock.exe
872	202401067ea71f3346da281548954a6193115bbdlock.exe
872	202401067ea71f3346da281548954a6193115bbdlock.exe
872	202401067ea71f3346da281548954a6193115bbdlock.exe
1696	202401067ea71f3346da281548954a6193115bbdlock.exe
1696	202401067ea71f3346da281548954a6193115bbdlock.exe
1696	202401067ea71f3346da281548954a6193115bbdlock.exe
1696	202401067ea71f3346da281548954a6193115bbdlock.exe
4832	202401067ea71f3346da281548954a6193115bbdlock.exe
4832	202401067ea71f3346da281548954a6193115bbdlock.exe
4832	202401067ea71f3346da281548954a6193115bbdlock.exe
4832	202401067ea71f3346da281548954a6193115bbdlock.exe
1120	202401067ea71f3346da281548954a6193115bbdlock.exe
1120	202401067ea71f3346da281548954a6193115bbdlock.exe
1120	202401067ea71f3346da281548954a6193115bbdlock.exe
1120	202401067ea71f3346da281548954a6193115bbdlock.exe
4228	202401067ea71f3346da281548954a6193115bbdlock.exe
4228	202401067ea71f3346da281548954a6193115bbdlock.exe
4228	202401067ea71f3346da281548954a6193115bbdlock.exe
4228	202401067ea71f3346da281548954a6193115bbdlock.exe
964	202401067ea71f3346da281548954a6193115bbdlock.exe
964	202401067ea71f3346da281548954a6193115bbdlock.exe
964	202401067ea71f3346da281548954a6193115bbdlock.exe
964	202401067ea71f3346da281548954a6193115bbdlock.exe
4524	reg.exe
4524	reg.exe
4524	reg.exe
4524	reg.exe
4740	202401067ea71f3346da281548954a6193115bbdlock.exe
4740	202401067ea71f3346da281548954a6193115bbdlock.exe
4740	202401067ea71f3346da281548954a6193115bbdlock.exe
4740	202401067ea71f3346da281548954a6193115bbdlock.exe
2636	202401067ea71f3346da281548954a6193115bbdlock.exe
2636	202401067ea71f3346da281548954a6193115bbdlock.exe
2636	202401067ea71f3346da281548954a6193115bbdlock.exe
2636	202401067ea71f3346da281548954a6193115bbdlock.exe
4124	202401067ea71f3346da281548954a6193115bbdlock.exe
4124	202401067ea71f3346da281548954a6193115bbdlock.exe
4124	202401067ea71f3346da281548954a6193115bbdlock.exe
4124	202401067ea71f3346da281548954a6193115bbdlock.exe
4024	202401067ea71f3346da281548954a6193115bbdlock.exe
4024	202401067ea71f3346da281548954a6193115bbdlock.exe
4024	202401067ea71f3346da281548954a6193115bbdlock.exe
4024	202401067ea71f3346da281548954a6193115bbdlock.exe
2088	202401067ea71f3346da281548954a6193115bbdlock.exe
2088	202401067ea71f3346da281548954a6193115bbdlock.exe
2088	202401067ea71f3346da281548954a6193115bbdlock.exe
2088	202401067ea71f3346da281548954a6193115bbdlock.exe
1348	Conhost.exe
1348	Conhost.exe
1348	Conhost.exe
1348	Conhost.exe
1624	Conhost.exe
1624	Conhost.exe
1624	Conhost.exe
1624	Conhost.exe
4956	202401067ea71f3346da281548954a6193115bbdlock.exe
4956	202401067ea71f3346da281548954a6193115bbdlock.exe
4956	202401067ea71f3346da281548954a6193115bbdlock.exe
4956	202401067ea71f3346da281548954a6193115bbdlock.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 884	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1454
PID 1664 wrote to memory of 884	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1454
PID 1664 wrote to memory of 884	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1454
PID 1664 wrote to memory of 2788	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1453
PID 1664 wrote to memory of 2788	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1453
PID 1664 wrote to memory of 2788	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1453
PID 1664 wrote to memory of 1556	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1452
PID 1664 wrote to memory of 1556	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1452
PID 1664 wrote to memory of 1556	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1452
PID 1664 wrote to memory of 4544	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1451
PID 1664 wrote to memory of 4544	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1451
PID 1664 wrote to memory of 4544	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1451
PID 1664 wrote to memory of 4520	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1450
PID 1664 wrote to memory of 4520	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1450
PID 1664 wrote to memory of 4520	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1450
PID 1664 wrote to memory of 1104	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1449
PID 1664 wrote to memory of 1104	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1449
PID 1664 wrote to memory of 1104	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1449
PID 1664 wrote to memory of 388	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1448
PID 1664 wrote to memory of 388	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1448
PID 1664 wrote to memory of 388	1664	202401067ea71f3346da281548954a6193115bbdlock.exe	1448
PID 1556 wrote to memory of 872	1556	cmd.exe	1267
PID 1556 wrote to memory of 872	1556	cmd.exe	1267
PID 1556 wrote to memory of 872	1556	cmd.exe	1267
PID 388 wrote to memory of 432	388	cmd.exe	1019
PID 388 wrote to memory of 432	388	cmd.exe	1019
PID 388 wrote to memory of 432	388	cmd.exe	1019
PID 872 wrote to memory of 1328	872	202401067ea71f3346da281548954a6193115bbdlock.exe	1444
PID 872 wrote to memory of 1328	872	202401067ea71f3346da281548954a6193115bbdlock.exe	1444
PID 872 wrote to memory of 1328	872	202401067ea71f3346da281548954a6193115bbdlock.exe	1444
PID 1328 wrote to memory of 1696	1328	cmd.exe	1442
PID 1328 wrote to memory of 1696	1328	cmd.exe	1442
PID 1328 wrote to memory of 1696	1328	cmd.exe	1442
PID 872 wrote to memory of 1184	872	202401067ea71f3346da281548954a6193115bbdlock.exe	1441
PID 872 wrote to memory of 1184	872	202401067ea71f3346da281548954a6193115bbdlock.exe	1441
PID 872 wrote to memory of 1184	872	202401067ea71f3346da281548954a6193115bbdlock.exe	1441
PID 872 wrote to memory of 4492	872	202401067ea71f3346da281548954a6193115bbdlock.exe	1440
PID 872 wrote to memory of 4492	872	202401067ea71f3346da281548954a6193115bbdlock.exe	1440
PID 872 wrote to memory of 4492	872	202401067ea71f3346da281548954a6193115bbdlock.exe	1440
PID 872 wrote to memory of 1680	872	202401067ea71f3346da281548954a6193115bbdlock.exe	1439
PID 872 wrote to memory of 1680	872	202401067ea71f3346da281548954a6193115bbdlock.exe	1439
PID 872 wrote to memory of 1680	872	202401067ea71f3346da281548954a6193115bbdlock.exe	1439
PID 872 wrote to memory of 1308	872	202401067ea71f3346da281548954a6193115bbdlock.exe	1438
PID 872 wrote to memory of 1308	872	202401067ea71f3346da281548954a6193115bbdlock.exe	1438
PID 872 wrote to memory of 1308	872	202401067ea71f3346da281548954a6193115bbdlock.exe	1438
PID 1308 wrote to memory of 4884	1308	cmd.exe	1360
PID 1308 wrote to memory of 4884	1308	cmd.exe	1360
PID 1308 wrote to memory of 4884	1308	cmd.exe	1360
PID 1696 wrote to memory of 3968	1696	202401067ea71f3346da281548954a6193115bbdlock.exe	1434
PID 1696 wrote to memory of 3968	1696	202401067ea71f3346da281548954a6193115bbdlock.exe	1434
PID 1696 wrote to memory of 3968	1696	202401067ea71f3346da281548954a6193115bbdlock.exe	1434
PID 3968 wrote to memory of 4832	3968	cmd.exe	1433
PID 3968 wrote to memory of 4832	3968	cmd.exe	1433
PID 3968 wrote to memory of 4832	3968	cmd.exe	1433
PID 1696 wrote to memory of 2344	1696	202401067ea71f3346da281548954a6193115bbdlock.exe	1432
PID 1696 wrote to memory of 2344	1696	202401067ea71f3346da281548954a6193115bbdlock.exe	1432
PID 1696 wrote to memory of 2344	1696	202401067ea71f3346da281548954a6193115bbdlock.exe	1432
PID 1696 wrote to memory of 3712	1696	202401067ea71f3346da281548954a6193115bbdlock.exe	1431
PID 1696 wrote to memory of 3712	1696	202401067ea71f3346da281548954a6193115bbdlock.exe	1431
PID 1696 wrote to memory of 3712	1696	202401067ea71f3346da281548954a6193115bbdlock.exe	1431
PID 1696 wrote to memory of 3988	1696	202401067ea71f3346da281548954a6193115bbdlock.exe	1430
PID 1696 wrote to memory of 3988	1696	202401067ea71f3346da281548954a6193115bbdlock.exe	1430
PID 1696 wrote to memory of 3988	1696	202401067ea71f3346da281548954a6193115bbdlock.exe	1430
PID 1696 wrote to memory of 2680	1696	202401067ea71f3346da281548954a6193115bbdlock.exe	1429

System policy modification 1 TTPs 22 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	202401067ea71f3346da281548954a6193115bbdlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	202401067ea71f3346da281548954a6193115bbdlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	202401067ea71f3346da281548954a6193115bbdlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	202401067ea71f3346da281548954a6193115bbdlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
"C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAUQksYY.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:388
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1104
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4520
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1556
- C:\ProgramData\ZCwMUEEs\mugwMgMM.exe
  "C:\ProgramData\ZCwMUEEs\mugwMgMM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2788
- C:\Users\Admin\lkwEgAgU\WIEMIUgM.exe
  "C:\Users\Admin\lkwEgAgU\WIEMIUgM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:884

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:1348
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:1752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1844
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2780

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:4524
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    PID:5056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4428
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:2040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4136
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4004

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:4312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3968
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:4832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:1476
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:3340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiAgsQYo.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:936
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:4276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4048
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:4496
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCoEYsEM.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:3652
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiUsIgUU.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:2312
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGgEEsEs.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:548
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3684

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:624
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:100
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:4820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:4660
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3032
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:4588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIMEkAwk.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:5056
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCskQokg.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:848
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2388
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:2800
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:548
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4800
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioIkEIAc.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:100
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:208
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:3728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:1696
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3180
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:764
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:440
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:3428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcYgQcwg.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:936
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIcAIkwA.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoQMsQIo.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
      4⤵
      PID:2532
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4044
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEMUcQQY.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
        5⤵
        
        PID:716
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:3704
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:1260
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2404
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3428
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:3112
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:1096

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:3512
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    PID:4424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:3780
  - - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
      C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
      4⤵
      PID:1728
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    PID:2360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:4424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2444
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1016
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4424

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2768
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgQQEwAg.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:4464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGwkkcco.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
      4⤵
      PID:3520
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:2320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeIkcAAw.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
        5⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:640
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:3604
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
        5⤵
        
        PID:936

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:3508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:1180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4428
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:1352

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faYMQwoU.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:3076
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:216
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2792
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueIsYYgQ.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:1520
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2108
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:852
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:640
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2608
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:4124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYUokYgw.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2884
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2312
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:1692

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CckQcoII.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:432
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1260
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1108
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:4044

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:4952
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:4076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    PID:4004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4072
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4732

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:952
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:4480

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:4732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:2840

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    PID:3056
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:624
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1180

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    PID:2460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
        5⤵
        
        PID:2104
      - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
        6⤵
        
        PID:3732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3616
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4252

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2308
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    PID:3504
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4424
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYcUcQUU.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:936
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:3504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkQgwcAI.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2108
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2400
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msoIYYUg.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
        5⤵
        
        PID:4036
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:3428
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:3500
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
        5⤵
        
        PID:4424
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWQcQkYg.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
        6⤵
        
        PID:4004
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4052
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2128
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:2692
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:1964

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:1108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQQMcgEU.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkokEokk.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGYMwUsg.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
        5⤵
        
        PID:1016
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4780
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
        5⤵
        
        PID:1504
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:1308
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        UAC bypass
        
        PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
      C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
      4⤵
      PID:1232
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4124
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:440
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1104
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:852

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:3400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcgMYQgk.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:4496
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1740
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2764
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKQAkgoA.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:2356
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:2800
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmMkgAIE.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
        6⤵
        
        PID:4388
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2780
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3780
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
        6⤵
        
        PID:1900
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:2780
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:232
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3616
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYMMIUgo.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
      4⤵
      PID:2344
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4040
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2444
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2220
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2024
    - - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
        5⤵
        
        PID:4052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:3616

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:4504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DokwcwcU.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:3140
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3076
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4052
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:3336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nooQEkcw.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:3616
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:724
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4528
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:3180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKoEEEcE.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:3140
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3500
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4528
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:1844

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:4944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkEYcgUA.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    PID:3428
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3076
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3428
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4980
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4072
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAkUwwoI.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:3624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASgcwcQk.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
      4⤵
      PID:3732
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3604
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OawYYUsk.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
        5⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1180
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmUEEYcI.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
        6⤵
        
        PID:1108
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3856
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:452
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:4040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
        6⤵
        
        PID:1096
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1104
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:4952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
        5⤵
        
        PID:1696
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:4528
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:3180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1756
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuIgUEUM.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:4980
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4504
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    PID:4128
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3128
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:4424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2780
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3392
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HecEYIco.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:3140
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1180
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCUwEIMs.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
      4⤵
      PID:3176
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4056
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        UAC bypass
        
        PID:440
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2084
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:5048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:4268
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:2768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4076
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:4464

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMcQssIM.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1756
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:3112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuMcUIIg.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:3180
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:440
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:636
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:4528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSIEIUAw.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:1756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwUgwggU.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:2840
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1740
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAIcwYIw.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:396
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIwIoscw.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2980
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIgEQMAg.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
        5⤵
        
        PID:232
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2128
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3500
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
        5⤵
        
        PID:3180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UswYMIgg.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
        5⤵
        
        PID:4264
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:3576
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4272
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:3216
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:1504
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4944
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
        5⤵
        
        PID:4304
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:2580
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RikIMIYA.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2716
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4736
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMAgkUss.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:4304
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2608
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3500
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYwMwUYY.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
      C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
      4⤵
      PID:4980
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:2104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqwIwsQs.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
      4⤵
      PID:4072
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:1520
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2400
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaEssMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:2308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWUgsgMA.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:2128
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGMcwsso.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4528
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4044
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWsoMcIY.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1696
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOUQUcEE.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:4044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeMwkgQE.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:1700
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1308
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4528
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYssUgEM.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCEwMIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:4952
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1308
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwAcIssI.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4064
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:724
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - UAC bypass
    PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:1468
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3032
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:3508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCkkUMcI.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:4044
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2584
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2108
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2708
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:4716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEEcYgsY.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYUYQkUM.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    PID:1624
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    PID:3988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2984
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:4756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYkEwsYM.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:2220
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiUMgwsU.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwQQswsA.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:5004
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4736
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGEgoUEE.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
        5⤵
        
        PID:4740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCoMoQkU.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
        6⤵
        
        PID:1644
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1676
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2460
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1384
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
        6⤵
        
        PID:4240
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:4944
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
        5⤵
        
        PID:2408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2732
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bckAcYIc.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
      4⤵
      PID:4044
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2328
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2304
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4812
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3180
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1388
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMAsMUAA.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:4780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiQMswII.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:4072
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3112
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1976
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIkcYgso.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1696
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4052
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:4264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKYQccIc.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQEgEYkM.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- UAC bypass
PID:3112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:1696
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkQkQAQA.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:1696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZskccgIM.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMEUUkoo.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:440
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:4936
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3108
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3652
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1476
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4716
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIEYYAkg.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:1504
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5056
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4304
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:2444
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkogkEoM.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSwQMscE.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    PID:3260
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAcswswk.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:3064
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
      C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
      4⤵
      PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:2692
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:1932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQIIAIkE.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:2800
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:3764
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2944
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2388
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:964
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Suspicious behavior: EnumeratesProcesses
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGUIQYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:3484
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:2024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:4004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyIUoIUs.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgwQEAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgocYwYE.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiccgwEo.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:440
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2984
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:4268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:4428
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIocYsEA.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2768
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4276
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:912
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4716
    - - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2088
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:556
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3456
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIwIUUYs.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GeEYYcoo.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkUEYMEk.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:4272
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4496
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  PID:208
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:3728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:936
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIwggcEI.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3456
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4832
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:3428
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4272
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3060
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3728
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:4024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:5000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiMAcksE.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:100
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
    C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
    3⤵
    PID:852
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgEcEcUA.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:4480
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCUQkEsg.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:4064
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2524
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:4500
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2944
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:4024
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAQAUcEQ.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:4136
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2796
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2360
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2168
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1696
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEkQsIgA.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3788
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
    3⤵
    PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCYgUgsY.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4492
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2980
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
      4⤵
      PID:1900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgcQooYI.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:3624
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1388
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYcgYkQk.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:4048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgAUUgos.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Modifies registry key
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3576

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMIsEIIU.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2000
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  PID:4480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2608

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:3216
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:980

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:4276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4040
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsYgsgoE.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4452
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4940
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:852
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3276

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:936
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOMAUYoE.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4732

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:1328
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1696

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 8994c99dbf01802604804af54b34a08c rPOIkCvDfESBkxv1eqUJXA.0.1.0.0.0
1⤵
- UAC bypass
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSsQgwQw.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwAIYwos.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:2332
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3624
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:4276
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2944
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:220

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:2056
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2524
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwAAgcEA.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:4040
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWcUUEgY.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  PID:2680
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:3988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3712
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:2344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3484

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:1384
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIEkYcsk.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:2332
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:1608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIcwcwQE.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2692

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYMUkwgI.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1680
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  PID:4492
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1680
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:2656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4884
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAgYQYMg.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:4776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3340

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
PID:1348
- C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
  C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:4024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- Checks whether UAC is enabled
- System policy modification
PID:100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWIwcAUI.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2636

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWwMQMUA.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:3260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- Modifies visibility of file extensions in Explorer
PID:4056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:5076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgQIIgos.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:2332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- UAC bypass
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqMMEUwE.bat" "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe""
1⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock.exe
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock"
1⤵
PID:844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1520

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- UAC bypass
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\windowsdesktop-runtime-8.0.0-win-x64.exe

Filesize
722KB

MD5
757b635ea5e71c4d8f6407b15afb01f2

SHA1
56ce0e134b0690960a535f7a6de644f85299d600

SHA256
7227377acbb1cf1cc409a8c09c05c6251d2ba9943238f230e356c696fcafd2b8

SHA512
d3fa94f58c9ac1e5d448ba3e70557616db31a9b88787388da2d826589a2a416aac34b1f205dbacd63fa2922189d528a95a0451ae18d190da2a8fcba1520fb483

Download Submit
C:\ProgramData\ZCwMUEEs\mugwMgMM.exe

Filesize
109KB

MD5
a307e33fc5867c83fc6dff0629a588d1

SHA1
c34d261d6d82abda016e76a61fdc461248f649c2

SHA256
ab80395b385593daad4690fc391c219aa20a142cf5a27e22a0f4745321ced4b3

SHA512
ea5f036c166d124a68865b175b8762036dc7a40f50c5c18a3d13b11c6447736c4d7fc300fb93c705b2500820fc1a4431741d672c198db0e1c4cd3b4b0894e5dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

Filesize
127KB

MD5
9839bf7f49508a5d828f2572e793e7e6

SHA1
7362131834182398902cf6bec5aea6a5453d966a

SHA256
2289330a909aea8354588b8b9a2a8d1b59005ba15f11eba032c78c44bc91f629

SHA512
5f7cb731511de9dd91c3cf7c68c86c9a471b2ecbb70e7eb10cf817a1ad2196b5f0d495839b226dee87c1115ac2c5b336a7eaea3b278c696af9a249a64f062ec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

Filesize
113KB

MD5
0ee6e933ec5e54df13bf122a8859d552

SHA1
918271dd91a61eda2d01411cbf67b8e56746ec76

SHA256
b1c944579f5f7dd4f35e3da64907664efc82821dd29e34fdd6455a5a9d68255e

SHA512
2659cc2203dd0ff203edf007d64d2ba4f9ef4c9108b1797172de7d72ff1908bb7549a5b10a2406af2223973f836d919823b254d840ecd0b091f6ea4ba8501272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe

Filesize
111KB

MD5
70a85d853b0dd30e92fba04cc9b28cc6

SHA1
3c888b442e028770916c371e9026c7f2df9e1feb

SHA256
521f6d582904dfc6ca8a7d85d4c986a0e60191359a4b39c856c1da099f1fb192

SHA512
a03cd986b526c09d378b03d61a9648ead1ae7d48a393b9535032632db821dc6de54ffe9da8c421de8a38b4be17dfe15a46ca3bce5e1c04b10768a23cd4cae0b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.exe

Filesize
110KB

MD5
474e763fc5d4f8c4d170dae6e423bb3d

SHA1
1fae91fd5cd7c3d8a81f17525866baa33b8e5d2f

SHA256
9758640411ad830cc58155078638d1f4b97c8392437f25e82e96afe613f0c79c

SHA512
1c401a541be9e39ec78247bf50b5db718ef430683d84475fe6a88ffadebcdf8356f4d21926c9dd17497ebb28f5e27cfee4f06fefd5a44d76d727545bc071c130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.exe

Filesize
110KB

MD5
ea12fa7bddb61c3f41de741241fa03ef

SHA1
2103115b11460deed87808f3ba42f02a89d0757f

SHA256
c5609cf02236bab921689940797a7a15d9e886810e32fa0efd2a11edab648686

SHA512
0923a795e1857ce3ad5fa33eacebcf25d63932d21f028ab94490f8b2dc5ce7d2c67fc7e9e6b2cad5ebf6c26a4af480bee125aff877c3f176786c04d40afc2b85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png.exe

Filesize
110KB

MD5
4f88290688637316243f4ed5d92dfb81

SHA1
f48cffe8e26387929578331fbd78334b15b53f6e

SHA256
cf2b3a928231c8f79d83b701f0ebdb6498be9173d08baf3c3078c92381bd5c93

SHA512
7fd888b01d98745998e616a5889ea5d536d9e0b560d8d8fc11558ac1c45e3eeb449290582857fd35dc0f321382568719df4e60c39f41752d4adf267f753e1c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
111KB

MD5
393154d6326acf5de9e7b9a178538128

SHA1
9ebce5613716cec1f508f8911d58ddf7c5cc6e33

SHA256
0627417208d68154834d6544df5bcdbf8a0f864615c90174a8d2656f1abc3b1b

SHA512
f0f2ad3fff9692b3c06d1a506343caa40f86ef2e88a07cac43957a3b77306d3f91ab79bed884f33dc09d2aaf9b0a6e189f6d9ef196d652aae1b76cfc39e38486

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

Filesize
113KB

MD5
31f117dbe732edc901e59891fee51c3c

SHA1
c3c48ca3d5208691729e0e7ca4491ae91d56822e

SHA256
0c34fd46e490ff1c4ab944cf5988373255e37a1ae711f28c3f08b502963058ab

SHA512
e26aa588ea15d065d2b7ebffeb430e6936bf14e5e85b550ff6526e0818afb2b88c09c02534107223b63b833fc91c46ba18b4fd1ef828691af3288ca490b37e74

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

Filesize
111KB

MD5
c47042342c3b9cd3874af6bea5b6b661

SHA1
6936ea8b026bfc540c383597e6c3a330a39983d7

SHA256
ae4476ed9d93b0f260f37086303432c19c07852eaa3b7ace6fe50e35d77d8ebd

SHA512
59c3b5897c332ff26309858142e70e1d650c5dff7ead67f187a679e93b9ba01ca708b2e898828333e62e430436aa0776ed1f72a449b653b87127a9e690562750

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
112KB

MD5
ab5e3af44961bbb26fb903058122e1d6

SHA1
15cd5e505f241b624ae5478d8dbd866c46799478

SHA256
4de0fad4840d52df6a9ac401ba8290c6e44092f2a1c74d0cdac943c6eb5f6ebb

SHA512
3e21768aeac5aac5cccbc01425b3f845cdb0913b3bcafbe19d1ad87ae6ab94d1f9f57e94d077836344bbd272a72b1e0b0e589672237e1a4f27df68ce1470d186

Download Submit
C:\Users\Admin\AppData\Local\Temp\202401067ea71f3346da281548954a6193115bbdlock

Filesize
1KB

MD5
29c399d2467ae9540e459d333227a38d

SHA1
a8e2103ce9487dcaacda72dff2625d77181d82c0

SHA256
37484901eb40eefa846308e1da3ff6f240ea98f769a2afc3cf4fdba00327ecbe

SHA512
e9ea4e4a6d6cdf0191691b511965643de66a275125a97e6c3c5a6df549623c307ac386a729faa7b41e23b6e05c2363a803f3990c38af9fe5c0901d216c547906

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEEK.exe

Filesize
117KB

MD5
8cd827bb5473ec78ca299bf4ee686d68

SHA1
a08bc393beb2cf66fbc614aba15759e0fab7bcd6

SHA256
f7fda02e4aaf953dada40c2140bb772826a32e72ba36e09158d27d39e2e21edd

SHA512
612f4f32bffe088adb12dadcb05356d53702d11fcb796c2f5ab12fe813d2ff0700938ba7ae0f188c618425870df07ab0bddeb8bbee9f5e82cc8aae19ed730093

Download Submit
C:\Users\Admin\AppData\Local\Temp\Csws.exe

Filesize
110KB

MD5
faf7ec8234b345b440bc547108c93577

SHA1
7e3f4f1f6ee582705a5e94b1445bcde3df0ff2a1

SHA256
295e1a283094c7221ccc9f0007c74d44bf8e93ae457bc7c66bd9d82729306e7e

SHA512
52d62432fc4b7b2d4c3700f11f94ff35ca0f422081170dff71f1492f4c4697a3fe8c98d2e08109eb256275b992b1b12adb97c6052949552f041b7f3d1c7163f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsMY.exe

Filesize
722KB

MD5
156618357b53bcc5b7450e377d2e1592

SHA1
f4b210c8516112e7ce80ac6ff2fdb8055bb69536

SHA256
019492be7a98e5e98cb9253f07e510549ed88c4a6981e65d21f4ce463613b6e2

SHA512
526392cd2d26cec1befd2b13d1c689b97b01d10ed160eaf9154868b9ead4815283949b40d72075f59c27e0d1ce9da93b60df61f24016843989b5792be6fbfd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ewwg.exe

Filesize
116KB

MD5
733107f3be89ad584ba11531e340c965

SHA1
56dd1da106957f859a985c59c6ac41b681cb61ac

SHA256
37165290b21814f8ca46c26cd3b907163fd714cf7299014892253a7d04cdda87

SHA512
279a71f7a956d90fad398c3b9aae71a171566e550f3d2c4a38684433a50e1cb68e26a76d87c470e2206da91001a881bf2b13630756e1dbd29bb6c6912bc79f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IokK.exe

Filesize
139KB

MD5
fcd10a5c975c44fe211748dcb5050e2e

SHA1
eb11ff7e74f18458765dcc934f0e04566a45cf71

SHA256
522f93bfd4eb6d00a66b9d349471c5e8c689e23a7637408dd1833abad89364de

SHA512
b90ad12a10f0d68d6d5379c1a5bb1f2414f5983c9c1d2ae124733ddfeb0b484a6cde6421fdcf2d05fa6ab4fadea0faded873030a2fb970259973ba3a77849786

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwEo.exe

Filesize
125KB

MD5
46b12d65f8c3e5574466dbfc8e3ac98e

SHA1
e0728ff79cb3564b4aba9d919c2c910f44ae1266

SHA256
367ee64a2a82534234ddbb049d66a858c407edfc7decf75ae9a1b8f9e2ff07e2

SHA512
40e145429a04bcbeb44ccb1d7d1a27f65e3b6a1983a21fc2e311c22a5cc1ff293edeb684492428b3558f53e6c88e1afc90288b49d413b10aae418c8d06792342

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwe.exe

Filesize
114KB

MD5
b1053597caa34667536f5816002763a6

SHA1
53f497519ea6caa7c180cab439edab84f9d44bdc

SHA256
7968201770ebbb3cfe575003b18c4b9fd9884a34967b0d5c789b16bdb0ba1305

SHA512
51c797ec374a2277dddac70606a6337e646d42d6b8eccad254ee10802f1d5b292b1d0678bcd450e295ba384554b3bbb0a36c7673c132386bdb4c852d5e98fe11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgom.exe

Filesize
111KB

MD5
2f4940720f7e24b264af7e9b8e62f4e6

SHA1
6aebac26e1ec49cd3732a20609cbd45cb4a3ba43

SHA256
905dd9f61dcb0e972558ccf9ac0afe1c351fe8daa69d30d6184a54caae107b3d

SHA512
57aae0d565a62a5e2e009598acdbc4ea6fdd50327c9c0cff6650efd4db0363f3346509302edaeca5a177cd4a652f7b6bbc005eba0af7249bca89c33459b65e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgoy.exe

Filesize
111KB

MD5
875da143bb0a7c1cc5d244b50b765a4b

SHA1
faf4ab64266bbd06994ca927044e59c978d17d25

SHA256
13b78585c01f53ea8ec8d1ee981b800385a35f29f101637623aab4ae34c6d07b

SHA512
3a3fab07fd408b80d4f5a09e87a381fc14278f943399897581d99179cfb1bc7bc0e72853c9eb4916cd36e97a6a2f83c4e982b79bbcf91428715230dc45289c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkQA.exe

Filesize
111KB

MD5
b5ba893e00b02da4365b85d7c3d3a5d9

SHA1
7b86c46b96933d38ff43f76758f12b160f619ec0

SHA256
b52d5e51bd32cce08f7ef06ae2774d119c436b8212457d1e6ec8fdc658837a94

SHA512
b73bb2cf28dbd1eef83c1f8d2898a40e785426ef8fe09f0ce33db4aee24e06d7abf8a51b9ea543ebfffa24c6bc39275dc889a9e85103fad7eb0e1b09973a2daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUkK.exe

Filesize
112KB

MD5
bc8730ac7640630c41c3aba31339a300

SHA1
fc2524f23ec427a7e931f2bac7da09397f5e5403

SHA256
4711a7fd44c7d32d1a799c8c6d55be6708cc9d8e9bbd5241df9ef39a817c520e

SHA512
b894f87a8086eed9bc17bd7daf4b4505e6c289726c0bdc7ec1f6623e4e91e0d2b0bf2ef4a1b4d7d3eb596682d37470126b93f402290a240f4fe01f17b9a839f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEou.exe

Filesize
512KB

MD5
2a0bc39ecf2249da7dd4261af31615c8

SHA1
452cfc9f30594ed797a8aa3921cf15c06ac89b27

SHA256
8812e5b393c1d97f589cf28b868c344b27e3cbdea77608920c9ee0a427e8c719

SHA512
de0f5f17fd5d037aac7718b63ed2aef135bb3bffb7b62304108c28acfe820ca73397e6a5a7606b4c8a1d2ae4e8c48c130e4db090fca1aa434e96c69a4ed3d9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAoM.exe

Filesize
120KB

MD5
a2a7801e1b8bf0d42560ed77af5967b3

SHA1
d1f306fc9b4356cbdce90cb9326fa708a9cce862

SHA256
1487fb980e98e4a88c81da25d753461dd2dd582123ae8d1f0d0b67be6e1f93b3

SHA512
d604c7babc98386b3c206997874c00353160b0fb1383f02ef1e93789ce50bfb456b1e46518dcd015a3c1989e1ebbd74d7311c4ab8bb365a555ecab2565e8e074

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMQi.exe

Filesize
111KB

MD5
d6d47cb143e40418e364c9e515467505

SHA1
a0db37e261c11e23bfadc997058b9413d39ef7d1

SHA256
9abb9f51f8cfee110ec000f7655a41c35733503d638cf953d409564605398e44

SHA512
96989a81fcf3577ca7c3ab3ce3bde4fb37daa1948b03364f7b6020ecb7dbc3cc610b4202842f8d2cd82121e28b115d5f52ff7d8f57827b78e2d6a0ef4e78554e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEYa.exe

Filesize
137KB

MD5
ecfa774b32f16033931b8bf44c34a6ab

SHA1
bd2a65070067a3de544a903ffe8b86f6a44ffbe2

SHA256
64431857339b38e52bf689a39a3c59bdde7c023dd80f6523326c0faf375a8eaf

SHA512
dd39ca536a96195b87a75c3bd0caae19e394772332446d61ddf494d1fb648947a7cd93f7c250c84d0866b2f8886c80428d4838f121fffac9682ea22b02721cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEow.exe

Filesize
118KB

MD5
bd82f607443b3987a9e40cc90daff62a

SHA1
02b0e99f4322fb052e4be4d6aaa89cb5a2f6aeb4

SHA256
a63915cd4bb6c5795435173f04fa0057f708e2965d24d72e8d709a048b9edb7a

SHA512
2cc79991fff21486cd7318abc9c25f1dedee6f526e013efedac92089791c4773a905b8b7b1e7bbc6f6dcfe44e463a22f857361148905f27f2dbad3d0b46ff41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAYi.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQQe.exe

Filesize
113KB

MD5
9beff155bff0e7dcb14ac902c3270a7f

SHA1
c3686afbcabf121ea879e2c490245d9c7688e29a

SHA256
8b9ac92ba3084d8d1b02f568ba846c0f9b451115abfabf11174231e4f468a023

SHA512
e748db41ebd6972ae8e68eb0f09360806704cf53deeb809bbff53be87340c02f4e32802f8b1f5a0c51fae53b52a8b1ee3d485633e8f763402a540936e0cb30c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsAK.exe

Filesize
565KB

MD5
6e03a84153bc3c9d8e4942c0690d39c7

SHA1
3c6faf39b061dcf3b5e2d9ed44235635758dd87f

SHA256
58b63d36929dea07a76df79684b6160cb2bb9698c8c9f027cbd5cbc45c17a7e8

SHA512
abe69afa7f7c7bc336c3319c008f04e81dae399d4b49485c292fa7a64bf76d05308973e5df48d004765bbe470b8bacbc0a014486b12dc11b6ea9ed9ec8aa0999

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEsa.exe

Filesize
112KB

MD5
6318d1cc46e546979c552e0ac503aac6

SHA1
097f07926e6f4af471bc50f650885d481ccc94ba

SHA256
a2c63dde79774f2a70cadd8d97aef22ddac5cec02256504b72e99c735c2da035

SHA512
ec5279c552ad128263b0dc8d5eaa47cac4c603daa3a38f02d45d6ea53528fa56718830dfd00e3e4973230bbd7c2f8978191cc53c7722d562d8b576c7039555f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQMK.exe

Filesize
111KB

MD5
2a52e53d92e9eb868ed0e2e961ae5029

SHA1
245742efdd1640b1d3cb9ac110f1a72fd428c715

SHA256
76b8acf4b3bc3b6f6af33055f48a2cbb15aebd7bb717ab79b38a7dddcbf3ad68

SHA512
68b2e2a0e1d51c2c3883dd026b9768e0fc26c7d022850cfa8b0912fc78250cc10de2240dd6d8b69b2f8ec6d3f9b444981a156ba1be1a563a77787e9cd7c0f8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoIu.exe

Filesize
113KB

MD5
62cd4c829e0a56d81b49cc6940d23a6b

SHA1
101ae38b8a76773d38cb06bfc8b681022d4bc1fe

SHA256
9358603ab76f6a25bd0c4dba5563448115d5fe217860e066636e1070799f769c

SHA512
91cf05f351a4d6cfd174f371fc5ef192ee5c1095872b634b52e660c0818b5502ea609969e9351974a15f2d7b9f5779391ff3abc97bd1d8f6f7b69f96435c85fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYcQ.exe

Filesize
120KB

MD5
345d3df2f9b4a1cb9fbe51838d2ecb97

SHA1
a52d60cc79739ee31d97be10ffe049691c76e6e0

SHA256
a9c013420a95d0ea137301a0c1af7c0d774a32abbf4509b0f74c00878c4c4d40

SHA512
1546eae4806f541b533085038b789c7ba6791db28110b335895dcfd678cda09ee08ba610ef1fbefab01ab31d8d192e3fdba226fdcd29f2a93dee920e90ed3c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgUO.exe

Filesize
121KB

MD5
2f44a153c6160d3a0904ddbe4eea4789

SHA1
7b41ff582e4dd89bce7bbdc3147bd18c08927018

SHA256
2502d2edd7d900661f373d5799ae77345eda2681284c0d7fb6e75515fd4dfe40

SHA512
6935bdcefb8bee511a491c3bc29fff0f2715380f3cf07b7c893a4722763c1f931254fd014fbfea4e17a0453288f40175e649ca7d0b80211e453336f4610d2654

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIEkYcsk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\awAe.exe

Filesize
697KB

MD5
71d10fc3c1262a3d8bb1821c7363dcab

SHA1
af0bd690e4743480756af97f4c02b551389d888a

SHA256
b993a343b371b4c98401e54d618e9b173102b3d6256bc58432ebdf2eacd4ab02

SHA512
da3040ee60647583ce2662429a345c0705cdb3fdb3b27afae5d53a292d089af7f504e6f0f73913ed45c3661e95ff0ce3b9942804dd6663b79f2c391cb997d1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csQM.exe

Filesize
486KB

MD5
19471978a4be04df4cecad6c54a0abf0

SHA1
7525f6846308214382234f5fd24b29c7cc4d9cd2

SHA256
4eb9e8dd0726805987a34596a6742936705a0d1dbab256443f506826a38c2170

SHA512
042a43a6c4ad3d945bb7f8d0a321bd0f09716e315ae800f1a13d0df4f979ec8ca7c3023f5eea73d8b01c5485be9093418c461c8ce905d054aec590e4960568c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAAw.exe

Filesize
464KB

MD5
239b5ddafbd25b865304ef5780f5d336

SHA1
7fc2adb57b4ec3ad024f3b35cbcb5af5ce8c9c99

SHA256
b23556f4efe2306a3200fc6ed737460b8b6d6c3cfd4ef59c852362ffff813da0

SHA512
5785d66a0a7936120f0e863c803176e3cb7f9ca54c4c15b8769702763bbcd38d120e0f5a9b6ff567703ab10fdb7f7204a1ea901cb31de4035ba2648aa8d06ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAoQ.exe

Filesize
554KB

MD5
4c2bef61eb923dff0d9a4178fda2127d

SHA1
718db752696023d411c396c851aef46995526b8c

SHA256
1a88e938839c4d1212cb0a5f2dcfdb19f27e1c1f61d63b0dd2b3cd0156b63c2e

SHA512
30eb7c06a84ee396876841f3522042b3c6498ce8a36c102557d4b1801e1138f9d78563af2c02499c2119ca3ad63abb14e63520bbfa955d61a988dd51c3af6bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYAS.exe

Filesize
114KB

MD5
20d6b56acd41d6bbe3d1fea6fb036039

SHA1
b09d82a709271046d8569e90b13712284b9873c8

SHA256
17f2a91d2b05603bd8848f4cb35df8a53668f16350bb2653178046085404591a

SHA512
3283b1ca1575dfddc529b842dd5f946461c25bf168fa6dedd40e88c3ba8e61f25623b266fbd2b7c7770b1be9acdea966c0327b937fc76f780b48aa4e51b9fa4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioUS.exe

Filesize
116KB

MD5
8c695930e2dcd8ba617f46538741afe5

SHA1
f194af538f89090b12b78754d8bcb4beb2bc3ecc

SHA256
216e15ced8bc03f33f596d2434d5aae5c7c837d0558dd55f6ecaa31e1ffbdd62

SHA512
a74a3bcd8679d01e62f81205e04ecad3c3dc02fa3798553f9502a7181bd53afd060ee691292ae15fdeb92cf1df487ab9595dba7bbfcc6b76fc9f46fb1030f728

Download Submit
C:\Users\Admin\AppData\Local\Temp\koki.exe

Filesize
111KB

MD5
0dffeb0c831eb626222d0884815ddeae

SHA1
6c1830e46f1ccad33b03d0f705bbdbe8ad39bf8c

SHA256
0f27cdd2fbea266904c0750c62444451c4d6c566993421afea6056f4b6a0ae46

SHA512
2179f406f520d4bb3a870441c39c41377d013d36cf8d410a7a2deb61b88a89d24e6ec00bbbb1e77aa072913500878dd7ca4aee479908a8661f7ff6f624905fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQkK.exe

Filesize
111KB

MD5
c5141a4b21b75981ec5c367a1c44fc0a

SHA1
482d41f6837f98ec7f1bb7231eaf5ca9044c6dae

SHA256
a1b79a6991959481f77b86505b5cd3e02634bf8f03f8e8a625ba5642c9e8ba57

SHA512
e48f0ae90df7fd1fd218a20d0ecca74d626a677fa3142fd886d0206fc4f647c5e6dcb321fd76126b88d1241cfe22bd203b104b14c6251a0adf4950b9c86b451f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUYU.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYgy.exe

Filesize
112KB

MD5
71baba39d7663878aa6a996a4807dd9c

SHA1
768a8af12d6f57c7d38d3327b5f9f208d7de0055

SHA256
ecdcfb9c61d4e3bbfa7e8373defed96d1a65dde0114f5ecbfe84ffd0a107b4d4

SHA512
6665e8e218f2d328efdb66a64f427a86b5be700e8a1b993590e53cdec68e853e8ca7df09653f4ac24f5c7cb6949b69e5a0a4f634d557916975ced4c80e8e094d

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgI.exe

Filesize
347KB

MD5
54bd0428d7f605e228b5ed34a611ec26

SHA1
a38d5e1c07f863506bffce55c8591b0d68efd1a5

SHA256
a27f31da7b1019109e45bf0fabaeb480b0ee8ce264cc2709dcc60b737848f02d

SHA512
e733a7690ad1452b5b4471ac1d265b30852d9be8e16eda9d4ee4fce40709a612d5b70672625950db9ecc33597c685f5f91fe31c97faacb67c04d849027188bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\okIY.exe

Filesize
110KB

MD5
264ce61d141449bd4a12e6eaeabd497f

SHA1
87069b356b0542fb8583b60703be1a83100e28a4

SHA256
bccf5df22e70b3eb774f35d05a0fc93bb1000a04014e9f16bbd4cd5cd9347fc3

SHA512
77064d72aaa8ef51608c6b90f5b6b1c192f53528644a488e78ff4bb79828588cd86029cfa047a78bc9a7848e08823dc39d2df22a29cf86df62e7175999043c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\owIy.exe

Filesize
563KB

MD5
999b110dc5acbace945a81bf8bfffee7

SHA1
4ce8ae19404a0a30f02461637c27dba13d31a6e1

SHA256
aec0812bf20930d7a4668b3805420ec857af1c605ae084cfd7dbec6e2528ab16

SHA512
74a4d9e96d020fe279e1b001841c372b17832ae45c77907a7cb6744904bfc8b40c37115963847517e9e54b292218f6e7cb4f5d3f6e721efb78ac1345d8f645bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIwm.exe

Filesize
110KB

MD5
980552e19961528f05cf84ad88d78edf

SHA1
520cc87ce1a3dc14c072c3c6beafaaf51e347a2f

SHA256
09ade1a6fed59b2f47b89bec1ff34873c6c779ff645a919f86288ad42e827a82

SHA512
2c673415ddb78917399cbf3e580c938e6498dacdede269b6ff44a4d72595f683e1999edf484a3c771534e2e90824b6ba55d091cfa2ff4d135b1ff036a70ba4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMUg.exe

Filesize
111KB

MD5
16b57d0708c4e83813b27dcf93d12f6a

SHA1
4d73b5bee251d55a3044de7066b5f5832ef38de7

SHA256
ca226b4f3fca24ba82a679698fc6fb5cfab8100261831de9bbb50e8327120367

SHA512
11e7d9671da0124e22bb30a84d1ce67d352425e6379b8a3f0e993500705dd0c7db820e036cc582782ccb017a97fb860912811a1d382f55486ada858f8bcab478

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMYq.exe

Filesize
241KB

MD5
1cd8492d4e27efd1c65f2226e46bb56c

SHA1
cb0dcd38ea1eb6af51cce4d38bb13d744b5994c9

SHA256
e8921f23507d050539819de48464fa5c100f85213e1ca3d8b37eca1599f70722

SHA512
634a4b6228c1e790db0ec899337cd98259b5e55cd49a887ab1e4d8541e486b34eb34eb9e2f797851c68995b42bd1ea23d4baf5c115386562e1b734f0c454f336

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAYM.exe

Filesize
114KB

MD5
6b7b7169da1007f7696091ccc1b12816

SHA1
3fc3af878ab21dd763b2033f415a44a4d6714d51

SHA256
8995a3ee0b1052cb5870c89f7cf06c1feedccdaf3f97f4cb22adb8970326695d

SHA512
1ce2085bd5662c4ceb5d931d17dc3ff2473ef4269b11376452933e574eadc299d55063134194d2e938d4ffddf20a766a2753886284c03e385b4f371c3d7585dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIom.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUki.exe

Filesize
116KB

MD5
f5d0fedc23107b52b860051e21eee4d3

SHA1
058c91e7da80ab4d925886a91ef5961da9d92799

SHA256
79a440ce7d2f834e1bbbbb1618002cd11f4bb1cd4cb4312ce3e2941a86045e00

SHA512
063ba2eeb914dc6b1cfd6f8c45e2e346a3b053cf69de3fc876d8360ec395cd7b772754f7fc3b67ea4b41c784d94d1fcb7c9e925a327956a54c50104b844a5b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEoE.exe

Filesize
110KB

MD5
8e00abefe2710ced8a5e99c657fb2414

SHA1
199cad20bc047d6154c61e2039131f1a5bd40d37

SHA256
23767e1df9878568b3e10bd23e3ddaeabea6f90ee65ee5f9e8c437551ae14359

SHA512
aa403f01ca47a5aae47af60e0ce54cc86ee546dd0207f79f63aaaf6b27207c4581400526ace1d569f9139e3998f497334209581c8eb9df8fe49da51ca818671e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEse.exe

Filesize
5.2MB

MD5
17c2f7395e756e9fb73543ee4015a544

SHA1
6578c650e437108bbd38ece9cde763a566955b16

SHA256
b7e3cacd97f4cde117f9716904b972c706842d2797d6fcaad7e08373ce55a8e2

SHA512
ab91726eb199784486fcc24219d2ffe016191054dd38eaf1a6271136db1daf66524e5be5b47d5f5ba0e2b8d7d2cbaba5f5806631cc3362879070391097e0ae03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugwO.exe

Filesize
114KB

MD5
ed8fcf84abab7e06b75a40e76b747d9e

SHA1
5935a353a7d47d0d393479190ed43b0f17630636

SHA256
764e3ed97a3f264db47087e380a7d20ec1cdb64f45a7a0ece44d6ddfd8b9430a

SHA512
34f82504f8970547179fd29133063647446908aeb2bb829ce84061bb82f92e9aa2dd9a332c24250aa3ae2877a23f32009d6f7be6b085a58fac8af2dcae2accb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcoA.exe

Filesize
111KB

MD5
cbc69c3d77d850baa2b037f0a6fa66f1

SHA1
92c5d7ceb04b696545c82ba09c92f27f42480984

SHA256
bbb38f7df97e347335f9cef245b67d1596177c3ac2f992d0b39ad1e817448321

SHA512
9d495b9e6cf4e08279e20f637d58a76eb656825553f0e97691d16c0797446c72cebe0147a65b833eca3cb0146f68107b04cdbdba9da9f9a8390607a0f23afe6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykIy.exe

Filesize
116KB

MD5
0f178a468858c472c525d972573d8017

SHA1
89ab56768368215637966d04e4a4457abab0488f

SHA256
3a4d4b717d898c4ca1c80525c790a4b99605a771b7af8f67ff9163474310431b

SHA512
95f7828bb589db52d1e98817df05b4d3ad0d0a144c4a62e8953b6a864388879049bc185e1fe5a0e0c6c0138bf8b2b049b9f64bc519f2b21a93837f7f0e159988

Download Submit
C:\Users\Admin\lkwEgAgU\WIEMIUgM.exe

Filesize
110KB

MD5
5769b52e11c8390b68ba6c8e9f267d42

SHA1
b6e1c69342d044239c25ef756e607b69e92f788c

SHA256
f73145e3539740b1aff79fd2a8a9271d8d5dcea0332aec08095a52ae054bbb15

SHA512
cefe80ddb9a2c3e8fbeebb112fa3c2714709acd2a647e71465c8d67df489cbe6239c19ae3eb1a07d29a31b5f4e33fa8773647ad820aaf7ec72621231748bbbd5

Download Submit
memory/116-311-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/116-298-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/852-241-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/852-257-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/872-229-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/872-245-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/872-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/884-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/936-343-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/936-356-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/964-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/964-90-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1120-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1348-174-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1348-158-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1384-253-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1384-266-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1624-186-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1624-170-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1648-262-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1648-275-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1664-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1664-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1696-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1696-27-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1752-307-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1752-320-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2000-194-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2000-209-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2088-146-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2088-162-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2264-221-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-110-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-126-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-217-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-233-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2760-284-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2760-271-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2788-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2884-293-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2884-280-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3340-289-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3340-302-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4024-150-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4024-134-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4124-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4124-122-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4228-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4228-78-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4276-353-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4480-316-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4480-329-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4524-86-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4524-102-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4740-98-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4740-114-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4756-325-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4756-338-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-54-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-39-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4956-182-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4956-198-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5056-334-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5056-347-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download