9402dd1d5a53fc223acb4e4cf08dc64caffe30f1307aab670e4b45140ab5553d

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 08:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

76e64e4a178b337a100b97a277ccb02e.exe
Size

480KB
MD5

76e64e4a178b337a100b97a277ccb02e
SHA1

10bb247e79a628ca30c15e0948b5135cb705f6c0
SHA256

9402dd1d5a53fc223acb4e4cf08dc64caffe30f1307aab670e4b45140ab5553d
SHA512

43b073a63769f9e14037111a1cab1d4a9ffb821aed9c36968e82c0c3c7b208013f9299ba312a66d237c4c424970c24552490d56d84c64e9265c1a0298f427f68
SSDEEP

12288:hBMl99AgYRwRFLXBgKGi6Ggr0VSLKL+GMukhCo1R:bQ9cA/Gi6GgjfGa0or

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	76e64e4a178b337a100b97a277ccb02e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	76e64e4a178b337a100b97a277ccb02e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	76e64e4a178b337a100b97a277ccb02e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76e64e4a178b337a100b97a277ccb02e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76e64e4a178b337a100b97a277ccb02e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76e64e4a178b337a100b97a277ccb02e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76e64e4a178b337a100b97a277ccb02e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (51) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	WEokMgEQ.exe

Executes dropped EXE 3 IoCs

pid	Process
2032	WEokMgEQ.exe
396	vAwogMwg.exe
812	ZioYsMwk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vAwogMwg.exe = "C:\\ProgramData\\pqAAskwM\\vAwogMwg.exe"	76e64e4a178b337a100b97a277ccb02e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WEokMgEQ.exe = "C:\\Users\\Admin\\qKEksogg\\WEokMgEQ.exe"	WEokMgEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vAwogMwg.exe = "C:\\ProgramData\\pqAAskwM\\vAwogMwg.exe"	ZioYsMwk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vAwogMwg.exe = "C:\\ProgramData\\pqAAskwM\\vAwogMwg.exe"	vAwogMwg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WEokMgEQ.exe = "C:\\Users\\Admin\\qKEksogg\\WEokMgEQ.exe"	76e64e4a178b337a100b97a277ccb02e.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76e64e4a178b337a100b97a277ccb02e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	76e64e4a178b337a100b97a277ccb02e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76e64e4a178b337a100b97a277ccb02e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76e64e4a178b337a100b97a277ccb02e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	76e64e4a178b337a100b97a277ccb02e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	76e64e4a178b337a100b97a277ccb02e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	76e64e4a178b337a100b97a277ccb02e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76e64e4a178b337a100b97a277ccb02e.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\qKEksogg	ZioYsMwk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\qKEksogg\WEokMgEQ	ZioYsMwk.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	WEokMgEQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4084	reg.exe
624	reg.exe
2088	reg.exe
468	reg.exe
3020	reg.exe
4060	reg.exe
4728	reg.exe
4400	reg.exe
5112	reg.exe
4036	reg.exe
2848	reg.exe
2396	reg.exe
1796	reg.exe
1772	reg.exe
4420	reg.exe
3020	reg.exe
4728	reg.exe
2564	reg.exe
3508	reg.exe
2504	reg.exe
2216	reg.exe
4360	reg.exe
4344	reg.exe
4836	reg.exe
1960	reg.exe
2544	reg.exe
1920	reg.exe
3216	reg.exe
4068	reg.exe
5008	reg.exe
440	reg.exe
5056	reg.exe
1980	reg.exe
3416	reg.exe
4804	reg.exe
1096	reg.exe
4140	reg.exe
5088	reg.exe
1704	reg.exe
1948	reg.exe
956	reg.exe
3828	reg.exe
1152	reg.exe
1664	reg.exe
3496	reg.exe
3140	reg.exe
1948	reg.exe
336	reg.exe
3636	reg.exe
1804	reg.exe
4176	reg.exe
5004	reg.exe
1376	reg.exe
4544	reg.exe
2672	reg.exe
2124	reg.exe
4316	reg.exe
4104	reg.exe
1832	reg.exe
2124	reg.exe
1468	reg.exe
1776	reg.exe
3140	reg.exe
2848	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	76e64e4a178b337a100b97a277ccb02e.exe
2072	76e64e4a178b337a100b97a277ccb02e.exe
2072	76e64e4a178b337a100b97a277ccb02e.exe
2072	76e64e4a178b337a100b97a277ccb02e.exe
3736	cmd.exe
3736	cmd.exe
3736	cmd.exe
3736	cmd.exe
4948	Conhost.exe
4948	Conhost.exe
4948	Conhost.exe
4948	Conhost.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
2544	cmd.exe
1372	76e64e4a178b337a100b97a277ccb02e.exe
1372	76e64e4a178b337a100b97a277ccb02e.exe
1372	76e64e4a178b337a100b97a277ccb02e.exe
1372	76e64e4a178b337a100b97a277ccb02e.exe
116	cmd.exe
116	cmd.exe
116	cmd.exe
116	cmd.exe
3816	cmd.exe
3816	cmd.exe
3816	cmd.exe
3816	cmd.exe
3508	Conhost.exe
3508	Conhost.exe
3508	Conhost.exe
3508	Conhost.exe
472	reg.exe
472	reg.exe
472	reg.exe
472	reg.exe
2932	Conhost.exe
2932	Conhost.exe
2932	Conhost.exe
2932	Conhost.exe
1552	76e64e4a178b337a100b97a277ccb02e.exe
1552	76e64e4a178b337a100b97a277ccb02e.exe
1552	76e64e4a178b337a100b97a277ccb02e.exe
1552	76e64e4a178b337a100b97a277ccb02e.exe
1644	76e64e4a178b337a100b97a277ccb02e.exe
1644	76e64e4a178b337a100b97a277ccb02e.exe
1644	76e64e4a178b337a100b97a277ccb02e.exe
1644	76e64e4a178b337a100b97a277ccb02e.exe
2456	Conhost.exe
2456	Conhost.exe
2456	Conhost.exe
2456	Conhost.exe
4800	Conhost.exe
4800	Conhost.exe
4800	Conhost.exe
4800	Conhost.exe
4660	76e64e4a178b337a100b97a277ccb02e.exe
4660	76e64e4a178b337a100b97a277ccb02e.exe
4660	76e64e4a178b337a100b97a277ccb02e.exe
4660	76e64e4a178b337a100b97a277ccb02e.exe
2204	cscript.exe
2204	cscript.exe
2204	cscript.exe
2204	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2032	WEokMgEQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe
2032	WEokMgEQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2032	2072	76e64e4a178b337a100b97a277ccb02e.exe	87
PID 2072 wrote to memory of 2032	2072	76e64e4a178b337a100b97a277ccb02e.exe	87
PID 2072 wrote to memory of 2032	2072	76e64e4a178b337a100b97a277ccb02e.exe	87
PID 2072 wrote to memory of 396	2072	76e64e4a178b337a100b97a277ccb02e.exe	88
PID 2072 wrote to memory of 396	2072	76e64e4a178b337a100b97a277ccb02e.exe	88
PID 2072 wrote to memory of 396	2072	76e64e4a178b337a100b97a277ccb02e.exe	88
PID 2072 wrote to memory of 4512	2072	76e64e4a178b337a100b97a277ccb02e.exe	91
PID 2072 wrote to memory of 4512	2072	76e64e4a178b337a100b97a277ccb02e.exe	91
PID 2072 wrote to memory of 4512	2072	76e64e4a178b337a100b97a277ccb02e.exe	91
PID 4512 wrote to memory of 3736	4512	cmd.exe	1048
PID 4512 wrote to memory of 3736	4512	cmd.exe	1048
PID 4512 wrote to memory of 3736	4512	cmd.exe	1048
PID 2072 wrote to memory of 4784	2072	76e64e4a178b337a100b97a277ccb02e.exe	980
PID 2072 wrote to memory of 4784	2072	76e64e4a178b337a100b97a277ccb02e.exe	980
PID 2072 wrote to memory of 4784	2072	76e64e4a178b337a100b97a277ccb02e.exe	980
PID 2072 wrote to memory of 2124	2072	76e64e4a178b337a100b97a277ccb02e.exe	1031
PID 2072 wrote to memory of 2124	2072	76e64e4a178b337a100b97a277ccb02e.exe	1031
PID 2072 wrote to memory of 2124	2072	76e64e4a178b337a100b97a277ccb02e.exe	1031
PID 2072 wrote to memory of 4932	2072	76e64e4a178b337a100b97a277ccb02e.exe	917
PID 2072 wrote to memory of 4932	2072	76e64e4a178b337a100b97a277ccb02e.exe	917
PID 2072 wrote to memory of 4932	2072	76e64e4a178b337a100b97a277ccb02e.exe	917
PID 3736 wrote to memory of 832	3736	cmd.exe	101
PID 3736 wrote to memory of 832	3736	cmd.exe	101
PID 3736 wrote to memory of 832	3736	cmd.exe	101
PID 832 wrote to memory of 4948	832	cmd.exe	971
PID 832 wrote to memory of 4948	832	cmd.exe	971
PID 832 wrote to memory of 4948	832	cmd.exe	971
PID 3736 wrote to memory of 4428	3736	cmd.exe	102
PID 3736 wrote to memory of 4428	3736	cmd.exe	102
PID 3736 wrote to memory of 4428	3736	cmd.exe	102
PID 3736 wrote to memory of 4500	3736	cmd.exe	113
PID 3736 wrote to memory of 4500	3736	cmd.exe	113
PID 3736 wrote to memory of 4500	3736	cmd.exe	113
PID 3736 wrote to memory of 3508	3736	cmd.exe	999
PID 3736 wrote to memory of 3508	3736	cmd.exe	999
PID 3736 wrote to memory of 3508	3736	cmd.exe	999
PID 3736 wrote to memory of 3536	3736	cmd.exe	797
PID 3736 wrote to memory of 3536	3736	cmd.exe	797
PID 3736 wrote to memory of 3536	3736	cmd.exe	797
PID 3536 wrote to memory of 4600	3536	Conhost.exe	1129
PID 3536 wrote to memory of 4600	3536	Conhost.exe	1129
PID 3536 wrote to memory of 4600	3536	Conhost.exe	1129
PID 4948 wrote to memory of 2620	4948	Conhost.exe	213
PID 4948 wrote to memory of 2620	4948	Conhost.exe	213
PID 4948 wrote to memory of 2620	4948	Conhost.exe	213
PID 2620 wrote to memory of 2544	2620	Conhost.exe	1039
PID 2620 wrote to memory of 2544	2620	Conhost.exe	1039
PID 2620 wrote to memory of 2544	2620	Conhost.exe	1039
PID 4948 wrote to memory of 4604	4948	Conhost.exe	1081
PID 4948 wrote to memory of 4604	4948	Conhost.exe	1081
PID 4948 wrote to memory of 4604	4948	Conhost.exe	1081
PID 4948 wrote to memory of 4084	4948	Conhost.exe	832
PID 4948 wrote to memory of 4084	4948	Conhost.exe	832
PID 4948 wrote to memory of 4084	4948	Conhost.exe	832
PID 4948 wrote to memory of 460	4948	Conhost.exe	1011
PID 4948 wrote to memory of 460	4948	Conhost.exe	1011
PID 4948 wrote to memory of 460	4948	Conhost.exe	1011
PID 4948 wrote to memory of 836	4948	Conhost.exe	421
PID 4948 wrote to memory of 836	4948	Conhost.exe	421
PID 4948 wrote to memory of 836	4948	Conhost.exe	421
PID 2544 wrote to memory of 1664	2544	cmd.exe	1138
PID 2544 wrote to memory of 1664	2544	cmd.exe	1138
PID 2544 wrote to memory of 1664	2544	cmd.exe	1138
PID 1664 wrote to memory of 1372	1664	Conhost.exe	1025

System policy modification 1 TTPs 32 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	76e64e4a178b337a100b97a277ccb02e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	76e64e4a178b337a100b97a277ccb02e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76e64e4a178b337a100b97a277ccb02e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76e64e4a178b337a100b97a277ccb02e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	76e64e4a178b337a100b97a277ccb02e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76e64e4a178b337a100b97a277ccb02e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76e64e4a178b337a100b97a277ccb02e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	76e64e4a178b337a100b97a277ccb02e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
"C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\qKEksogg\WEokMgEQ.exe
  "C:\Users\Admin\qKEksogg\WEokMgEQ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2032
- C:\ProgramData\pqAAskwM\vAwogMwg.exe
  "C:\ProgramData\pqAAskwM\vAwogMwg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
    C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
    3⤵
    PID:3736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:832
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sogkUcsA.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
      4⤵
      PID:3536
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4600
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3508
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4500
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4932
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2124
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEgEoMUY.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4688
- C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
  C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
    3⤵
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
      C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
      4⤵
      PID:3868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        5⤵
        
        PID:60
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWkMYAUs.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        5⤵
        
        PID:3508
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:4036
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:116
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAcMIIMc.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
    3⤵
    PID:624
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      UAC bypass
      PID:2212
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5116
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      UAC bypass
      PID:4548
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCMYgkAU.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3096
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyAUYgAM.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:672
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3400
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1184

C:\ProgramData\cywcscEI\ZioYsMwk.exe
C:\ProgramData\cywcscEI\ZioYsMwk.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:812

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
    C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
    3⤵
    PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
      4⤵
      PID:1664
    - - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        5⤵
        
        PID:1372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        6⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        7⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWAMYYcw.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        8⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        9⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsoIoQAg.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        10⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        10⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        9⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        8⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:2668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkcIYEAo.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        6⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:5020
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2668
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3100
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        6⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        7⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        8⤵
        
        PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COswUgEI.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
      4⤵
      PID:4928
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4796
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:4344
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1660
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3408
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiwoEYEs.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:836
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3860
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:460
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4084
- - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
    C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
    3⤵
    PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEEAowQw.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
      4⤵
      PID:672
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3560
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:1152
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QugEcoos.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        5⤵
        
        PID:2220
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1028
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:1960
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:4948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        5⤵
        
        PID:4528
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
      4⤵
      PID:2560
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4604

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:3816
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1980
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4524
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcMQAoIo.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:4836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:3124

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:3508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEkwgcQY.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:4804
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4212
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1948
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4616
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
    C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
    3⤵
    PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
      4⤵
      PID:4080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESwQowsA.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
      4⤵
      PID:2404
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2912
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2220
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1552
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:5112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImYUscwU.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:4688
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
    C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
    3⤵
    PID:1660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
      4⤵
      PID:5064
    - - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        5⤵
        
        PID:2940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        6⤵
        
        PID:5044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWQMEQkc.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        8⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEQgkcQU.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        9⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        7⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaMAccck.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        8⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        UAC bypass
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        8⤵
        
        PID:456
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4444
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2564
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkIAAUck.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        7⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        7⤵
        
        PID:1376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYUoYkIw.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        6⤵
        
        PID:3560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWgUwgso.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
      4⤵
      PID:1960
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2384
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:336
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:5036
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:2456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:4800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1896
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:4552
- C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
  C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
    3⤵
    PID:3128
  - - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
      C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
      4⤵
      PID:4972
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1432
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:3216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuIQMEQs.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        5⤵
        
        PID:4476
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKEgYocc.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4068
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOMUgcsw.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mugsgokw.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
      4⤵
      PID:3560
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:4060
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
      4⤵
      PID:1940
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:2124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
    C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
    3⤵
    PID:640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQUkUwoA.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:1556
- - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
    C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
    3⤵
    PID:3924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
      4⤵
      PID:440
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUAIsYIg.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3860
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1232
      - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        6⤵
        
        PID:4104
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4260
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:2848
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2212
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4788
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
    C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
    3⤵
    PID:1188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
    C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
    3⤵
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwkYMkwU.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:1600
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4820
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2400
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:2908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:4460
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqMgMcwM.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:3680
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:2124
- C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
  C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
  2⤵
  PID:1976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMoogUMU.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:1952
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:980
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3140
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:3416
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCgIwoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
1⤵
PID:3048
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:1864
- C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
  C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
  2⤵
  PID:1428
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:808

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:1736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:2336

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:3036
- C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
  C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
  2⤵
  PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyYAwUYg.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
    3⤵
    PID:472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsEEwMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      System policy modification
      PID:4176
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      Modifies registry key
      PID:3020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3468
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2216
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:220
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:1844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:388
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4132

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:4568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:2912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:3212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:4564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsMEEwcc.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:2872
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1660
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3048
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2008
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3084
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:3880
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:5056
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUMwcYUw.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:4060
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:456
  - - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
      C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
      4⤵
      PID:2504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        5⤵
        
        PID:2848
      - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        6⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        7⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        8⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        9⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        10⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWQMQcIU.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        9⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkEYIcsg.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        7⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAoIwkEg.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        8⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        8⤵
        Modifies visibility of file extensions in Explorer
        Checks whether UAC is enabled
        System policy modification
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWEYwUkk.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        5⤵
        
        PID:3700
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:3996
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:4660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEkIcwIM.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        6⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        Modifies visibility of file extensions in Explorer
        Checks whether UAC is enabled
        System policy modification
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        8⤵
        
        PID:3728
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2320
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1704
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jScUEEgE.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        6⤵
        
        PID:892
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4808
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:4788
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4084
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1096
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:2788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:980
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:460

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:1428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akMUMgcM.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:4528
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4516
- C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
  C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4260

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuYUMook.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:2624
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4972
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:924
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3148
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:4604
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIsIQowo.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:4840
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4788
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4960
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1900
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:3324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:2304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEAYskMM.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:1948
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:4248
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2124
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2932
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:3536

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:4080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WogokgoI.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:4472
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYogYcMY.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5044
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4544
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3932
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkccIcwo.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:1832
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:3828
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:4176
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:1432

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKgscoMI.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:3312
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4784
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5044
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:892
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyIUUwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3736
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3496
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1184
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4728

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qooYQMEw.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:672
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2860
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4728
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyMcIgMY.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4360
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - UAC bypass
    PID:4932
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3016

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:3100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:4084

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:3084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEgoEYIM.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:2640
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:5008
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
    C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
    3⤵
    PID:956
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:4960
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:440
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4468

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOUoEMYE.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:3056
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:5004
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1736
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:1556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:3956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
    C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
    3⤵
    PID:796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEAoYgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
      4⤵
      PID:4604
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:2396
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4728
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      System policy modification
      PID:4264
- C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
  C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
  2⤵
  PID:4584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:220
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3940
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1084
- C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
  C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
  2⤵
  PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
    3⤵
    PID:3140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:3956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:3380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkQYkYYo.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
    3⤵
    PID:3736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
      4⤵
      PID:3136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIcgcEoE.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
      4⤵
      PID:1428
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:4460
      - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        6⤵
        
        PID:3468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4544
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4424
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3936
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:4716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        5⤵
        
        PID:1232
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOoUUgAs.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:116
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:4840
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4604
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        5⤵
        
        PID:3164
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1796
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2008
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:1004
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4592
  - - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
      C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
      4⤵
      PID:440
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5044
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3680
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGUkcEsE.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:3928
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
    C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
    3⤵
    PID:1828
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2456
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcQkgcEg.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:924
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:1864
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4836
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
    3⤵
    PID:4592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:4120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqwcsAgg.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:1896
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3416
- - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
    C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3636
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4516
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4804
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:4924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:1804
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSUkkIoc.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:4676
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3140
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4424
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1832
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:5088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3196
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQMMgkkk.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4420
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
    3⤵
    PID:4592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4972
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:4944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4784
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:4520

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:1432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyoIwAMs.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2544
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4168
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4080
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:1804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3136
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:220
- C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
  C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
  2⤵
  PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
    3⤵
    PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
      C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
      4⤵
      PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        5⤵
        
        PID:3056
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:5004
      - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        6⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        7⤵
        
        PID:4192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        8⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
        9⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
        
        C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
        10⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        
        PID:4688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        UAC bypass
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        Modifies registry key
        
        PID:1776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:60
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:1364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWgAgIgs.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:2672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:3164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        UAC bypass
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmQsoUog.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        7⤵
        
        PID:3868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:4280
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:472
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3936
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        UAC bypass
        
        PID:2940
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4728
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:1124
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        UAC bypass
        
        PID:1492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgcokYkE.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
        5⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1028
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2336
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:4600
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeIEoUoI.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
    3⤵
    PID:1208
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4960
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3212
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4928
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4176
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      System policy modification
      PID:2668
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1772
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2124
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:940
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECUQoQMY.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
1⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2504
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USIYMswY.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2964
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:456
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:944
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
    3⤵
    PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwwgksEw.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
1⤵
PID:4476
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1468
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:872
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOYwscEY.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1832
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:672
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Suspicious behavior: EnumeratesProcesses
    PID:3508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
      4⤵
      PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2692
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncIQIEAE.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
1⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
  C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsMYEQks.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:2056
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3148
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2176
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:1156
- - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
    C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
    3⤵
    PID:3112

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byokEUgI.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
1⤵
PID:3164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:2564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywkgowwQ.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
1⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAEMoogU.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:1184
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2064
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3700
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2544
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2908
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1140
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1920
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:3020
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4184
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:3428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKwIoMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
1⤵
PID:3736
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:3312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xysQMskg.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
1⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3020
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1184
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4804
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:2132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQcckIgA.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
1⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4528
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkYoMgkc.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
1⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:1156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VekUUsEI.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
1⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgQscEgo.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
  2⤵
  PID:3312
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4400
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3196
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:544
- - C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
    C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - System policy modification
    PID:4660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
  2⤵
  PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwoAAkIk.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
1⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- UAC bypass
PID:672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:3132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:4552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOUQgQYc.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
1⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1372

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
PID:2572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCIYAEwo.bat" "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe""
1⤵
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e"
1⤵
PID:2652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- Modifies visibility of file extensions in Explorer
PID:4564

C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e.exe
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cywcscEI\ZioYsMwk.exe

Filesize
437KB

MD5
32ebaa80cdbd03c6f261c116e6e67953

SHA1
d3a4ea48ab1c175cf63d5bc616f5bb579ec14a20

SHA256
67698ccb48ad69b3873f769cff343e641c35ead63488fe9601d7b228ccfa2e81

SHA512
c79d367bbe4ee0fd8f75f8f701a12f84155c8bf8db682d790a39c8ed8ff8a3e7ab3cb2dfba24113ce791b2eeab52b9e603e73d3faca79945e3fd39646a9a8cc5

Download Submit
C:\ProgramData\pqAAskwM\vAwogMwg.exe

Filesize
435KB

MD5
2a15a7234dbef9e3ab7e9af40eed48f6

SHA1
520eff4e84c752e1b79b457f0802f957c7ebb1f4

SHA256
db5487080f3e1698553ccc40633c42021b79fb187fc38c59693beb852e9b555b

SHA512
6aa397c0947d34ec44d41c02bfc44fa4be7215ff5f96d537adb9338cea6d52b4db9268c1150b3d78b9853ce7f51f53a86758ec73da144b284e7cabd44fe801b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

Filesize
32KB

MD5
cc7d0bf0ad60a0ed4fcabbda941ef182

SHA1
de04ef136d5f508219bfaf027d313b1fba027909

SHA256
34387c8f70b364bdc7bf47d32d946a4a2dc36eea613adcc2b5ab80044bbd74ae

SHA512
37677f82f60b61e6e6543e8c7d0e891509c46b71134cdea2f47c6e5cfbbe2a50a083c75b58d380f00feb42c4a3e382e222354beee67b1617ec0a3cc180926c50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

Filesize
439KB

MD5
27702de3c176579a7e8721af59dd7a8c

SHA1
644576ad4b939918d0d5d0b04f4035a427e7111d

SHA256
d01a5eaeafffb63fefbc702ef7028ab3d0a56f6581fabd6365d68b0966720437

SHA512
63d1de0658106910d307a2ec470d37bb8d3b5da5ce665397bb697fccc0926c88ea20af1892c8094378981a63439fcbff9aea112646c69d194a97e409789e4138

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

Filesize
439KB

MD5
131831c30eda91be52e23b61a13b21d3

SHA1
854818c5e2be91bbf271dece01bebea63a5b732b

SHA256
d702c572f7fefacc63b0d3c7d0549bc91417430ceccddcdd412dfa82473f06fc

SHA512
b4be511241d0673f296a7d864746fdc03b639944f9865edc6157838b0975b67e34537119ba571f8dffb0417f239496bea0fc1eca1f8954d982f7a8858963bdd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

Filesize
55KB

MD5
29048ca56824536c77cbb793feade90f

SHA1
7120c6c3507ed30f7524b3325cf47b15b682eba3

SHA256
edf4b9d472a6614d95cd6802b190d1d3009ae29fdd0fd08783170a08bcd3d7d1

SHA512
b3520f74f4121099b35ee5bebc40ef49663253f4e3e5b3e0fde5ff1df52ada875abccc33beccf73781e8f0b863963c82136c80f692b11cc162cc3732f31982d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\76e64e4a178b337a100b97a277ccb02e

Filesize
47KB

MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIgA.exe

Filesize
437KB

MD5
10e83d6046bdef6b8eebd3f3d034e281

SHA1
44a46acc4c5f5ed95c796a2e110fc5e33af7920e

SHA256
fca8ff7b3d3f100f805c2b8e7f106f5d2072ad6d7478bfdd4a5e7edb93b9459f

SHA512
3c7d431019d51da4fefb15e098bed456f9834a5df39aac0cd9b2678682798e2976cc25be35d812a9e592e6d64ef99ae7be6425a9342e45849f00e9af267884ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcUW.exe

Filesize
448KB

MD5
acb2ed36c64f7daf032ba89a28e684c8

SHA1
32f93da0373bf1d0e7f7c666589e5263577fc827

SHA256
a7619afea79542ab894833db0d15ffa1f1ca408dd63faa3f60f882a9d87954c7

SHA512
c33daa9fc20494f70fc848752a9339fb5d069a65423021d83be269e0b601a3641175d5ced4ccff39b0491bff127e940b6763c8997365aab6d02b888d93d95e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgoI.exe

Filesize
1.0MB

MD5
c11b71052277f84d4dc5db2f2427ffaa

SHA1
c1e2b1c6aa753d746ead89ad3f1a6c7048f61161

SHA256
c818551b8e3d154903a665cd38acfe1b537f9784dc09f687ac144dfba6fabba1

SHA512
0ee7793a8adf8ce91b0f8f06af367aaef7c2d327486ae17d0c6452f8d6cc9904d2ae7a2d705c2a25ef25d71e80b04f58b8d8350f845a85bf76f502d92ea56cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIIK.exe

Filesize
90KB

MD5
6da36cb110c19631aa3daddf63324004

SHA1
5420d8e6a84a1789b497268cc87b3bd6790717a7

SHA256
ef6fb79158492c8fd1230b88d54a631bce03bb06d65643c5e6e20b1f87ef40f6

SHA512
e3c1695b12e82c9ca836e6a80f0ae21570ab809a8f4ad5cc71a1900b0ec970b169a5ee2e6cd41cb65a9100210d7b83de0cfd525e0f03e959923188a993d353c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIsm.exe

Filesize
432KB

MD5
7523254175daec4dc876009e6a1646ba

SHA1
bcc875a9256dfc7ec22a214050db85616aae7b68

SHA256
0265897190296c05134fb2305724775336849d69aa942a55e64076151c3f9546

SHA512
1659dda35552a86c0e6e894bcba395869fdc91d78d7e5dfc923f0309b1de54fb4bdc969990ce5d59cfa46ff6379d2e1eb63ae9084572a5e509acac596fce5335

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMQk.exe

Filesize
134KB

MD5
63148b1ed32141df72cb1e430498da3e

SHA1
349ec12a83da606dfb28ba76353b211c665e95a3

SHA256
bb97cc9009dd11db750a9bd64ec6faeeeab5ddd1eeca7f4f83ae4a8f1e404f50

SHA512
63d0606403df5802c4f4c85316421845c417e784399f8ad7f43f54a0527c9ffc31fefe7690ebd3368b1a7ec6a7246014789336bbf6ac15e33393e256c0255d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAIG.exe

Filesize
442KB

MD5
991c41f7c719c6734e7ce93099858c44

SHA1
1ca9d7507399d6464790750d203a74ebf0cee0f2

SHA256
d22f25f2435abbf087c6e4e7ddf2e23317df5c252b79f2646e4ef8431e214c23

SHA512
82bd82fb5da3743f6ee583bef438ac9925f640ac317a1a0ff5394b919bc485c44e27581a89b4eb6f709f4f1c6d545f7615ab22f6c776e822d415c6c32608a7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAIc.exe

Filesize
23KB

MD5
de287db78dea407c3ef9ed731581b288

SHA1
f948167b9b43a0b798982802835d62567a81f402

SHA256
afbe150f2569b6417b640a715247e9090d0368846e3babe2bfb7d5e6044adca5

SHA512
51e17514c996d7d8c7b1a0c680b856ee0de24da7e166ece7e0650653a2b152bcfd53a31fd6d1badc130544d3149634b350ad80774f929bd8b620f592a09e03df

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAMQ.exe

Filesize
162KB

MD5
4e7932ee04aeb89ac23d43d9660c104e

SHA1
f7791988bdbf822696251144a381e222d081f09d

SHA256
42470dc7b1c048f919effbf639583bd1c0a9e685f3cbbd0131faf5f2e1bb07aa

SHA512
394e628ad132cb8e0f7249f4f9f0ee3ff4e95eb457cffe07a92a98151d5c73d854b82c37e7ad12daadbd6be50de395bc8e9778ba702cab1723caaa56165e321a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEkE.exe

Filesize
149KB

MD5
ad6077c93b57e4c026fd0f122e1e8fd2

SHA1
d00eefd6394f97073850a51726b3009c96fed695

SHA256
0f01cc109e4fdf411f2e420f7ba8c84024e8dfa04024dfd153a9af024d712467

SHA512
dbf80976000996feee3cb57f90cff23cf52c9fa8371d7c9fb488f17c84645401dbdf80b0f5651950f8725a439b9655e3130664351fd47fb0ac50dfbb51b9e093

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIoC.exe

Filesize
443KB

MD5
a46829c58ded18473765abc2a1b1e0eb

SHA1
4e8141b2712878fcd87bc54fd15653f19e384b06

SHA256
94f2f35e8d175943ff6bcf7c543cd3cddf9f64bb171a3165f7d0101289ab715f

SHA512
26ae9b95ba27c9faa18c453464103caf161fe78396965f31c8e7dd210a81ee2126e39b3b98bdbc7de24a8bdeb0645936c32fb94c1833304a69897a207ae8fe8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAAW.exe

Filesize
80KB

MD5
f07422630564eb86eb1271fda08e9c95

SHA1
e3b4dd05027469450bc298edac7370adc9bbf3ff

SHA256
85401b851abcf94d5911335a3b87b43b98749fda2135465cdcb29df50efd4634

SHA512
6edb417d16e0acaa1a9448cf262593b25c23efe329c269ae6c75ba8d34f5a421e828a12de58d97982ab6c9f841af2ad9b7b424e70a65a72807bb5dc7f1c6a7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIIA.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIow.exe

Filesize
2.0MB

MD5
139779dbf4e564a129d0e12565e27fa4

SHA1
48a3b4e266f0728033c5c5b47b0b25fafbf96f52

SHA256
f985844196c0e5a211a68d416aaa2a993bf20987473d7b768ba34be094f052c4

SHA512
c096ec6ed229f8d8b51d3eccf9f564bdf39bea0ed1c96c14cfb33af18e012276cd051aa6f75a269951dd4e3406a08e368a59940accdc157945c5f4b534fb4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\McMe.exe

Filesize
1023KB

MD5
d0953c52bad94f152b0fa44a1dd8696c

SHA1
0091249a588e6629d71286b846aed2f46edde3b6

SHA256
0d90bea9a934598b4caa754a0145d2678f1df8ecc9bb3f41ae9b4e8acf294a96

SHA512
a955ae6370296ac06dcacbd68997546357104b0b15557082a65e7ea5f542808018bc5d34cff9ea085f11b9584566dccb4bbd116fa15c0669a392446e73e31b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\MccA.exe

Filesize
73KB

MD5
72c98d88d1899457a351eafff0b889a0

SHA1
3358ad4957fcfd56a827ed11837b3ee491834ad5

SHA256
c6fda7f2578d4a9d4363872f984f0351826e56521ab0a5ceb5429f7a837238d4

SHA512
1cffffb65e248fe4bdd991988dec22b19fcacd3c08c0cf59f511ac8f558b9976832cd87b437bd58b25bebf5ecc884e3dc6ac92e1fb7012e9d27018dff6570f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwMe.exe

Filesize
50KB

MD5
24696ec22eb82d776ca423e75cca41ec

SHA1
2750e24c35a95a0271e9e3e5869d27bcd9bbc4bf

SHA256
b897440887a313db992e601c33cb43ea2d7c66069da893fd90c96c8f5a05ec9d

SHA512
0369bccb5ab0b89b68ca30ddd99bf951fb3d43b0cfc9aa0fcd27e80105d414b7d0bd42f4b7e930c6a53af8d51b2fe62cbd43bb68c7c9783b8a6a232cb6d63653

Download Submit
C:\Users\Admin\AppData\Local\Temp\OckQ.exe

Filesize
444KB

MD5
238bb0d76ff4c36016bfb7e418f411a6

SHA1
4cce80eadf2481b9e8b2676b1c885e17d042a7ed

SHA256
2a44e3da495561d320c3eb4b7f9ee60f4031d7d9d3f603b213f50be3fd370a8d

SHA512
ecb61e4276cdb38850d752816cb90c29b80ee20f9c093b0a83dbfb04dcb0c3b8eed3739477b553f99862e15c7e779fa877f6b38c2212821579e7f6d28b286c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsMc.exe

Filesize
440KB

MD5
b5102bfb5df5add72694025d9e9f6cc0

SHA1
66dddba2bc3bcdf835456e9da9b6ffcd76910864

SHA256
82fd93e299f43207aec1bd75a5fefe1d42529f0fbc149909f535b8e2a24e920d

SHA512
9dd37e67400526d1b9880bb32e1e05d62353fd7bdda682a7463eff869a5bd7e808842209e5e17196e2778bd72c64033ed376642da8bc16dab3d1236553c79870

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAYW.exe

Filesize
435KB

MD5
99f46b09d4107e7a09e9b28195e11b48

SHA1
116c1ff71af9898569daedc2a8bf5cfacb46a541

SHA256
9b5edc3ff10ab36d128f1c4b1b307a1210a94476c3517a4c6ccb84937eac5c1e

SHA512
d51d5f757c71c6c5b8ed800af2d0437f9adb86242dd7e5ce403a0924f392b22e192af892b704d0d4697a341d249cd9c59d171fb04cf302024831db9c4a95392d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAsK.exe

Filesize
451KB

MD5
e492f2f043b087ab19ead25d26820b98

SHA1
ead0b5760ebbff00077c97a5a0ee3e1350363fad

SHA256
8c76cdaa24336e4d387ad63495e52cca68a78f7c2a01f1165304760ce1e2b0aa

SHA512
138825229e2c8e60607577df176a76762dd1819068cff1f8f2454e116f5051c0fd50c8b4c64d2de8088a1e77145638257eb6356638d5e2caf02cd304fb70c8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUMe.exe

Filesize
441KB

MD5
722d78567c4b1d467eac9912db6564d8

SHA1
5dad70ed78d79ea9eccb5f5630c3b87f1482c56e

SHA256
2e8f0bec2f76dcf1b180ed214850c4c4913cedbba592c47e7d2e0266639c0e45

SHA512
4cb854e0145280bd5a66a6bd31b6e6e74764c53c271b87761b8ad31cd688c325cb11568a5b1ce87c8adc2cc2c39b9894d432adda43eeebfc58e806c4268575d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAYg.exe

Filesize
9KB

MD5
e7c7b84e0af89172eb27f583146ccd97

SHA1
b68edd6092029f73a2e2840f85f00bf8187af469

SHA256
06fb4cf34990932a9af4798d7dae7ac0564bd1319d6eaccde1ef363d46e04ad6

SHA512
76e8d954b5198699b6d84d0f9198ae586297d63f6ae8b9ef2a527d7ea58ca479f9f9c539c2bf9641a1fdeb50b28e678d120d23e159dcdf0c80090f811184dc2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEcA.exe

Filesize
34KB

MD5
7aae025de7ac3a9946486d8e27a6f518

SHA1
0c4a112417cb634225c2121fd2fd5d3b5a75330e

SHA256
c9de3ccff82f2fcf3bcb9a05a2e39d65d56d6184718ead57b525899b6b1e85ba

SHA512
c22e81320f5250d4b28030021148774633a4d1bd6e7326cd4967822adb1f99feb862906cef226a671e1b63072ca053d98dc01fbdb2aaf6e8b518068c1c685528

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcQC.exe

Filesize
451KB

MD5
4e9b0f4a4af845b3b5da9a49031220da

SHA1
e718ed6282d0bfba45e285d85a66b5fee8355283

SHA256
b1e705a7f6256e5301b6cf99f4d0b37d17e668f107ea9ec15152c70491d0c394

SHA512
2e2187e5f1d425257123ac9d42e214b89547326b8dd3802ad234289bb9dc0add0b691e4c2a7b9b5b7516c981036c8a7b089027004a42d11b18bf1d9db9617933

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgAQ.exe

Filesize
434KB

MD5
c47bfb95cb7c0d7d0ae33d4e589ed4c5

SHA1
e282c1fa341b733fa450d1c2ec83474334b37e60

SHA256
42c9c1dd6effb2730abc5d22d7b1619b41dda4c3f9d812f997f3a0a9b9da3e7f

SHA512
2d2e6fb7630f15ace2c38c0d1d81a1f551c0822dbec263ed9205989fdb7bb288a674b4d766e55e4dfaaa831e3e67ed4a097df67f732c93382e931e3804592142

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgwQ.exe

Filesize
563KB

MD5
3dcc03d7b062437e5ea8711d3dfaf5a1

SHA1
12083dfbca4f1747dd6c24f0007e43cb6ab9ea8f

SHA256
9f1c9f77aecbf600a685abda1df71c342b4ce84856f99bcc9dcd7206ccf5e419

SHA512
82406bc219cc4cc5b21c7aa34831efc154c54979210098cef701ab3ca4df23421012b06fee7d2ae6ef93981a593f3fba5adce151a32a2982ee87a8ca439bd85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMoo.exe

Filesize
131KB

MD5
3d61360caf137d5d9ebf35e9ee44c37d

SHA1
5af3ecad925230944936b1dcd2cd84fdcc767599

SHA256
752a4d9fa11bc7acb94bf5c9952ca9b0d55e99295fa0a6857b384943db047ee1

SHA512
b89a15e4c34c04ca518e2e3cccba8c01cded850020aa8be93fdee2d14a405ec96e784f80c40d1df9992214b80d6630bbc6124440f5d56b7ecf8cc95fb185495c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQYs.exe

Filesize
83KB

MD5
e778839489ecfc8f794bc89d2567a0ba

SHA1
5022a545da4768d141cc3d4b0bc418adf8c30ee0

SHA256
3e83d0d237fa72a35f54cfba425e4b128549199b92c0c312d243f19be0bceb1f

SHA512
180dacef2f8554cb9edc6028d096504d326cd0245cf527f9867b0cd6c47408419d3faf5eb3c57226cf50d541e99a343385e4da42e81bb951c855abd227b1e428

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgoI.exe

Filesize
434KB

MD5
37211406c450514fa451af8065046dfb

SHA1
bed6e823f3b32b6210208bbfeb86cf07d7c53d1e

SHA256
c354e9dc92b7221fa78bd7bf9774385929a8b1a8796d9f8fed5a213eba330930

SHA512
32c7938b705d7343fbf736bbef4f27c81584e2d3870d2ee34d4c71c70bc36092d433a9aedb2491bad6a93dcfeeace709359b5296821943cde2a0c599d1fefce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEYg.exe

Filesize
435KB

MD5
569f7088863885346bd7944f2de91237

SHA1
ab588a126321f5313b14ffc1a8b381d1c0d663c7

SHA256
c173c5a4381392b80a1e76391feadeeddcd491fb4e5866067b374098db3c2aba

SHA512
d8f9ee8b5e069960c18da5643bbf12af830abf785e86524a4daa2368a532c3bd9988c9ad85d989a5527d26ea1fe4673cf095f97dd10ac363a9d93e28e92244a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEcK.exe

Filesize
809KB

MD5
ecaed53fddef7aaaf763884d6ab99e4d

SHA1
9256a14be34e2d99b8389aef275e322d97ea6daf

SHA256
d74a3fd3bb2619f5798f0f23e0c3f84138566aba81c1d4096b0b6ba3f5ec9834

SHA512
368b7effdc82d2c7de9054f4510f9ec5758fcfaa94e60f053dde3983bf2e522dbb58ff9b01ba427780c173a34f66bdcff6c0424d7ec67bac2c7cc95d68124735

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUcS.exe

Filesize
130KB

MD5
f9b7efbd270f320c06814cc5d0777c80

SHA1
8ff8a97d3f2c196fa3723768dacedf055ea37446

SHA256
d445cc144ed5ce4b2ee5eb1c3ecaf22d6bbfa43aba4c27b4ff41563d7a9e944a

SHA512
96e5a60339948126a8466d0db0374c78b1e6c13e9af49ad1d59275516a8f1dd1a4a8db0294757286c07d2fc7d50bc1794b7f978fd74f0a0635f366b71543566f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYoM.exe

Filesize
441KB

MD5
cfed552fdb530f60607065b1c16770b8

SHA1
3b0fe175ee98e7204f7d0d81a7ccbb660392b351

SHA256
b8b64805493270e9f5f89bc53d49f7c7c54a75f46eae1129d245a52f96ef1a0d

SHA512
26ff13915c332816d27e13c5d8095ef0dc436c666bb45e194e85036e5ab86fcefde4c85166d22334fb41876155fdac28d7a44b8dc805b4575f7964b99a0d0176

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEkU.exe

Filesize
2.0MB

MD5
7357464b0419908d069982362552f160

SHA1
2859370a6335d51b18c49a1dced736f4ad658fe2

SHA256
e9f06cd63cb73c0013aae9c01faec144ff7243a557f92f54c75ecb2577a4b905

SHA512
0c69a064c2ac7a0c18c199667d53699b6bf6b86ecc611b445b001884363f7f99f0bc1c9d3d6086bd69c9465065f3595cb5f25c43f2e4b4b8067e075d1f613f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUEe.exe

Filesize
39KB

MD5
e15b19130ba7e0c3ee3d70342a943bd6

SHA1
8ab4e01643cf2d73244bebe33a9a4c99eb495581

SHA256
1df50cb48269b4715316a98e3ace9e4da450b31b69a16c802df405bce4eeb684

SHA512
70ed416919cdfe3fd2bb4a199df1b65c27417e32d4a2782ff049f86aa31bbb61e2ac994687413ca19c976511d391a214404bccd5bcec933968cb25074dfb5e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEoM.exe

Filesize
80KB

MD5
bfcd2964d2daaf2afdfec65a0e77ecfc

SHA1
11ff1f98a8d26d45f92d593b8f7e61691bfa3fcf

SHA256
5d5c4dc3d429e8cf28eb73ac0367108b6dddbecb4806d2190efba7e670271b23

SHA512
dad7ac90cccbbcfe611d69e476db159d9c2287a8b08931d0353ff3fe8ace7545a3abf36a33e36955ac480efddcb5926195a7a447b3bfaf80879e30116a28a37c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQkI.exe

Filesize
439KB

MD5
56ffe8ff66b800e280c6cb19bcc9f61e

SHA1
0ef799bce348747cda0255dca62e8c9404352f2a

SHA256
9d0355efc631e780c47103752ff78e6a4251e86507e470c89c290d2100d7ed0e

SHA512
a4ad5337445a8b4717d8bbfdfbd0133f2ff411a782878f44bc01af40bcc0219295afc921999b85de019bf9a9b5f6dbd7042005d7bb07e90be509e47c4503b6d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\egoa.exe

Filesize
97KB

MD5
9fe80d9b3d01fec1a97ac45bf27eff38

SHA1
6a0a89c0e5595a6bcf4d523beee11740138f0ed5

SHA256
999463934f102360caba73611ab7d7674a8d11a06a294d0069cfff5f1b0ddcd1

SHA512
13f5087844f04c657503ff0246b9a7494842692d2c9d19f369b94b4476b761b02d5819a1e38d82f33490f8ffc86f436e5187ad054e4268a8d9cdc8c724796bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYMa.exe

Filesize
1022KB

MD5
5776489da377f838ab77d22958400a00

SHA1
c7687e21e72871e548e981d0f222b712aca51f86

SHA256
d1c7d0229df12bde9edec3af007767266c617a4455fa21f768c5065d451fc7b0

SHA512
4a7495c0d05b26e1ee1ade94f8382634a9fe04588f947ae5a23dbeca3187e7f99b11fe7c43d9b563420f0a92dacfa522728d46a7d81d1674678090d2200b12ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIsW.exe

Filesize
1KB

MD5
1353c9d5aa021183cef0a575f27658df

SHA1
307c74f920f8bda593b1a0749eb9609f8a010752

SHA256
b9b7491592a997596b158d46b7d7ecfe2d0ff5ad179234999b3ae8c80ed4c46b

SHA512
a418c01622651121222863294851dce99304df189f99a90c93c59266019de65bb720ca205efc0e9bd4524af0c94c13307c070c55743cb1a0f461333b5e0e3be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUQe.exe

Filesize
119KB

MD5
cc1ed7ef7cd24eaafa89ad4a9844ee01

SHA1
0b7533afe06f664ce316c59eb65d55a55a999913

SHA256
4e6a40d5030b7c5c76c91f77f91299d0ec04fb2eac268aa2f69dcfd5c3fba735

SHA512
ab998cd86358049bd559c506f0caa036594c3ca55a7e14c6b3e587ae0878f61b9dce855c4f499aa8b759ea448be7d6c93eea106218fecf814ae1d274c0e71f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQUW.exe

Filesize
1.0MB

MD5
f8d24aa65216b767a0b06b0a2a66a841

SHA1
8d48e1884f749658b121b74701b51c59733fb709

SHA256
59dd3dc8b3edcd47c85e6a5c3da1f3ec80bbe39e600cc2e86663906f76751532

SHA512
f5b962a9531c5a2261adfc2d0c9236e0b6d1edec1fcae1e0ee516618f920f839f1420f8e45c5d0c27938e929bd9ecdde4fa515e9de71ac7fae79828d5c7f798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYEq.exe

Filesize
1.0MB

MD5
3f54816be9b45309c700ba97819e2a98

SHA1
1582092278dd687af83c7c3b4267f836ace9bab7

SHA256
c832cf5f78090e4205fd2fd0324186b4b1677c099a0cced5d62045016eb90cf5

SHA512
d3b4e2872e7d04fc1085b357d22435431ff6f0e118e1c0726c5fc5174daafc0bb82c4992668cd6459ac394c100389ddf1b70a1101ac6f2d8178100b0baf95466

Download Submit
C:\Users\Admin\AppData\Local\Temp\kowO.exe

Filesize
441KB

MD5
2c99191bf54029688f5b1bf66add11b5

SHA1
55065775dc21591d4c88c84eabf0f95f5194afdc

SHA256
d8bf0645ad487252fc9a85680a9296de2eb1edaf0dd9d72225d8837ddb79323b

SHA512
d1314c071adf19555b55447204429a9fa9318f30a8052a54bef72bf7be860870dbfc33acdaded276c87f7a27882bf5954880d495a90a945e578c4532e3faf284

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIgA.exe

Filesize
877KB

MD5
55dfb416ce1f947edfac199c5e4398aa

SHA1
8555c598f9d7cb879e3472621854bba966214adc

SHA256
d799217599eb0de97bae34d2179a3fe00d8378564f8c46a17fce81cefc106985

SHA512
240ad096e292a39a6df8c093ef52430be824f938d0a0fb978d9a808b9229441b1be12ef89d4970b939b450bf36793c95f64df5eab3324d945924bea17069b653

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUgQ.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcgA.exe

Filesize
670KB

MD5
8a5867fabd4eb815d47386b3aeebe4cb

SHA1
2ae76f1dd3e2a88d9f568d718c31bd3d4606d9d4

SHA256
f691e9e9abdab582b66cff33960ab6c4b9668fc76a470abdb47d29ccfb447481

SHA512
e1ddec2a79e424d9c6a0d91574893b9f0cdc2c641c07f76789ac8831c240942e79b0442bda32f26342a8cab27d749d13442bd315bfd096494c791e41000b7dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mckA.exe

Filesize
440KB

MD5
e6400c78e523a4765436f6e58d76ad8e

SHA1
9b354fbf956bce36e9f4d116e87f183d2f3b0f18

SHA256
d97a23f418fc6f14cf6a56af96e8cb2a7d5612c32d219c5b2960a12300a095a4

SHA512
6c657d1bb1cd8ec07d7f97d1dd11c56f8153421caf6f442c0f0aae59e622870dd2e504379e7ceffc875b4c3351c1d2ea390a19d5b8d4dc219c6ce73734aa1958

Download Submit
C:\Users\Admin\AppData\Local\Temp\moQS.exe

Filesize
1.0MB

MD5
717a08547731efb8541d6baad47a346d

SHA1
9680d89fbfd08bb8bf0fa67043089f357b97ae58

SHA256
b3621b46797359b774dcd6c8adc325eb9cd835a862874bbfcc10c453489d36fa

SHA512
ddba23dc7a7b17508a2b82720afe01252bccef83d89ad782d241f76f8c37f7b94eb75be0c821a2a69b7b8817195eea2a6372750badae245dbeca21a894951516

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAIq.exe

Filesize
22KB

MD5
843c33436a82da1640573be0006384a4

SHA1
692b93ed506a33694ce5333a1b85773da653cb29

SHA256
fa75629a7d1398279df0abe7ec296426604f4f62a698b759626d20591438f854

SHA512
a033608479986eb8f7df9114a5c7d890695db7cf23d7847ac6e098b6f17e339c021eafc4fc824c2c900e5bf69c421f736994cdf77d245a729ccd03a14ca308f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUUe.exe

Filesize
94KB

MD5
7236cf36b871029f000996595f63e790

SHA1
55e627f2b0216dd9b528529a5fb672bbcb7aecfc

SHA256
c91e9cb76fce58388a0379678b615bcca034eaf7eb4b38f81c29e14991e35e87

SHA512
0812f9ad91f30ac815d43d51cd8ffa86cb0964e38533a24445ae55a625ab611231ad4205970b6ec2f9ecfa95d50801dff2592f9a9040c2db68096f0cffd9ceba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocss.exe

Filesize
153KB

MD5
98cdd631c8acc31512c639a6e1152ed5

SHA1
94392be26b11f0ff15fe43cd7544ab865cfaac6c

SHA256
021bbc46c7f53220f827796af509971feb624c3e4252f4bef381491cfae66a46

SHA512
39d342c6061850ffc9315e19eb4909b26e9135e95c70a9999aa5a65513a5216fa8becabd5e8edaa56246c5bf70d1eaaeabf60c35bf1446021d213ca40ef09ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocwy.exe

Filesize
442KB

MD5
6df010db9952a9707c10a77169cca8ca

SHA1
62eea25d2686fcc518372a9974740f1da93a52f8

SHA256
1574cee0825ee0788c4c0273fe961d2564062a8551a49cfc39f5235ea0a73f8b

SHA512
e9420902b08dda124afb34745ebaa22f182c60565b609a8dc8a99a826ffdf68dc54e9898179361cfd9c34aa96d6e0732dc57776745e82c85be7beb41f1d4e7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\osoQ.exe

Filesize
885KB

MD5
bfdf4b4c25b6851740972582a3518a4c

SHA1
d158fa445eefd3ac9e3c03dbeaaadb11a611507b

SHA256
22e0f76f8322cc99bef6f52f43884c5b92abef5352883c227d10b5859b766550

SHA512
8828156d83dacbd46821af687764adc779363f7a5e763737175302e7315a15275aabc78d789f91921c71c9c0f6835e3b8cb7d740063d26585b3150ba502a9be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYkM.exe

Filesize
446KB

MD5
c96cd537a99da17d90cfc9056e4e200d

SHA1
7691201f96b5ce9e20c91be63e9a54bfc7585df6

SHA256
3be0f7408cb92b58335d45bb0e5b223cb6eb5c9490021be3667fd362829cf23a

SHA512
91f7001d1426842d8f10e3412d71d74c9fb7e91824491f8705988c6b035f2b7592488513690f51535e9043719e4998794cdb034a9bcf112d2f44a404ea4b114c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgki.exe

Filesize
55KB

MD5
7c271325eb8fc14b79a2206d0e4092f0

SHA1
21516f30391e2a72d0dfb81125d247c9589ba0d0

SHA256
b3403a15039e769ddee41dfe2a12869eb36c92767da7fde8635360238e1615d9

SHA512
8a16ac04ef5d78b7a085db4e8e1eaa27df2321e631e42d5bd4a4e12894070ec2916689e3c1499d0563a1d372c95f21337333cb2b2201675817a55b4963c3620f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEMA.exe

Filesize
62KB

MD5
27262f477209bbc1870968355293dbc7

SHA1
a024beb86356a3be494e977bf99250ca94ba8f3a

SHA256
4946b80b373def8a7e06bb274d59e987990e91da81d1b0ec2f18d306ecbbc03b

SHA512
8ffa8d0bda2a9d2ab86e01c29436be418e241ff6bb638bc107d650e89dffb76de9345d7338fe97c36d7c0eb539e77b88b2b356072743d093d0c11608b8d8cd64

Download Submit
C:\Users\Admin\AppData\Local\Temp\sogkUcsA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIoY.exe

Filesize
22KB

MD5
b45bed76b8775823954cd18e45e01e51

SHA1
6d3611829cf1541027d26d3b0e64dcbdd53a5e61

SHA256
72ce464127f809a9a15f4dbdef9299ffd3d50b5193b30d4880e6005d059a72a7

SHA512
48058b4ca5131a3a7f9f6c42cad543a14c069ccef20e2d0430eab61b4d8ef67028156732f6f896ad54a2cb495d21bdd67bb1b29d4d91c9c072325325e547610f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugIG.exe

Filesize
452KB

MD5
7f0f6f4f55bc4ec4ca4d0b2373d28b57

SHA1
3483189318b0ca0ac55c26f0f1291b3cf222aa8d

SHA256
32b604054519f27a2c9c2979a2eaa9cc6d703e4d9bfbfa19f6445d5c9057d4c6

SHA512
cdd045dfc7d18f100b7958a78670097777beb4088d975c750c6aab509d8c097bac1d90d07874c294ce105b9cc9e3f03a1fcbcf292f3452ae6af672315d7b21f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugUS.exe

Filesize
434KB

MD5
950e77cdf0df093f604287dfbb0597ab

SHA1
fa7a5fb45ad62e82093b7cd6e24c227c933001fb

SHA256
2a946909b69385c64ddb40c699774e18c1eafaa0f824bcd9051be5c722fbe136

SHA512
1094b1420ed33dcdc439b204e1bab1924e3d263bc8d975487371d12436127e8a425ee36d6040542b73845e4ffb2350c2806d3b229aa981a18a2fafc2798b1f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAEE.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcQk.exe

Filesize
65KB

MD5
6d24dfd0c313e694c79dbaf6c4023fa3

SHA1
111d8b5d8da2925d9bed151fad2a92c9d74dedc8

SHA256
8460b04dcf2915ef889f7a8ef0df84100e47311dad28c878c9cbea354c0cb2f9

SHA512
43806a8abc5bdbeea26081746ea7986c42735d04174ebd70c3d17b63ef63f11d05a6125d38bb5e6f9af987f7dbeac3405a6cb7c2f4ad243e4dc2fd3a91b07e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkkY.exe

Filesize
436KB

MD5
6a7481a362ef429122a41b8a77a14c81

SHA1
0350f5f83ff1e984b7e14b0cc2659ddfe83b2ea8

SHA256
7571b07ac3e4c50d8e249dc93ef1ac2996870b20ec243dbf22f2521e6a7e5cab

SHA512
d6fef83bbc1db12f544155630ed43ab235606b75ff866deb8df6103ce265f0f2995794d8b4d65a52d0c442acfa822f4833adf2d9a19a7b03e885040ad2b07541

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMUo.exe

Filesize
38KB

MD5
8b60f5db3ca363a919dd72f02d43d1a6

SHA1
ffcfb8a6fabdae0ee6a296e67191bd51dd82bc18

SHA256
bc5ddad6b5962562a379bd45665ab6de52726f46432d57286ad86ab17a0f1d8b

SHA512
f0610ebf0a9c828179d8a158eab5244f1a0f5d41e183092ce55d4bcc67fa4750b75224aec99eb451b92cf0f8047b98b1289254f6f6c116e74aef5a944978a745

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykQi.exe

Filesize
26KB

MD5
376800223f1385eeccb32c5dd797a9a9

SHA1
07b377a3ecd685b8146040ba7feb5ca5acb44c8f

SHA256
6e1ebe97bcb9bbada904218c0c92d7527aa4f7f4d5e2add3e82c9269ec362b97

SHA512
63933930ff9ff7e17ca31ba53f4d35f65502e5c4627cb745bac4a0d7f3749e95fbfdd50631fd01187fa83486419549b13b722a324da3c34c6419fc57e55b6227

Download Submit
C:\Users\Admin\AppData\Roaming\ConvertFromResume.zip.exe

Filesize
57KB

MD5
3b3826e85852afa74f979f0dc0681396

SHA1
0c8bab41f2357bd39944c02f882b440d7e7bbc70

SHA256
66d102fa951636854f84e3da30203db2aeb3a3e9202ace156302a298ef51dfb0

SHA512
7a8bd62b9017a2e60b6b31a9e90f695cb426ddd8ba22940db29fb24c39179cb78cd19a66d8ec2718993ff321c210b7c9045b595153db757166e60bae2bbd3160

Download Submit
C:\Users\Admin\AppData\Roaming\FormatLimit.rar.exe

Filesize
1.1MB

MD5
6eb842cdbd87dd6b41a7adf4713917b8

SHA1
d6bda467f368eb8ee35aa419038811944f709ea0

SHA256
2512eca68e9fefd968af637d364246a997df38eee0be01901c61ee91e0cf37e8

SHA512
cdd6feb33366bbb6c6e0aa0f8333b6c24362373833be92f6b85dd1c926a1dfb5b49bfb354bbaa6c34a9aec87e4d46a84f5eb4e8edc4abeda6e6530a5ed8e7203

Download Submit
C:\Users\Admin\qKEksogg\WEokMgEQ.exe

Filesize
432KB

MD5
44a753178aa83336026a8bec21eed9e3

SHA1
e87a6195fe8e4352aaaff42ebcba14c77e130f91

SHA256
56e656b207c7e8d6c1e11d2514ac7808dc2193210f553ee2b2981fae293ae9ca

SHA512
1083c2a8673618404b8ec2db4c8331e3294c3a0b1a1829872be1509a607729e512d105ba3a6f19a1778f8c93277f6320efcdbc6d206a62aa264bb746ce6e9aa7

Download Submit
memory/116-79-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/116-64-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/396-117-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/396-12-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/472-116-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/472-101-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/640-229-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/640-245-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/812-126-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/812-17-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1372-48-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1372-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1372-682-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1372-600-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1552-143-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1552-127-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1644-155-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1644-139-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1724-257-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1724-241-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1976-346-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1976-458-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2020-845-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2020-734-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2032-100-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2032-8-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2072-87-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2072-206-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2072-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2124-217-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2124-233-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2204-203-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2204-188-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2456-167-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2456-151-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2544-39-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2544-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2572-510-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2572-617-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2828-997-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2908-296-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2908-253-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2932-118-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2932-131-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3132-933-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3132-832-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3468-366-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3468-295-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3508-88-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3508-105-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3636-1001-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3636-908-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3736-31-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3736-21-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3816-92-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3816-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4660-191-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4660-178-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4800-163-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4800-179-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4948-43-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4948-27-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4972-221-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4972-202-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download