96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Analysis

max time kernel
35s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Size

564KB
MD5

67aebb5b12ae70764e7835e5305bc460
SHA1

570d85a6ab69874f18458ee3de795c43321c4273
SHA256

96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
SHA512

9846f822d6c0884c538544901f4d99623401690f769e8d504c1fc6a0f684fb7757e0db575720b6ac96487820c683a15b34d0b6c41346e270df5c739865696cdb
SSDEEP

12288:SeIHWQg2OJo6UTopWHLo/4NmOB2ltVb70tekUyoWaVscRKQv+8Y67:Seug2wmopW8/4Nmjl70Z9ajpl37

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\JaAsQUUI\\TyUoYoQs.exe,"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\JaAsQUUI\\TyUoYoQs.exe,"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe

Modifies visibility of file extensions in Explorer 2 TTPs 62 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe

UAC bypass 3 TTPs 60 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe

Executes dropped EXE 3 IoCs

pid	Process
4816	oUwQoEwM.exe
2064	TyUoYoQs.exe
3396	GkIwIIIs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TyUoYoQs.exe = "C:\\ProgramData\\JaAsQUUI\\TyUoYoQs.exe"	GkIwIIIs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oUwQoEwM.exe = "C:\\Users\\Admin\\iQcIYgww\\oUwQoEwM.exe"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TyUoYoQs.exe = "C:\\ProgramData\\JaAsQUUI\\TyUoYoQs.exe"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oUwQoEwM.exe = "C:\\Users\\Admin\\iQcIYgww\\oUwQoEwM.exe"	oUwQoEwM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TyUoYoQs.exe = "C:\\ProgramData\\JaAsQUUI\\TyUoYoQs.exe"	TyUoYoQs.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\iQcIYgww	GkIwIIIs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\iQcIYgww\oUwQoEwM	GkIwIIIs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3476	reg.exe
3628	reg.exe
2804	reg.exe
2320	reg.exe
4208	reg.exe
2568	reg.exe
3156	reg.exe
4224	reg.exe
4828	reg.exe
996	reg.exe
3544	reg.exe
3164	reg.exe
4584	reg.exe
4592	reg.exe
4896	reg.exe
4268	reg.exe
1452	reg.exe
1564	reg.exe
2060	reg.exe
2356	reg.exe
5100	reg.exe
668	reg.exe
4776	reg.exe
3932	reg.exe
4104	reg.exe
4444	reg.exe
3748	reg.exe
2756	reg.exe
5088	reg.exe
3828	reg.exe
3476	reg.exe
1276	reg.exe
4252	reg.exe
3256	reg.exe
436	reg.exe
112	reg.exe
3964	reg.exe
4432	reg.exe
4944	reg.exe
3160	reg.exe
1116	reg.exe
3112	reg.exe
1452	reg.exe
1112	reg.exe
4808	reg.exe
4980	reg.exe
1364	reg.exe
4760	reg.exe
2824	reg.exe
2148	reg.exe
1968	reg.exe
4076	reg.exe
1076	reg.exe
4000	reg.exe
4248	reg.exe
4232	reg.exe
1476	reg.exe
3996	reg.exe
1456	reg.exe
1284	reg.exe
432	reg.exe
1976	reg.exe
4252	reg.exe
4908	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4384	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4384	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4384	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4384	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
2468	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
2468	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
2468	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
2468	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4148	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4148	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4148	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4148	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4368	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4368	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4368	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4368	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
228	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
228	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
228	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
228	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
1284	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
1284	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
1284	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
1284	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
412	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
412	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
412	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
412	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4080	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4080	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4080	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4080	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
2700	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
2700	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
2700	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
2700	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
1300	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
1300	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
1300	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
1300	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
3852	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
3852	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
3852	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
3852	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
3764	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
3764	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
3764	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
3764	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
4220	cscript.exe
4220	cscript.exe
4220	cscript.exe
4220	cscript.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 4816	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	83
PID 4908 wrote to memory of 4816	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	83
PID 4908 wrote to memory of 4816	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	83
PID 4908 wrote to memory of 2064	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	84
PID 4908 wrote to memory of 2064	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	84
PID 4908 wrote to memory of 2064	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	84
PID 4908 wrote to memory of 1040	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	86
PID 4908 wrote to memory of 1040	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	86
PID 4908 wrote to memory of 1040	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	86
PID 1040 wrote to memory of 3496	1040	cmd.exe	88
PID 1040 wrote to memory of 3496	1040	cmd.exe	88
PID 1040 wrote to memory of 3496	1040	cmd.exe	88
PID 4908 wrote to memory of 4692	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	89
PID 4908 wrote to memory of 4692	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	89
PID 4908 wrote to memory of 4692	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	89
PID 4908 wrote to memory of 884	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	91
PID 4908 wrote to memory of 884	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	91
PID 4908 wrote to memory of 884	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	91
PID 4908 wrote to memory of 4216	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	93
PID 4908 wrote to memory of 4216	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	93
PID 4908 wrote to memory of 4216	4908	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	93
PID 3496 wrote to memory of 112	3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	95
PID 3496 wrote to memory of 112	3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	95
PID 3496 wrote to memory of 112	3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	95
PID 112 wrote to memory of 2208	112	cmd.exe	97
PID 112 wrote to memory of 2208	112	cmd.exe	97
PID 112 wrote to memory of 2208	112	cmd.exe	97
PID 3496 wrote to memory of 5008	3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	98
PID 3496 wrote to memory of 5008	3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	98
PID 3496 wrote to memory of 5008	3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	98
PID 3496 wrote to memory of 4732	3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	105
PID 3496 wrote to memory of 4732	3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	105
PID 3496 wrote to memory of 4732	3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	105
PID 3496 wrote to memory of 4668	3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	99
PID 3496 wrote to memory of 4668	3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	99
PID 3496 wrote to memory of 4668	3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	99
PID 3496 wrote to memory of 3020	3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	103
PID 3496 wrote to memory of 3020	3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	103
PID 3496 wrote to memory of 3020	3496	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	103
PID 2208 wrote to memory of 4860	2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	106
PID 2208 wrote to memory of 4860	2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	106
PID 2208 wrote to memory of 4860	2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	106
PID 4860 wrote to memory of 4384	4860	cmd.exe	108
PID 4860 wrote to memory of 4384	4860	cmd.exe	108
PID 4860 wrote to memory of 4384	4860	cmd.exe	108
PID 2208 wrote to memory of 4972	2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	109
PID 2208 wrote to memory of 4972	2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	109
PID 2208 wrote to memory of 4972	2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	109
PID 2208 wrote to memory of 4104	2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	110
PID 2208 wrote to memory of 4104	2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	110
PID 2208 wrote to memory of 4104	2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	110
PID 2208 wrote to memory of 4444	2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	111
PID 2208 wrote to memory of 4444	2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	111
PID 2208 wrote to memory of 4444	2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	111
PID 2208 wrote to memory of 3324	2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	112
PID 2208 wrote to memory of 3324	2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	112
PID 2208 wrote to memory of 3324	2208	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	112
PID 3020 wrote to memory of 392	3020	cmd.exe	117
PID 3020 wrote to memory of 392	3020	cmd.exe	117
PID 3020 wrote to memory of 392	3020	cmd.exe	117
PID 3324 wrote to memory of 3580	3324	cmd.exe	118
PID 3324 wrote to memory of 3580	3324	cmd.exe	118
PID 3324 wrote to memory of 3580	3324	cmd.exe	118
PID 4384 wrote to memory of 768	4384	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe	119

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
"C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\iQcIYgww\oUwQoEwM.exe
  "C:\Users\Admin\iQcIYgww\oUwQoEwM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4816
- C:\ProgramData\JaAsQUUI\TyUoYoQs.exe
  "C:\ProgramData\JaAsQUUI\TyUoYoQs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
    C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:112
    - - C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        8⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        10⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yykQAgYY.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        10⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKosIQsw.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        8⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        8⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        9⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naYsUgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        8⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1936
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4972
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4104
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:4444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAMEgcUY.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3580
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:5008
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkMIIMYA.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:392
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
    3⤵
    PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
      C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      System policy modification
      PID:4592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        5⤵
        
        PID:1784
      - C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        6⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        7⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        8⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        9⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        10⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        11⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        12⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkQkIIkg.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        13⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMYooMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        11⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        UAC bypass
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pywYwIEI.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        9⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYYIgEIo.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        7⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:4228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQEcoMUw.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        5⤵
        
        PID:5108
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:5056
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:1976
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:4368
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Modifies registry key
    PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGckkEYM.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
    3⤵
    PID:1812
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3084
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:364
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:884
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMUEcsEg.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
  2⤵
  PID:4156
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3648

C:\ProgramData\RmQgcwww\GkIwIIIs.exe
C:\ProgramData\RmQgcwww\GkIwIIIs.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3396

C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
  2⤵
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
    C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
      4⤵
      PID:2972
    - - C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        6⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        8⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        10⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        12⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        14⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        16⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        18⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        20⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        21⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        22⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        23⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        24⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        25⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        26⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        27⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        28⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        29⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        30⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        31⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOwgIsAE.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        30⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        31⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        32⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        33⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        34⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        35⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        36⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        37⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIcUEEQc.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        38⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        38⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqIkEUMk.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        36⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAoYsEgw.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        34⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqckcAAc.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        28⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIwgMAYE.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        26⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CewQsIQs.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        24⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKQIoMEs.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        22⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        Modifies registry key
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYMkUcQk.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        20⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EoMEwwMw.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        18⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        19⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        20⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        21⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tycIEcAg.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        20⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:4484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        UAC bypass
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAcoIQUU.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        16⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuAcQUwI.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        14⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGQYgYMk.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        12⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        UAC bypass
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUEUoAkY.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        10⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgwoEsMw.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        8⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        7⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqIwcAAM.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        8⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        8⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HskcYAok.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        8⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:640
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1456
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2512
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngQEQYIw.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        6⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaogEswA.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        8⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        8⤵
        
        PID:5048
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWEQIogg.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        6⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2632
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:1076
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4072
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:3476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        6⤵
        
        PID:3428
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4248
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyMAoQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
      4⤵
      PID:1444
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3684
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3748
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3068
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMAsIocA.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
  2⤵
  PID:3952
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
1⤵
PID:3484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eysMMkYA.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
  2⤵
  PID:4772
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1124
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1916
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2356
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
1⤵
PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiYUQIEs.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
  2⤵
  PID:904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
1⤵
PID:3792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQsoAkYM.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
  2⤵
  PID:4328
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3996
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
    C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
    3⤵
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:4000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
1⤵
PID:3504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
  2⤵
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
    C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
    3⤵
    PID:4220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dsgMoIIc.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:3112
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
      4⤵
      PID:3340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAAYAoQI.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
  2⤵
  PID:2364
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1116
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3208
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
1⤵
PID:3600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgwAQgwY.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
  2⤵
  PID:1076
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1692
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3164
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3476
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1364
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
  2⤵
  PID:2860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGMwAYAY.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
  2⤵
  PID:2476
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4748
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1276
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
1⤵
PID:3932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
  2⤵
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
    C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
    3⤵
    PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQEcccwA.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
      4⤵
      PID:4260
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1412
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:2060
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4256
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
      4⤵
      PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
      C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
      4⤵
      PID:4216
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4368
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      UAC bypass
      PID:5056
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2568
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWkccIoY.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
  2⤵
  PID:1324
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:668
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2148
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIUQscIE.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
1⤵
PID:4876
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
1⤵
PID:2168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
1⤵
PID:4000
- C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
  C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
  2⤵
  PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
    3⤵
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
      C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
      4⤵
      PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MckkIYEE.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocMskIso.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
1⤵
PID:4856
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3488
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:1112
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - UAC bypass
    PID:1116
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
    3⤵
    PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
1⤵
PID:1820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
1⤵
PID:3788
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1244
- C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
  C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
  2⤵
  PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
      C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
      4⤵
      PID:4936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        5⤵
        
        PID:3692
      - C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        6⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        7⤵
        
        PID:4224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        8⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        9⤵
        
        PID:1216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        10⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        11⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        12⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        13⤵
        
        PID:2708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        14⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        15⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        17⤵
        
        PID:1040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        18⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        19⤵
        
        PID:3532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        21⤵
        
        PID:452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        22⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        23⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        24⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        25⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        27⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        29⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        UAC bypass
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        31⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        32⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        33⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        34⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        35⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        36⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        37⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmMwAQEA.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        34⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUYQAooc.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        32⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        Modifies registry key
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        30⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        31⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        32⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        33⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        34⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        35⤵
        
        PID:2272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        36⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        37⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        38⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        39⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        40⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        41⤵
        Modifies visibility of file extensions in Explorer
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        42⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        44⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        45⤵
        
        PID:4668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        UAC bypass
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        46⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        47⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        48⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        49⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        50⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        51⤵
        
        PID:996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        52⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        53⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        54⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        55⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        56⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        57⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        58⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        59⤵
        
        PID:816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        60⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        61⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        62⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        63⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        64⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        65⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        66⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        67⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        68⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        69⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
        
        C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
        70⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
        71⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqgYQYUI.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        71⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        72⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        71⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        71⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        71⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIcIgcAs.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        69⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        70⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        69⤵
        Modifies registry key
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        69⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        69⤵
        Modifies registry key
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWMskUkU.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        67⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        68⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        67⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        67⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        67⤵
        Modifies registry key
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMckcQIY.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        65⤵
        
        PID:4776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        66⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        65⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        65⤵
        Modifies registry key
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        65⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYUQMwAA.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        63⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        64⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        63⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        63⤵
        Modifies registry key
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        63⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaoIkAUc.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        61⤵
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        62⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        61⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        61⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        61⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSUMYIgU.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        59⤵
        
        PID:452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        60⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        59⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        59⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        59⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEEYAsYY.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        57⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        58⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        57⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        Modifies registry key
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIMoUUYg.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        55⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        55⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        55⤵
        Modifies registry key
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        55⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuYkIgco.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        53⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        54⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaokkEYA.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        51⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        52⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        Modifies registry key
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaQgIYQg.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        49⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        50⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        UAC bypass
        Modifies registry key
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqggEwIc.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        47⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        Modifies registry key
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGIEwAIA.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        45⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        Modifies registry key
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGwEwgwk.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        43⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        Modifies registry key
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        UAC bypass
        
        PID:1548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqksoEYw.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        41⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoUAQMYg.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        39⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGIAcsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        37⤵
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        Modifies registry key
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQUQkksc.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        35⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        
        PID:2816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        
        PID:4120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COAcAYYs.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        33⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        
        PID:1340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        
        PID:3712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQcwcQQw.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        31⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        Modifies registry key
        
        PID:3156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWogIIUo.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        29⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        Modifies registry key
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        UAC bypass
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies registry key
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkskswEY.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        27⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsUAIgIs.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        25⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        
        PID:3084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        Modifies registry key
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teMwYMYE.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        23⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        UAC bypass
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies registry key
        
        PID:4208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deIwQMYA.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        21⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        Modifies registry key
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        Modifies registry key
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\weQgEgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        19⤵
        
        PID:756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        
        PID:2644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        
        PID:2848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suQUUsIA.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        17⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        Modifies registry key
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwMkwEEY.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        15⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        
        PID:4828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        
        PID:3696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awIIEggs.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsgoIQgE.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        
        PID:3400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQAUMswM.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        9⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmIcUMwY.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        7⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:728
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmUEUkgY.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
        5⤵
        
        PID:3260
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1824
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:4776
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4084
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1604
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUwUMgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
    3⤵
    PID:3020
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2252
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4032
- - C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
    C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
    3⤵
    PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ymkkscwk.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
1⤵
PID:5076
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:32

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAUUYIEg.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
1⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
1⤵
PID:3792
- C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
  C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
  2⤵
  PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
1⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIQkYUgI.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
1⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
1⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
1⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMMwAsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
1⤵
PID:4556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
1⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUIYMQYU.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
1⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:536

C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
1⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
1⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
1⤵
PID:1916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e
1⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUcAsEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e.exe""
1⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:4584
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
1⤵
PID:2372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\JaAsQUUI\TyUoYoQs.exe

Filesize
484KB

MD5
83dc529aefb44f38ad83260d66f41cd5

SHA1
dea77cc56ee2ab19cd861dfc150daf210a140d55

SHA256
3f96163bf29ae2c5bad01161911f3efae90a7a759311c865b5ba8c2fb04f909a

SHA512
3e134ef9494426e6b91376929dd08c4446426e6fe9d03028c00cecdbf2555daa1ec2a39b8c65b2063d4d15e7f365d504496810efc8779c4784bb3a21e6b97c9b

Download Submit
C:\ProgramData\JaAsQUUI\TyUoYoQs.exe

Filesize
484KB

MD5
83dc529aefb44f38ad83260d66f41cd5

SHA1
dea77cc56ee2ab19cd861dfc150daf210a140d55

SHA256
3f96163bf29ae2c5bad01161911f3efae90a7a759311c865b5ba8c2fb04f909a

SHA512
3e134ef9494426e6b91376929dd08c4446426e6fe9d03028c00cecdbf2555daa1ec2a39b8c65b2063d4d15e7f365d504496810efc8779c4784bb3a21e6b97c9b

Download Submit
C:\ProgramData\RmQgcwww\GkIwIIIs.exe

Filesize
483KB

MD5
3bc2ae5a5111bbf41ebd8163e80fb8a0

SHA1
314e8bd6b0c734b098c2c2bdf23d501175666b2a

SHA256
b731643db005872f9e30a4a78d9ab73818afca5d6b8b4263a427dfdb68e1f25e

SHA512
16659936fe4a2caa1cc366c2aa33cad023be4b331e8269c24a75eb671f34493bf86800afc1267528d3447d5b77b3bc79faf1138ff3048f139e5b0e817d379fcf

Download Submit
C:\ProgramData\RmQgcwww\GkIwIIIs.exe

Filesize
483KB

MD5
3bc2ae5a5111bbf41ebd8163e80fb8a0

SHA1
314e8bd6b0c734b098c2c2bdf23d501175666b2a

SHA256
b731643db005872f9e30a4a78d9ab73818afca5d6b8b4263a427dfdb68e1f25e

SHA512
16659936fe4a2caa1cc366c2aa33cad023be4b331e8269c24a75eb671f34493bf86800afc1267528d3447d5b77b3bc79faf1138ff3048f139e5b0e817d379fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f37a5838762ee598ec925d80b741116ba37c8f1605859f5164bbb8cc42125e

Filesize
75KB

MD5
3df360b9de481c9f41b562c14765b03d

SHA1
00a7c134ef5e34efabff9a14506ca372e5459b4a

SHA256
c491fc25d5ccc0a745bd55720fbcf72b6c67e8a26862ad8934dab998098ad39e

SHA512
f0e03911a8f636f0c94bdfde7a9bc53b012d2d906825da0396ea3224948aa1a3f4ce87785e9fced4eae02961c6d03acb5681d226713cc853ff6f1cce5e382fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CewQsIQs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoMEwwMw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqckcAAc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGQYgYMk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAcoIQUU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGckkEYM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAMEgcUY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VOwgIsAE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VyMAoQsQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgwoEsMw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKosIQsw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYMkUcQk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMAsIocA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuAcQUwI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngQEQYIw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUEUoAkY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tKQIoMEs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkMIIMYA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yykQAgYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIwgMAYE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\iQcIYgww\oUwQoEwM.exe

Filesize
482KB

MD5
bfbc8ad044f231d5ba228f98b3112217

SHA1
dcf5f7db7487c7cf11f0100d356d40ddb5925dee

SHA256
d11c51ac86e0aa9d7e964ed2edd96dcb86d0db705dee95de5238d8af3f6be8ba

SHA512
3a32a0ce6c0622e7a5d263cd7aa0c661abe567501b0e0060c56618531917ac8d5b746997657d926c56060b09e02d0d4233ee0375824d997abf6c46dd66a3b425

Download Submit
C:\Users\Admin\iQcIYgww\oUwQoEwM.exe

Filesize
482KB

MD5
bfbc8ad044f231d5ba228f98b3112217

SHA1
dcf5f7db7487c7cf11f0100d356d40ddb5925dee

SHA256
d11c51ac86e0aa9d7e964ed2edd96dcb86d0db705dee95de5238d8af3f6be8ba

SHA512
3a32a0ce6c0622e7a5d263cd7aa0c661abe567501b0e0060c56618531917ac8d5b746997657d926c56060b09e02d0d4233ee0375824d997abf6c46dd66a3b425

Download Submit
memory/228-224-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/228-313-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/228-314-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/412-240-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/436-304-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1156-286-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1156-285-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1284-226-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1284-235-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1300-255-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1452-310-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1452-309-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1628-302-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1916-315-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2056-296-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2064-297-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2064-142-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2208-157-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2208-166-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2236-300-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2236-299-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2468-189-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2568-271-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2568-270-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2660-311-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2700-246-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2700-251-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3396-298-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3396-143-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3484-308-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3496-156-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3504-319-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3504-318-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3548-312-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3556-306-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3556-307-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3600-322-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3764-263-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3852-258-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4080-247-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4080-245-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4148-201-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4148-196-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4168-303-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4216-323-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4216-321-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4220-320-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4220-267-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4368-212-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4384-178-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4508-317-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4592-295-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4592-294-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4692-289-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4716-316-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4816-293-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4816-141-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4880-277-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4880-281-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4908-132-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4908-292-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5000-275-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5000-305-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5024-301-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download