caf95c614009163f06b890c747376d3a06513aa6498f3378cafe6391b7470015

Analysis

max time kernel
224s
max time network
230s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bc932bf53710c0dc37e3a16c0975a1c.exe
Size

464KB
MD5

2bc932bf53710c0dc37e3a16c0975a1c
SHA1

83bd73dd212ac325f61ec9c16d27b9f5368c1926
SHA256

caf95c614009163f06b890c747376d3a06513aa6498f3378cafe6391b7470015
SHA512

ecb9177e9ac0d39c43d8610578614af8aad09dcc5d8d261197a2e1968c0ceded5c02544b64a9d22b4717abb41f0b8127a62c878296cbe89a7325d94106098c3f
SSDEEP

12288:OFzFvBhbCs9GH2wgtsB6+y3PaOPeJDrRnKasZzb:OFz9GiN8fyFeJD9X4zb

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 37 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 37 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1792	VCQgEAwM.exe
5004	GuUYgAIo.exe
1392	CakogwUQ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCQgEAwM.exe = "C:\\Users\\Admin\\UCEcQsIQ\\VCQgEAwM.exe"	VCQgEAwM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GuUYgAIo.exe = "C:\\ProgramData\\ySoMwkUc\\GuUYgAIo.exe"	GuUYgAIo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GuUYgAIo.exe = "C:\\ProgramData\\ySoMwkUc\\GuUYgAIo.exe"	CakogwUQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCQgEAwM.exe = "C:\\Users\\Admin\\UCEcQsIQ\\VCQgEAwM.exe"	2bc932bf53710c0dc37e3a16c0975a1c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GuUYgAIo.exe = "C:\\ProgramData\\ySoMwkUc\\GuUYgAIo.exe"	2bc932bf53710c0dc37e3a16c0975a1c.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\UCEcQsIQ	CakogwUQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\UCEcQsIQ\VCQgEAwM	CakogwUQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3584	reg.exe
2276	reg.exe
5636	reg.exe
5260	reg.exe
2004	reg.exe
4860	reg.exe
820	reg.exe
4592	reg.exe
5408	reg.exe
3548	reg.exe
4800	reg.exe
4600	reg.exe
1520	reg.exe
4916	reg.exe
5628	reg.exe
760	reg.exe
2064	reg.exe
4800	reg.exe
2412	reg.exe
1840	reg.exe
1524	reg.exe
2464	reg.exe
4600	reg.exe
4180	reg.exe
5128	reg.exe
5588	reg.exe
2216	reg.exe
4840	reg.exe
4964	reg.exe
3932	reg.exe
1604	reg.exe
1868	reg.exe
4524	reg.exe
5292	reg.exe
5640	reg.exe
5748	reg.exe
820	reg.exe
1144	reg.exe
4052	reg.exe
220	reg.exe
5788	reg.exe
4940	reg.exe
5452	reg.exe
4792	reg.exe
4916	reg.exe
1864	reg.exe
5908	reg.exe
6064	reg.exe
1824	reg.exe
3064	reg.exe
2556	reg.exe
3268	reg.exe
3904	reg.exe
2556	reg.exe
5644	reg.exe
5484	reg.exe
4020	reg.exe
3424	reg.exe
5608	reg.exe
4648	reg.exe
1652	reg.exe
5172	reg.exe
4000	reg.exe
1924	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1708	2bc932bf53710c0dc37e3a16c0975a1c.exe
1708	2bc932bf53710c0dc37e3a16c0975a1c.exe
1708	2bc932bf53710c0dc37e3a16c0975a1c.exe
1708	2bc932bf53710c0dc37e3a16c0975a1c.exe
4048	2bc932bf53710c0dc37e3a16c0975a1c.exe
4048	2bc932bf53710c0dc37e3a16c0975a1c.exe
4048	2bc932bf53710c0dc37e3a16c0975a1c.exe
4048	2bc932bf53710c0dc37e3a16c0975a1c.exe
1656	2bc932bf53710c0dc37e3a16c0975a1c.exe
1656	2bc932bf53710c0dc37e3a16c0975a1c.exe
1656	2bc932bf53710c0dc37e3a16c0975a1c.exe
1656	2bc932bf53710c0dc37e3a16c0975a1c.exe
1972	2bc932bf53710c0dc37e3a16c0975a1c.exe
1972	2bc932bf53710c0dc37e3a16c0975a1c.exe
1972	2bc932bf53710c0dc37e3a16c0975a1c.exe
1972	2bc932bf53710c0dc37e3a16c0975a1c.exe
1008	2bc932bf53710c0dc37e3a16c0975a1c.exe
1008	2bc932bf53710c0dc37e3a16c0975a1c.exe
1008	2bc932bf53710c0dc37e3a16c0975a1c.exe
1008	2bc932bf53710c0dc37e3a16c0975a1c.exe
3436	2bc932bf53710c0dc37e3a16c0975a1c.exe
3436	2bc932bf53710c0dc37e3a16c0975a1c.exe
3436	2bc932bf53710c0dc37e3a16c0975a1c.exe
3436	2bc932bf53710c0dc37e3a16c0975a1c.exe
4632	2bc932bf53710c0dc37e3a16c0975a1c.exe
4632	2bc932bf53710c0dc37e3a16c0975a1c.exe
4632	2bc932bf53710c0dc37e3a16c0975a1c.exe
4632	2bc932bf53710c0dc37e3a16c0975a1c.exe
1744	2bc932bf53710c0dc37e3a16c0975a1c.exe
1744	2bc932bf53710c0dc37e3a16c0975a1c.exe
1744	2bc932bf53710c0dc37e3a16c0975a1c.exe
1744	2bc932bf53710c0dc37e3a16c0975a1c.exe
1196	2bc932bf53710c0dc37e3a16c0975a1c.exe
1196	2bc932bf53710c0dc37e3a16c0975a1c.exe
1196	2bc932bf53710c0dc37e3a16c0975a1c.exe
1196	2bc932bf53710c0dc37e3a16c0975a1c.exe
2276	2bc932bf53710c0dc37e3a16c0975a1c.exe
2276	2bc932bf53710c0dc37e3a16c0975a1c.exe
2276	2bc932bf53710c0dc37e3a16c0975a1c.exe
2276	2bc932bf53710c0dc37e3a16c0975a1c.exe
4372	2bc932bf53710c0dc37e3a16c0975a1c.exe
4372	2bc932bf53710c0dc37e3a16c0975a1c.exe
4372	2bc932bf53710c0dc37e3a16c0975a1c.exe
4372	2bc932bf53710c0dc37e3a16c0975a1c.exe
4368	2bc932bf53710c0dc37e3a16c0975a1c.exe
4368	2bc932bf53710c0dc37e3a16c0975a1c.exe
4368	2bc932bf53710c0dc37e3a16c0975a1c.exe
4368	2bc932bf53710c0dc37e3a16c0975a1c.exe
3972	2bc932bf53710c0dc37e3a16c0975a1c.exe
3972	2bc932bf53710c0dc37e3a16c0975a1c.exe
3972	2bc932bf53710c0dc37e3a16c0975a1c.exe
3972	2bc932bf53710c0dc37e3a16c0975a1c.exe
1916	2bc932bf53710c0dc37e3a16c0975a1c.exe
1916	2bc932bf53710c0dc37e3a16c0975a1c.exe
1916	2bc932bf53710c0dc37e3a16c0975a1c.exe
1916	2bc932bf53710c0dc37e3a16c0975a1c.exe
5012	2bc932bf53710c0dc37e3a16c0975a1c.exe
5012	2bc932bf53710c0dc37e3a16c0975a1c.exe
5012	2bc932bf53710c0dc37e3a16c0975a1c.exe
5012	2bc932bf53710c0dc37e3a16c0975a1c.exe
248	2bc932bf53710c0dc37e3a16c0975a1c.exe
248	2bc932bf53710c0dc37e3a16c0975a1c.exe
248	2bc932bf53710c0dc37e3a16c0975a1c.exe
248	2bc932bf53710c0dc37e3a16c0975a1c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1792	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	91
PID 1708 wrote to memory of 1792	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	91
PID 1708 wrote to memory of 1792	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	91
PID 1708 wrote to memory of 5004	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	92
PID 1708 wrote to memory of 5004	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	92
PID 1708 wrote to memory of 5004	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	92
PID 1708 wrote to memory of 3156	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	94
PID 1708 wrote to memory of 3156	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	94
PID 1708 wrote to memory of 3156	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	94
PID 1708 wrote to memory of 3476	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	102
PID 1708 wrote to memory of 3476	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	102
PID 1708 wrote to memory of 3476	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	102
PID 1708 wrote to memory of 1864	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	101
PID 1708 wrote to memory of 1864	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	101
PID 1708 wrote to memory of 1864	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	101
PID 1708 wrote to memory of 3100	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	96
PID 1708 wrote to memory of 3100	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	96
PID 1708 wrote to memory of 3100	1708	2bc932bf53710c0dc37e3a16c0975a1c.exe	96
PID 3156 wrote to memory of 4048	3156	cmd.exe	103
PID 3156 wrote to memory of 4048	3156	cmd.exe	103
PID 3156 wrote to memory of 4048	3156	cmd.exe	103
PID 4048 wrote to memory of 4752	4048	2bc932bf53710c0dc37e3a16c0975a1c.exe	104
PID 4048 wrote to memory of 4752	4048	2bc932bf53710c0dc37e3a16c0975a1c.exe	104
PID 4048 wrote to memory of 4752	4048	2bc932bf53710c0dc37e3a16c0975a1c.exe	104
PID 4048 wrote to memory of 4616	4048	2bc932bf53710c0dc37e3a16c0975a1c.exe	105
PID 4048 wrote to memory of 4616	4048	2bc932bf53710c0dc37e3a16c0975a1c.exe	105
PID 4048 wrote to memory of 4616	4048	2bc932bf53710c0dc37e3a16c0975a1c.exe	105
PID 4048 wrote to memory of 1548	4048	2bc932bf53710c0dc37e3a16c0975a1c.exe	108
PID 4048 wrote to memory of 1548	4048	2bc932bf53710c0dc37e3a16c0975a1c.exe	108
PID 4048 wrote to memory of 1548	4048	2bc932bf53710c0dc37e3a16c0975a1c.exe	108
PID 4048 wrote to memory of 4684	4048	2bc932bf53710c0dc37e3a16c0975a1c.exe	106
PID 4048 wrote to memory of 4684	4048	2bc932bf53710c0dc37e3a16c0975a1c.exe	106
PID 4048 wrote to memory of 4684	4048	2bc932bf53710c0dc37e3a16c0975a1c.exe	106
PID 4048 wrote to memory of 392	4048	2bc932bf53710c0dc37e3a16c0975a1c.exe	107
PID 4048 wrote to memory of 392	4048	2bc932bf53710c0dc37e3a16c0975a1c.exe	107
PID 4048 wrote to memory of 392	4048	2bc932bf53710c0dc37e3a16c0975a1c.exe	107
PID 4752 wrote to memory of 1656	4752	cmd.exe	114
PID 4752 wrote to memory of 1656	4752	cmd.exe	114
PID 4752 wrote to memory of 1656	4752	cmd.exe	114
PID 1656 wrote to memory of 3536	1656	2bc932bf53710c0dc37e3a16c0975a1c.exe	115
PID 1656 wrote to memory of 3536	1656	2bc932bf53710c0dc37e3a16c0975a1c.exe	115
PID 1656 wrote to memory of 3536	1656	2bc932bf53710c0dc37e3a16c0975a1c.exe	115
PID 1656 wrote to memory of 220	1656	2bc932bf53710c0dc37e3a16c0975a1c.exe	116
PID 1656 wrote to memory of 220	1656	2bc932bf53710c0dc37e3a16c0975a1c.exe	116
PID 1656 wrote to memory of 220	1656	2bc932bf53710c0dc37e3a16c0975a1c.exe	116
PID 1656 wrote to memory of 4792	1656	2bc932bf53710c0dc37e3a16c0975a1c.exe	117
PID 1656 wrote to memory of 4792	1656	2bc932bf53710c0dc37e3a16c0975a1c.exe	117
PID 1656 wrote to memory of 4792	1656	2bc932bf53710c0dc37e3a16c0975a1c.exe	117
PID 1656 wrote to memory of 760	1656	2bc932bf53710c0dc37e3a16c0975a1c.exe	118
PID 1656 wrote to memory of 760	1656	2bc932bf53710c0dc37e3a16c0975a1c.exe	118
PID 1656 wrote to memory of 760	1656	2bc932bf53710c0dc37e3a16c0975a1c.exe	118
PID 1656 wrote to memory of 2712	1656	2bc932bf53710c0dc37e3a16c0975a1c.exe	119
PID 1656 wrote to memory of 2712	1656	2bc932bf53710c0dc37e3a16c0975a1c.exe	119
PID 1656 wrote to memory of 2712	1656	2bc932bf53710c0dc37e3a16c0975a1c.exe	119
PID 3536 wrote to memory of 1972	3536	cmd.exe	125
PID 3536 wrote to memory of 1972	3536	cmd.exe	125
PID 3536 wrote to memory of 1972	3536	cmd.exe	125
PID 1972 wrote to memory of 4296	1972	2bc932bf53710c0dc37e3a16c0975a1c.exe	126
PID 1972 wrote to memory of 4296	1972	2bc932bf53710c0dc37e3a16c0975a1c.exe	126
PID 1972 wrote to memory of 4296	1972	2bc932bf53710c0dc37e3a16c0975a1c.exe	126
PID 4296 wrote to memory of 1008	4296	cmd.exe	128
PID 4296 wrote to memory of 1008	4296	cmd.exe	128
PID 4296 wrote to memory of 1008	4296	cmd.exe	128
PID 1972 wrote to memory of 4812	1972	2bc932bf53710c0dc37e3a16c0975a1c.exe	129

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
"C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\UCEcQsIQ\VCQgEAwM.exe
  "C:\Users\Admin\UCEcQsIQ\VCQgEAwM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1792
- C:\ProgramData\ySoMwkUc\GuUYgAIo.exe
  "C:\ProgramData\ySoMwkUc\GuUYgAIo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
    C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4752
    - - C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        10⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        12⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        14⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        16⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        18⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        20⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        22⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        24⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        26⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        28⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        30⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        32⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        33⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        34⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        35⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        36⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        37⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        38⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        39⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        40⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        41⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        42⤵
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        43⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        44⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        45⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        46⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        47⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        48⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        49⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        50⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        51⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        52⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        53⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        54⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        55⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        56⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        57⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        58⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        59⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        60⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        61⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        62⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        63⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        64⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        65⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        66⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        67⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        68⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        69⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        70⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        71⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        72⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        73⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        74⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        75⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        76⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        77⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:5608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGgUoQME.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        76⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACsEMIUE.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        74⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:5452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:5588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgoMgsIo.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        72⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYUwkwcs.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        70⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:5260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgEUYkkY.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        68⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcQYMsEM.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        66⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:5768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuQEMIAA.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        64⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSUgQEIY.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        62⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:5748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYwUkQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        60⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:5484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twgwwgcc.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        58⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywAwMUgU.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        56⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmIgAIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        54⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqkwAcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        52⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:5900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:6064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:5788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAwEIEIM.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        50⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:5336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgYsUQUo.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        48⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:5172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwoYUUUM.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        46⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUAMEsko.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        44⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:5908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuAgEEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        42⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:5644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:5636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:5300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:5292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqcYwAgA.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        40⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyYscoEU.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        38⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkUQMccc.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        36⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqkYIgYk.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        34⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUYosssE.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        32⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUsgQYYg.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        30⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baQwYYcE.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        28⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWoskgEY.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        26⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncoEwwEw.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        24⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsEIcEso.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        22⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgoYAckA.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        20⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKgcsYkc.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        18⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UycEcssg.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        16⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUwkIokE.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        14⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EoYAAQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        12⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUMYgoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        10⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAgYgQoM.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        8⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:664
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:220
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4792
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:760
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYwsoEkA.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        6⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2940
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4616
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noUggAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
      4⤵
      PID:392
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1492
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1548
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3100
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1864
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3476

C:\ProgramData\KKAwEQQU\CakogwUQ.exe
C:\ProgramData\KKAwEQQU\CakogwUQ.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KKAwEQQU\CakogwUQ.exe

Filesize
432KB

MD5
0bae513849d5beb7b5af34881c3d9ac8

SHA1
57b5ee94bae60b9039552a407998e6a0e2ab1825

SHA256
b5b7db8332baedfcddb666ac2403b3468dda7bd263174357dc1223ae353673d0

SHA512
2b027d2072e9f7361f68bd3922feabb646a33bd2725d3c10b2f61b0ef9c0cad9cd955c4f328feb7cdcad02cf7dc66834d7be809054658993060fbd18f64ee61d

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
475KB

MD5
5a3b11c21a692164f81e717d5aa83f0c

SHA1
2fa47f53c61cbbaefe46daaf2e89cbb51f5aba72

SHA256
17117f47afb8073aaaf404f5c62260d81d6f6464c18f5032bc8e7306e172132c

SHA512
5bc8fe8e6cc852fd96d2b319bdb3c824a4078d35d689044f5c343ba2d1cfee722e554d71f63f48252a9ad8644cb678d0680436cc2b5834258eea3d943cb816f3

Download Submit
C:\ProgramData\ySoMwkUc\GuUYgAIo.exe

Filesize
431KB

MD5
1878f5dc9ad960618875959ec4a142c1

SHA1
4a3c3e0dd270859745613fe2b9f729f61b5267c4

SHA256
84d213826ef63561effe959e9f377e632a8668c8eae544b48fe6dc4f42433d93

SHA512
65276150f1531752290c87a8c4fdf46d7cad65debc3b6a039f44265b931d3c7e835f68a5dbf254bc7bc2b265db7904ea3c9ed8df4d853e27ba923f067a4bd276

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIIg.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\Posw.exe

Filesize
477KB

MD5
8ab66d3854c0dc83517fa5501673cae4

SHA1
ecd38f8dd61d74a79ff311a25fe8245b5bd45ee3

SHA256
d9a85b471420069d96540c9d92ea188c1f73ab45446a61463ab6437344eeeade

SHA512
8b7d3ed0536c52cbab83ef3ccd3ad0880b14610ceb04eb634ce4595794cecfd60ef6499f7357f7832413b804cf5a6fe172cdb165c444aa423076fc761ada2dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIUC.exe

Filesize
460KB

MD5
efcb681c4d6365ca78a9441129922b1e

SHA1
0c10f28b3815486da53cb8d9cee2a82c026a0e2d

SHA256
555a132b0c6f1521d022b29a1a747e5b0e855695ad6d3096e812d70e3171c20e

SHA512
2ce55360a4805ef864339b6f3bf7624b7b6af9c0530dc3f1fedcd8a15b0185a337edf1640f97a8abe590572548835426059a3bd6979913152e0ae585efa6ffab

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMEo.exe

Filesize
1.3MB

MD5
1602c02ac821bffb5d8d9ac29c351bf1

SHA1
e91d21377ca4c55bf8c6d039756320c881190086

SHA256
a5c86d133021042b686f5399f7651e75e4f07143b28530a947c7ee2775934a48

SHA512
864d243fe5591609cdbee33a7be09aaed84c50e5e5456bdfee3c2e41a355c0d29331410b178328d0791070f816b713ed095c4b1e27bbf61ba3eb31cfc795a8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\noUggAEE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMQy.exe

Filesize
888KB

MD5
0835b9ea154108a24175bf21e128738f

SHA1
bbc848c7f00fa388f9324aa104899248a43e437e

SHA256
ffd78fc4f5929c5b6174e26305fa453b70e87df4548498b7f034308d3adee9ec

SHA512
a4c0f090de228ec9ad46f756cc2ca64e995655e41297c89a6f13036b32aca13935dac7b24fb1e25753ff9277beadc5a240bcc54850ef3f3474c0710c69b88000

Download Submit
C:\Users\Admin\AppData\Local\Temp\qssS.exe

Filesize
558KB

MD5
1b929bd2f38b13edb1560349e7384b40

SHA1
b8ab5c827b9e5e283581e1cd5df17053820e514f

SHA256
ad4e91ba081f1ede27f149d1cd1c9804b62faf3d36a6605e485fd9032ed38272

SHA512
2c7717728096c53dee34a95ab764469019fd7595819f407c948a8496123e35cf7d1cc121d938022e3f6b61d725a9af4565c40c8bb19d595c27c4baf6e185ef27

Download Submit
C:\Users\Admin\UCEcQsIQ\VCQgEAwM.exe

Filesize
435KB

MD5
5ce060a915111ff3e6f585659373e867

SHA1
9aef6160be6b675065697f524efd6bae8527540e

SHA256
23f612819c1467b27e275e92fba989534227714e8c8b3053c705589e816ed732

SHA512
9a399c8388e4168bffd019629e96782f9a29ea4a76a91e87d06efb14379962940ae14717b2783ab1ee2501b76383e927588fdd9895fa408d5208f77c6df0b900

Download Submit
memory/248-227-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1008-97-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1008-86-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1196-146-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1196-138-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1392-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1392-98-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1488-328-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1540-249-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1656-62-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1656-48-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1696-426-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1696-444-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1696-307-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1708-49-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1708-0-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1744-131-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1744-123-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1792-6-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1792-72-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1916-205-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1972-73-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1972-271-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1972-85-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2172-346-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2276-158-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2276-147-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2292-238-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2912-260-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3436-99-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3436-110-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3784-403-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3972-194-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3972-179-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4048-46-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4048-23-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4368-171-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4368-183-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4372-159-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4372-170-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4400-474-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4400-454-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4632-111-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4632-122-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5004-12-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5004-84-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5012-216-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5244-388-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5244-395-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5404-425-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5404-415-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5416-282-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5600-291-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5616-368-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5616-361-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5632-315-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5688-378-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5688-386-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5756-457-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5756-449-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5840-411-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/6064-377-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/6064-370-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/6108-299-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download