ff8387f2e24afe36297ed7def690218288cd778e44890e28021fa4beb5d56e22

Analysis

max time kernel
189s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65a02a8e633a935bf53a4d3347eebaa1.exe
Size

480KB
MD5

65a02a8e633a935bf53a4d3347eebaa1
SHA1

2d2f41067c56f0b87ef5d8cac3d56dfdb402289d
SHA256

ff8387f2e24afe36297ed7def690218288cd778e44890e28021fa4beb5d56e22
SHA512

2ebc702c5df681bcd521076b98eac58730bb7e44717340e21973bbd8844f5dc92198f9c0fffafb9e8b9b6859517b296bef8ebd9e435aec58194006360fafada5
SSDEEP

6144:IiMV3aQrQGx82Pq+Zd47f0vB/OJIeVtYmKXjNk8jsFiwMZ6o7zIbTc+X:INa9U8JtiOJFhYy8oF/Xk+

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	65a02a8e633a935bf53a4d3347eebaa1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	65a02a8e633a935bf53a4d3347eebaa1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1188	OgQAkEAk.exe
2064	NcIYsYIA.exe
4320	tKcswkgA.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NcIYsYIA.exe = "C:\\ProgramData\\smMYcQgs\\NcIYsYIA.exe"	NcIYsYIA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NcIYsYIA.exe = "C:\\ProgramData\\smMYcQgs\\NcIYsYIA.exe"	tKcswkgA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wGEAoAIY.exe = "C:\\Users\\Admin\\iYIUAgIA\\wGEAoAIY.exe"	65a02a8e633a935bf53a4d3347eebaa1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OgoEccIk.exe = "C:\\ProgramData\\fcYEoEUs\\OgoEccIk.exe"	65a02a8e633a935bf53a4d3347eebaa1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OgQAkEAk.exe = "C:\\Users\\Admin\\DyMEscIA\\OgQAkEAk.exe"	65a02a8e633a935bf53a4d3347eebaa1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NcIYsYIA.exe = "C:\\ProgramData\\smMYcQgs\\NcIYsYIA.exe"	65a02a8e633a935bf53a4d3347eebaa1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OgQAkEAk.exe = "C:\\Users\\Admin\\DyMEscIA\\OgQAkEAk.exe"	OgQAkEAk.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\DyMEscIA	tKcswkgA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\DyMEscIA\OgQAkEAk	tKcswkgA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1860	2376	WerFault.exe	973
2084	4480	WerFault.exe	972
3720	3448	WerFault.exe	975

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4888	reg.exe
4372	reg.exe
3504	reg.exe
1860	reg.exe
4120	reg.exe
2796	reg.exe
4876	reg.exe
3844	reg.exe
912	reg.exe
3288	reg.exe
4392	reg.exe
4036	reg.exe
4984	reg.exe
3964	reg.exe
324	reg.exe
4696	reg.exe
4696	reg.exe
4348	reg.exe
824	reg.exe
2804	reg.exe
1724	reg.exe
772	reg.exe
5028	reg.exe
1640	reg.exe
1468	reg.exe
4348	reg.exe
5080	reg.exe
3768	reg.exe
456	reg.exe
3368	reg.exe
884	reg.exe
2344	reg.exe
1456	reg.exe
4524	reg.exe
2148	reg.exe
2504	reg.exe
2352	reg.exe
4856	reg.exe
644	reg.exe
408	reg.exe
4836	reg.exe
1424	reg.exe
4452	reg.exe
1860	reg.exe
2740	reg.exe
2200	reg.exe
2592	reg.exe
3096	reg.exe
3740	reg.exe
1328	reg.exe
1788	reg.exe
4368	reg.exe
324	reg.exe
1316	reg.exe
4444	reg.exe
4392	reg.exe
4620	reg.exe
4004	reg.exe
688	reg.exe
1424	reg.exe
2720	reg.exe
2660	reg.exe
680	reg.exe
1124	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1636	65a02a8e633a935bf53a4d3347eebaa1.exe
1636	65a02a8e633a935bf53a4d3347eebaa1.exe
1636	65a02a8e633a935bf53a4d3347eebaa1.exe
1636	65a02a8e633a935bf53a4d3347eebaa1.exe
4800	65a02a8e633a935bf53a4d3347eebaa1.exe
4800	65a02a8e633a935bf53a4d3347eebaa1.exe
4800	65a02a8e633a935bf53a4d3347eebaa1.exe
4800	65a02a8e633a935bf53a4d3347eebaa1.exe
3292	65a02a8e633a935bf53a4d3347eebaa1.exe
3292	65a02a8e633a935bf53a4d3347eebaa1.exe
3292	65a02a8e633a935bf53a4d3347eebaa1.exe
3292	65a02a8e633a935bf53a4d3347eebaa1.exe
440	65a02a8e633a935bf53a4d3347eebaa1.exe
440	65a02a8e633a935bf53a4d3347eebaa1.exe
440	65a02a8e633a935bf53a4d3347eebaa1.exe
440	65a02a8e633a935bf53a4d3347eebaa1.exe
1456	65a02a8e633a935bf53a4d3347eebaa1.exe
1456	65a02a8e633a935bf53a4d3347eebaa1.exe
1456	65a02a8e633a935bf53a4d3347eebaa1.exe
1456	65a02a8e633a935bf53a4d3347eebaa1.exe
3396	65a02a8e633a935bf53a4d3347eebaa1.exe
3396	65a02a8e633a935bf53a4d3347eebaa1.exe
3396	65a02a8e633a935bf53a4d3347eebaa1.exe
3396	65a02a8e633a935bf53a4d3347eebaa1.exe
964	65a02a8e633a935bf53a4d3347eebaa1.exe
964	65a02a8e633a935bf53a4d3347eebaa1.exe
964	65a02a8e633a935bf53a4d3347eebaa1.exe
964	65a02a8e633a935bf53a4d3347eebaa1.exe
3472	65a02a8e633a935bf53a4d3347eebaa1.exe
3472	65a02a8e633a935bf53a4d3347eebaa1.exe
3472	65a02a8e633a935bf53a4d3347eebaa1.exe
3472	65a02a8e633a935bf53a4d3347eebaa1.exe
4780	reg.exe
4780	reg.exe
4780	reg.exe
4780	reg.exe
912	65a02a8e633a935bf53a4d3347eebaa1.exe
912	65a02a8e633a935bf53a4d3347eebaa1.exe
912	65a02a8e633a935bf53a4d3347eebaa1.exe
912	65a02a8e633a935bf53a4d3347eebaa1.exe
756	cscript.exe
756	cscript.exe
756	cscript.exe
756	cscript.exe
3988	65a02a8e633a935bf53a4d3347eebaa1.exe
3988	65a02a8e633a935bf53a4d3347eebaa1.exe
3988	65a02a8e633a935bf53a4d3347eebaa1.exe
3988	65a02a8e633a935bf53a4d3347eebaa1.exe
3616	65a02a8e633a935bf53a4d3347eebaa1.exe
3616	65a02a8e633a935bf53a4d3347eebaa1.exe
3616	65a02a8e633a935bf53a4d3347eebaa1.exe
3616	65a02a8e633a935bf53a4d3347eebaa1.exe
4596	65a02a8e633a935bf53a4d3347eebaa1.exe
4596	65a02a8e633a935bf53a4d3347eebaa1.exe
4596	65a02a8e633a935bf53a4d3347eebaa1.exe
4596	65a02a8e633a935bf53a4d3347eebaa1.exe
2584	cscript.exe
2584	cscript.exe
2584	cscript.exe
2584	cscript.exe
2560	Conhost.exe
2560	Conhost.exe
2560	Conhost.exe
2560	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1188	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	93
PID 1636 wrote to memory of 1188	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	93
PID 1636 wrote to memory of 1188	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	93
PID 1636 wrote to memory of 2064	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	94
PID 1636 wrote to memory of 2064	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	94
PID 1636 wrote to memory of 2064	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	94
PID 1636 wrote to memory of 3648	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	96
PID 1636 wrote to memory of 3648	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	96
PID 1636 wrote to memory of 3648	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	96
PID 1636 wrote to memory of 1316	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	97
PID 1636 wrote to memory of 1316	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	97
PID 1636 wrote to memory of 1316	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	97
PID 3648 wrote to memory of 4800	3648	cmd.exe	100
PID 3648 wrote to memory of 4800	3648	cmd.exe	100
PID 3648 wrote to memory of 4800	3648	cmd.exe	100
PID 1636 wrote to memory of 2452	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	99
PID 1636 wrote to memory of 2452	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	99
PID 1636 wrote to memory of 2452	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	99
PID 1636 wrote to memory of 4392	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	104
PID 1636 wrote to memory of 4392	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	104
PID 1636 wrote to memory of 4392	1636	65a02a8e633a935bf53a4d3347eebaa1.exe	104
PID 4800 wrote to memory of 4508	4800	65a02a8e633a935bf53a4d3347eebaa1.exe	105
PID 4800 wrote to memory of 4508	4800	65a02a8e633a935bf53a4d3347eebaa1.exe	105
PID 4800 wrote to memory of 4508	4800	65a02a8e633a935bf53a4d3347eebaa1.exe	105
PID 4800 wrote to memory of 2352	4800	65a02a8e633a935bf53a4d3347eebaa1.exe	107
PID 4800 wrote to memory of 2352	4800	65a02a8e633a935bf53a4d3347eebaa1.exe	107
PID 4800 wrote to memory of 2352	4800	65a02a8e633a935bf53a4d3347eebaa1.exe	107
PID 4800 wrote to memory of 416	4800	65a02a8e633a935bf53a4d3347eebaa1.exe	108
PID 4800 wrote to memory of 416	4800	65a02a8e633a935bf53a4d3347eebaa1.exe	108
PID 4800 wrote to memory of 416	4800	65a02a8e633a935bf53a4d3347eebaa1.exe	108
PID 4800 wrote to memory of 3368	4800	65a02a8e633a935bf53a4d3347eebaa1.exe	109
PID 4800 wrote to memory of 3368	4800	65a02a8e633a935bf53a4d3347eebaa1.exe	109
PID 4800 wrote to memory of 3368	4800	65a02a8e633a935bf53a4d3347eebaa1.exe	109
PID 4800 wrote to memory of 4968	4800	65a02a8e633a935bf53a4d3347eebaa1.exe	110
PID 4800 wrote to memory of 4968	4800	65a02a8e633a935bf53a4d3347eebaa1.exe	110
PID 4800 wrote to memory of 4968	4800	65a02a8e633a935bf53a4d3347eebaa1.exe	110
PID 4508 wrote to memory of 3292	4508	cmd.exe	115
PID 4508 wrote to memory of 3292	4508	cmd.exe	115
PID 4508 wrote to memory of 3292	4508	cmd.exe	115
PID 4968 wrote to memory of 756	4968	cmd.exe	116
PID 4968 wrote to memory of 756	4968	cmd.exe	116
PID 4968 wrote to memory of 756	4968	cmd.exe	116
PID 3292 wrote to memory of 368	3292	65a02a8e633a935bf53a4d3347eebaa1.exe	140
PID 3292 wrote to memory of 368	3292	65a02a8e633a935bf53a4d3347eebaa1.exe	140
PID 3292 wrote to memory of 368	3292	65a02a8e633a935bf53a4d3347eebaa1.exe	140
PID 368 wrote to memory of 440	368	cmd.exe	118
PID 368 wrote to memory of 440	368	cmd.exe	118
PID 368 wrote to memory of 440	368	cmd.exe	118
PID 3292 wrote to memory of 2148	3292	65a02a8e633a935bf53a4d3347eebaa1.exe	139
PID 3292 wrote to memory of 2148	3292	65a02a8e633a935bf53a4d3347eebaa1.exe	139
PID 3292 wrote to memory of 2148	3292	65a02a8e633a935bf53a4d3347eebaa1.exe	139
PID 3292 wrote to memory of 4700	3292	65a02a8e633a935bf53a4d3347eebaa1.exe	119
PID 3292 wrote to memory of 4700	3292	65a02a8e633a935bf53a4d3347eebaa1.exe	119
PID 3292 wrote to memory of 4700	3292	65a02a8e633a935bf53a4d3347eebaa1.exe	119
PID 3292 wrote to memory of 4924	3292	65a02a8e633a935bf53a4d3347eebaa1.exe	126
PID 3292 wrote to memory of 4924	3292	65a02a8e633a935bf53a4d3347eebaa1.exe	126
PID 3292 wrote to memory of 4924	3292	65a02a8e633a935bf53a4d3347eebaa1.exe	126
PID 3292 wrote to memory of 3208	3292	65a02a8e633a935bf53a4d3347eebaa1.exe	125
PID 3292 wrote to memory of 3208	3292	65a02a8e633a935bf53a4d3347eebaa1.exe	125
PID 3292 wrote to memory of 3208	3292	65a02a8e633a935bf53a4d3347eebaa1.exe	125
PID 3208 wrote to memory of 4972	3208	cmd.exe	122
PID 3208 wrote to memory of 4972	3208	cmd.exe	122
PID 3208 wrote to memory of 4972	3208	cmd.exe	122
PID 440 wrote to memory of 4240	440	65a02a8e633a935bf53a4d3347eebaa1.exe	138

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
"C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\DyMEscIA\OgQAkEAk.exe
  "C:\Users\Admin\DyMEscIA\OgQAkEAk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1188
- C:\ProgramData\smMYcQgs\NcIYsYIA.exe
  "C:\ProgramData\smMYcQgs\NcIYsYIA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
    C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4508
    - - C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3292
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igYUQwsw.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jucQAUoA.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        7⤵
        
        PID:2976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        UAC bypass
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        7⤵
        
        PID:3192
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4924
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymAEMUUk.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        7⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        7⤵
        
        PID:4952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:368
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2352
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:416
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:3368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIwoQYUs.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:756
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1316
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2452
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4392

C:\ProgramData\FCIoIsoY\tKcswkgA.exe
C:\ProgramData\FCIoIsoY\tKcswkgA.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4320

C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEUoAMYc.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
  2⤵
  PID:1180
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4644
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2796
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
  2⤵
  PID:4240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
  2⤵
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
    C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAEEokQs.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
  2⤵
  PID:4872
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2108
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4512
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4696
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4484
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
1⤵
PID:416
- C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
  C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:964
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgMoYgcY.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
    3⤵
    PID:4384
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2604
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:4812
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
      C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
      4⤵
      PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
    3⤵
    PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
      C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        5⤵
        
        PID:4644
      - C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        6⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        7⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        9⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        10⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        11⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmsMkgMk.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        11⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:2112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAwQAQUc.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        9⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies registry key
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcMMYUIg.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        7⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies registry key
        
        PID:1124
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4348
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1124
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:4304
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4712
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuwYcMUY.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        5⤵
        
        PID:3720
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:2448
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYcMMQgY.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
1⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2592

C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
  2⤵
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
    C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
      4⤵
      PID:2696
    - - C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4596
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        6⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        7⤵
        
        PID:2584
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAIkIMoo.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        6⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:756
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        7⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        9⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        10⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        11⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        12⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        13⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        14⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        15⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        16⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        17⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        18⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        19⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        20⤵
        
        PID:4672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        21⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        22⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        23⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        24⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        25⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        26⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        27⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        28⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        29⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        31⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        32⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        33⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        34⤵
        
        PID:1868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        35⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        36⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        37⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        38⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        39⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        40⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        41⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        42⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        44⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        45⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        46⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        47⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        48⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        49⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        50⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        51⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        52⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        53⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        54⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        55⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        56⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        57⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        58⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        59⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        60⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        61⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        62⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        63⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        64⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        65⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        66⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        67⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        68⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        69⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        70⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        71⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        72⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        73⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        74⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        75⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        76⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        77⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        78⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        79⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        80⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        81⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        82⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        83⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        84⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        85⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        86⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        87⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        88⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        89⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        90⤵
        
        PID:4640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        91⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        92⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        93⤵
        Adds Run key to start application
        
        PID:1828
        
        C:\Users\Admin\iYIUAgIA\wGEAoAIY.exe
        
        "C:\Users\Admin\iYIUAgIA\wGEAoAIY.exe"
        94⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 372
        95⤵
        Program crash
        
        PID:2084
        
        C:\ProgramData\fcYEoEUs\OgoEccIk.exe
        
        "C:\ProgramData\fcYEoEUs\OgoEccIk.exe"
        94⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 264
        95⤵
        Program crash
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        94⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        95⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        96⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        97⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        98⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        99⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        100⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        101⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        102⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        103⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQYgEYEs.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        102⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAwYUUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        100⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\legwQswo.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        98⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hogsoUgY.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        96⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwQIEwwk.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        92⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQocgsMM.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        90⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQgIQwos.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        88⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:3504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        UAC bypass
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:1424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        Modifies visibility of file extensions in Explorer
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaUkAgQo.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        86⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUEcIEkE.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        84⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UssAcgsI.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        82⤵
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        UAC bypass
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEwgQokY.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        80⤵
        
        PID:2076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        UAC bypass
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOgcEQAk.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        78⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQkIUgYM.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        76⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKUQAMkY.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        74⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies registry key
        
        PID:688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiMMgswA.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        72⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AycocMkU.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        70⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HagscMoo.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        68⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcQAEcMU.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        66⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROMgkIEM.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        64⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAEgIYQw.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        62⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGAUUckk.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        60⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IScckEkg.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        58⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WywoscEs.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        56⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RawUsQgA.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        54⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgswAEIE.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        52⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiUMoEks.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        50⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSIoYUkU.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        48⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiccMYgU.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        46⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCMMkwQY.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        44⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaAogMoE.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        42⤵
        
        PID:1336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aasMwYAY.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        40⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGMEAEgI.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        38⤵
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        UAC bypass
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWcwMook.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        36⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwYwUAMI.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        34⤵
        
        PID:3948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsIYIwMc.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        32⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwUsEUwY.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        30⤵
        
        PID:4872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQwIcgwY.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        28⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCgwIMco.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        26⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCQwgUkM.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        24⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\geEIsUwg.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        22⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAwAoQog.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        20⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSYIcYYQ.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        18⤵
        
        PID:2892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        UAC bypass
        
        PID:324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:3948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        UAC bypass
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsQYsgEk.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        16⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAoMgEww.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        14⤵
        
        PID:4228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwQQUUIE.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        12⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEYYwEQg.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        10⤵
        
        PID:540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmEAAEwY.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        8⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:5028
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        UAC bypass
        
        PID:2588
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUUAYIEc.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
      4⤵
      PID:4396
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2420
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1788
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3964
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcAkoMos.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3236
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:5080
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:644
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1952

C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
1⤵
PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
  2⤵
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
    C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
    3⤵
    PID:3272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eogsYIgE.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
      4⤵
      PID:1468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGMYQkYA.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
  2⤵
  PID:1476
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1860
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3180
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Suspicious behavior: EnumeratesProcesses
  PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
1⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKIgIUcc.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
1⤵
PID:4968
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
1⤵
PID:1280
- C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
  C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
  2⤵
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImcwsUss.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
    3⤵
    PID:440
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4948
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:680
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
    3⤵
    PID:2860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
1⤵
PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
    C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
    3⤵
    PID:1160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
      4⤵
      PID:2108
    - - C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        5⤵
        
        PID:4512
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqYoMAok.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        6⤵
        
        PID:2056
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:680
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:4392
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWAoYogg.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
      4⤵
      PID:2480
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3364
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:216
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOsAYMMI.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1180
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:824
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
1⤵
PID:4152
- C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
  C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
  2⤵
  PID:4620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
    3⤵
    PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
      C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
      4⤵
      PID:3880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        5⤵
        
        PID:4512
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:964
      - C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        6⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        7⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        8⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        9⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
        
        C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
        10⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\woUYYscI.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        9⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mssgMQAY.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        7⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:3776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
        6⤵
        
        PID:4592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGEgsccA.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
        5⤵
        
        PID:1292
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:3196
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3472
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgAIgsAA.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1328
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOAkIosQ.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
1⤵
PID:3004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4436

C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
1⤵
PID:3208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3272
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1640
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2152
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
1⤵
PID:4508
- C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
  C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
  2⤵
  PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgYkskYY.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:3096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYcAQYco.bat" "C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe""
1⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1.exe
C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1
1⤵
PID:2148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1604
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1200

C:\ProgramData\ZsYAYIMk\hAskMgcs.exe
C:\ProgramData\ZsYAYIMk\hAskMgcs.exe
1⤵
PID:3448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 260
  2⤵
  - Program crash
  PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4480 -ip 4480
1⤵
PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FCIoIsoY\tKcswkgA.exe

Filesize
430KB

MD5
b5f78fae2579f724118327500f3ae40b

SHA1
f6c7d462102dc46c567bd4ff0fc3c27fedb276c4

SHA256
d3417c69fea2fd05d63c953fda37e0087012d9c43fa655426c7815a79835f203

SHA512
f173c73b8a7461684bf8b1e52dcba12c4646aa26323bce8f393b552fa769a90a63e04aea976911b2a87d1034c04a2c9b4fc44d6708154fdb06e10b5c1293d02b

Download Submit
C:\ProgramData\smMYcQgs\NcIYsYIA.exe

Filesize
436KB

MD5
df0c6899e033e86f71f299e5fc58a9aa

SHA1
44ee027b3fe4a24cb47b17a51ebf9bd3eae2854c

SHA256
7134b7c7bebfad8a9ff0ef8e1a188cfcf407d13346fa0d422f2f20e28bd7f676

SHA512
7d0e1643013de3c6aa09c4101e98f849a09e772103553be6013aeabdc6da2916c739a380eed3c884c435dd39e1a18069c788e489ba845a0ea1c59da317291f49

Download Submit
C:\ProgramData\smMYcQgs\NcIYsYIA.exe

Filesize
286KB

MD5
d67be0fe5785cc3be4ac10fcdd6111a8

SHA1
075964310b57cf6cd3d0aca7831aaa373f6afb9d

SHA256
9ab0f5eca23188f404aa0b82c6c20d6b6b04c213c999a1d3e6b4605c0ce864b8

SHA512
0b41301895bf5aa6f089776df3a8e10f7645185d3c3caa49a04d412d50c076cca553023fa182b8aead562993e745af3d2ca2dc8dbede37a516440f525082dc92

Download Submit
C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1

Filesize
24KB

MD5
e0494587ab304d264ebd8f3bde154e1f

SHA1
e28743d178be539b2deac13b14180004051f2bcd

SHA256
6630491e258221f7fa46e79e76622b96b5cd945f9432c15d6ad5250b1e5cb2a0

SHA512
7baa0e47c44882bc7ff6c07ca33c2af67d0280107bc6801435d88fe842cd4b95d03c7fdc66fb83ddfa04576a52f6ec758f5f182b922c5fac7d6f03cbe75b979c

Download Submit
C:\Users\Admin\AppData\Local\Temp\65a02a8e633a935bf53a4d3347eebaa1

Filesize
48KB

MD5
01756f45662d7cff811ff986e2fd4e66

SHA1
fd67e79512c5386dda615835a40dfe5f286437bc

SHA256
1732b081443d1e292dd1a4477ecd8be81fa350cf3b3ce6dd222567b7585a8895

SHA512
c78311075d33ff2a253dcb86911355ed76ab349fc2f83bc6ab042dcea56d5d092af8abb2598372cd988210549376d023f6c34e92cb8816f4736d91dad606c2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUUk.exe

Filesize
478KB

MD5
0405d6831ebd995f78262898478e2368

SHA1
4d68fde5d55102632afce58553124a26b25dde2d

SHA256
a911c4a25699c6f080bc7df62a6a9f49c82b95ad029df88227613cfab650ffb6

SHA512
128f1c0482668d3b54b93c49cd04f378d930afee366f53277f1e7b32df0d593e4fb1249c09636e123edc0521563e9a76d23d5165f24b46ae704ba54af5762184

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEsw.exe

Filesize
2.2MB

MD5
95981d1853bcec5c8eaf8541d773191e

SHA1
098c354eaf1f51ead2c388f3af54dc740370847c

SHA256
04d41ff398cd10bbb49f7fb4d6ab8c9f6a06e54fd33c9a0ff482ebb4a9f671bf

SHA512
1d49e04c53fe2eb55a23bf2adefcec049dd390fc88a551600dc1909e46e7d7e1de8dbff972fc71a030a7f232b6c6d765f2fa23a630b9fc46099ee258481a30cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUsI.exe

Filesize
561KB

MD5
66efb90ef51dc371592c72ca2ac9982b

SHA1
baa38ee05e264bcbc9f753843b863e31a5f39ec8

SHA256
5338eae96bdacb0c7ddb894eb91483514c74f1597c3ce05a00bfdc3868e58ec6

SHA512
00b9a7385ffd3ee5ea27a8675f0989c7eb9e892491fc994de42d36720a285ae595e26cefdfd9f4feb0c0879847a1fe02e81671a8bc5a04917f7f9a2b226a69c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIIG.exe

Filesize
891KB

MD5
319e209cb664b4ecb6e17cfc4d7ec2c5

SHA1
cdda56b45d653404169b1b6b772f0cb6ae9e33f8

SHA256
d4573b3e884985cbba65fd691403b0e81644c57336b0601351ad779bd469bfe7

SHA512
8ca0bc854114b5ff78f8c7898ab063d32b03d2f774355c4d34661284377643084c475c6f477776a6e7b7e0c439698c2b1cec43e16c45704a581ca53d3fbcffb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMgK.exe

Filesize
460KB

MD5
7cc9b4c64d9f2d8346cfc02842ee84e8

SHA1
9efd5088f8dbba64ff4852fd7f7cdf40cd93b8b8

SHA256
692be0c1bfd887a648a85ad73f8d7ab48c690412907955967c7de92600c0b0b5

SHA512
89085e6a4bfa1f65bdbf050c3d7f9542f2c447210a32cbd6ae89dfbf20bdfd110623f1bd6ce55edd614f02f13c8cdde1d942f8a14678a447a9eec02a0741457f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUQE.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIwoQYUs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\DyMEscIA\OgQAkEAk.exe

Filesize
434KB

MD5
84c764d0dcd2fa7974d9d05001dba141

SHA1
af2b15a3113c355a9d051cd001f0f183310d90bc

SHA256
1a51e1b8167e9dd603b1b83eba2b5339635c814cbeed2624747b4e03728c6c7d

SHA512
23267562c15c2c90d16b68b8027c5083492db4fb8ce8ec1ee2cabc87706da938ab406e6526de728cb63466166398fe55895baffd1dae4a93e62738dac35fd28a

Download Submit
memory/220-346-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/220-334-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/440-79-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/440-57-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/756-172-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/756-156-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/912-160-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/912-145-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/964-123-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/964-114-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1160-292-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1160-280-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1188-8-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1188-49-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1456-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1456-100-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1620-306-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1620-319-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1636-22-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1636-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2064-56-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2064-12-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2148-253-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2148-268-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2444-279-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2444-264-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2560-232-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2560-217-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2584-207-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2584-220-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2628-256-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2628-243-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3208-310-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3208-300-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3272-229-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3272-244-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3292-61-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3292-41-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3396-111-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3396-99-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3424-351-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3472-127-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3472-135-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3480-360-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3616-183-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3616-196-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3880-327-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3880-337-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3988-184-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3988-168-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4264-343-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4264-355-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4320-17-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4320-75-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4512-301-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4512-291-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4596-208-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4596-192-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4620-328-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4620-318-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4780-136-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4780-148-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4800-42-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4800-23-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download