96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4

Analysis

max time kernel
150s
max time network
64s
platform
windows7_x64
resource
win7v20210410
submitted
13-05-2021 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
Size

747KB
MD5

cdf338251e81a7e534d4ad847a0cc01f
SHA1

6e420d5f4c0dde21b1ad80f58db7d05855dfa21d
SHA256

96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
SHA512

b2123eae4d19edc94eb930e5063c123ff374bf9f968bbefb96f96fcb4410b107544d5c97c5d85eb7ec4a05d262e97b18e2b578f620967c166cd91675d87819a1

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 2 IoCs

Processes:

PYEwIwsI.exeBOMYscYQ.exe

pid process

2004 PYEwIwsI.exe
2028 BOMYscYQ.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

BOMYscYQ.exe

description ioc process

File created C:\Users\Admin\Pictures\ExitEnter.png.exe BOMYscYQ.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

BOMYscYQ.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation BOMYscYQ.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1152 cmd.exe

pid	process
2004	PYEwIwsI.exe
2028	BOMYscYQ.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ExitEnter.png.exe	BOMYscYQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	BOMYscYQ.exe

pid	process
1152	cmd.exe

Loads dropped DLL 14 IoCs

Processes:

96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exeBOMYscYQ.exe

pid	process
540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exeBOMYscYQ.exePYEwIwsI.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\PYEwIwsI.exe = "C:\\Users\\Admin\\ewIsgswM\\PYEwIwsI.exe"	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BOMYscYQ.exe = "C:\\ProgramData\\CcYwkkIc\\BOMYscYQ.exe"	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BOMYscYQ.exe = "C:\\ProgramData\\CcYwkkIc\\BOMYscYQ.exe"	BOMYscYQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\PYEwIwsI.exe = "C:\\Users\\Admin\\ewIsgswM\\PYEwIwsI.exe"	PYEwIwsI.exe

Drops file in Windows directory 1 IoCs

Processes:

BOMYscYQ.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico BOMYscYQ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	BOMYscYQ.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
652	reg.exe
844	reg.exe
916	reg.exe
628	reg.exe
332	reg.exe
1300	reg.exe
612	reg.exe
540	reg.exe
944	reg.exe
1636	reg.exe
1936	reg.exe
672	reg.exe
304	reg.exe
1580	reg.exe
1956	reg.exe
736	reg.exe
1800	reg.exe
1540	reg.exe
740	reg.exe
628	reg.exe
676	reg.exe
112	reg.exe
1072	reg.exe
2020	reg.exe
1188	reg.exe
1940	reg.exe
1960	reg.exe
1580	reg.exe
1152	reg.exe
856	reg.exe
1516	reg.exe
1984	reg.exe
1848	reg.exe
944	reg.exe
1976	reg.exe
1152	reg.exe
1936	reg.exe
1152	reg.exe
1912	reg.exe
332	reg.exe
1732	reg.exe
1692	reg.exe
1544	reg.exe
544	reg.exe
1780	reg.exe
304	reg.exe
304	reg.exe
676	reg.exe
1940	reg.exe
916	reg.exe
888	reg.exe
844	reg.exe
1956	reg.exe
1848	reg.exe
1520	reg.exe
1492	reg.exe
588	reg.exe
1484	reg.exe
1276	reg.exe
588	reg.exe
1540	reg.exe
1172	reg.exe
1540	reg.exe
860	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe

pid	process
540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1764	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1764	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1696	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1696	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
112	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
112	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1028	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1028	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1980	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1980	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
628	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
628	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1696	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1696	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1520	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1520	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2020	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2020	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
296	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
296	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1056	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1056	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2036	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2036	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1696	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1696	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1496	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1496	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
304	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
304	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1924	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1924	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1688	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1688	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
304	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
304	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
564	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
564	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1576	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1576	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1720	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1720	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1740	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1740	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1544	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1544	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1192	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1192	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1848	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1848	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1544	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1544	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1192	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1192	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1924	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1924	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1576	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1576	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1720	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1720	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

BOMYscYQ.exe

pid process

2028 BOMYscYQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

BOMYscYQ.exe

pid	process
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe
2028	BOMYscYQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.execmd.execmd.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.execmd.execmd.exe

description	pid	process	target process
PID 540 wrote to memory of 2004	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	PYEwIwsI.exe
PID 540 wrote to memory of 2004	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	PYEwIwsI.exe
PID 540 wrote to memory of 2004	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	PYEwIwsI.exe
PID 540 wrote to memory of 2004	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	PYEwIwsI.exe
PID 540 wrote to memory of 2028	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	BOMYscYQ.exe
PID 540 wrote to memory of 2028	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	BOMYscYQ.exe
PID 540 wrote to memory of 2028	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	BOMYscYQ.exe
PID 540 wrote to memory of 2028	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	BOMYscYQ.exe
PID 540 wrote to memory of 1976	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 540 wrote to memory of 1976	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 540 wrote to memory of 1976	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 540 wrote to memory of 1976	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 1976 wrote to memory of 1176	1976	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 1976 wrote to memory of 1176	1976	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 1976 wrote to memory of 1176	1976	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 1976 wrote to memory of 1176	1976	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 540 wrote to memory of 1844	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 540 wrote to memory of 1844	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 540 wrote to memory of 1844	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 540 wrote to memory of 1844	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 540 wrote to memory of 1800	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 540 wrote to memory of 1800	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 540 wrote to memory of 1800	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 540 wrote to memory of 1800	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 540 wrote to memory of 1812	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 540 wrote to memory of 1812	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 540 wrote to memory of 1812	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 540 wrote to memory of 1812	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 540 wrote to memory of 1228	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 540 wrote to memory of 1228	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 540 wrote to memory of 1228	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 540 wrote to memory of 1228	540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 1228 wrote to memory of 604	1228	cmd.exe	cscript.exe
PID 1228 wrote to memory of 604	1228	cmd.exe	cscript.exe
PID 1228 wrote to memory of 604	1228	cmd.exe	cscript.exe
PID 1228 wrote to memory of 604	1228	cmd.exe	cscript.exe
PID 1176 wrote to memory of 1688	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 1176 wrote to memory of 1688	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 1176 wrote to memory of 1688	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 1176 wrote to memory of 1688	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 1688 wrote to memory of 1764	1688	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 1688 wrote to memory of 1764	1688	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 1688 wrote to memory of 1764	1688	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 1688 wrote to memory of 1764	1688	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 1176 wrote to memory of 640	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 1176 wrote to memory of 640	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 1176 wrote to memory of 640	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 1176 wrote to memory of 640	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 1176 wrote to memory of 1152	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 1176 wrote to memory of 1152	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 1176 wrote to memory of 1152	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 1176 wrote to memory of 1152	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 1176 wrote to memory of 1576	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 1176 wrote to memory of 1576	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 1176 wrote to memory of 1576	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 1176 wrote to memory of 1576	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 1176 wrote to memory of 588	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 1176 wrote to memory of 588	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 1176 wrote to memory of 588	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 1176 wrote to memory of 588	1176	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 588 wrote to memory of 464	588	cmd.exe	cscript.exe
PID 588 wrote to memory of 464	588	cmd.exe	cscript.exe
PID 588 wrote to memory of 464	588	cmd.exe	cscript.exe
PID 588 wrote to memory of 464	588	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
"C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\ewIsgswM\PYEwIwsI.exe
"C:\Users\Admin\ewIsgswM\PYEwIwsI.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2004

C:\ProgramData\CcYwkkIc\BOMYscYQ.exe
"C:\ProgramData\CcYwkkIc\BOMYscYQ.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
4⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
6⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
8⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:112

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
10⤵
PID:328

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1028

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
12⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
14⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
16⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
18⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
20⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
22⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:296

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
24⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1056

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
26⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
28⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
30⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
32⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:304

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
34⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
36⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
37⤵
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
38⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:304

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
40⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
41⤵
- Suspicious behavior: EnumeratesProcesses
PID:564

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
42⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
43⤵
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
44⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
45⤵
- Suspicious behavior: EnumeratesProcesses
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
46⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
47⤵
- Suspicious behavior: EnumeratesProcesses
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
48⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
49⤵
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
50⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
51⤵
- Suspicious behavior: EnumeratesProcesses
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
52⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
53⤵
- Suspicious behavior: EnumeratesProcesses
PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
54⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
55⤵
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
56⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
57⤵
- Suspicious behavior: EnumeratesProcesses
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
58⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
59⤵
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
60⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
61⤵
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
62⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
63⤵
- Suspicious behavior: EnumeratesProcesses
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
64⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
65⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
66⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
67⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
68⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
69⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
70⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
71⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
72⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
73⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
74⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
75⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
76⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
77⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
78⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
79⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
80⤵
PID:304

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
81⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
82⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
83⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
84⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
85⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
86⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
87⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
88⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
89⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
90⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
91⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
92⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
93⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
94⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
95⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
96⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
97⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
98⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
99⤵
PID:332

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
100⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
101⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
102⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
103⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
104⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
105⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
106⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
107⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
108⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
109⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
110⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
111⤵
PID:296

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
112⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
113⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
114⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
115⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
116⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
117⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
118⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
119⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
120⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
121⤵
PID:564

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
122⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
123⤵
PID:1252

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
124⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
125⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
126⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
127⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
128⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
129⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
130⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
131⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
132⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
133⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
134⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
135⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
136⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
137⤵
PID:328

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
138⤵
PID:304

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
139⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
140⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
141⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
142⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
143⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
144⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
145⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
146⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
147⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
148⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
149⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
150⤵
PID:332

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
151⤵
PID:672

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
152⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
153⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
154⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
155⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
156⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
157⤵
PID:672

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
158⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
159⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
160⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
161⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
162⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
163⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
164⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
165⤵
PID:296

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
166⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
167⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
168⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
169⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
170⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
171⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
172⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
173⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
174⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
175⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
176⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
177⤵
PID:736

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
178⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
179⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
180⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
181⤵
PID:112

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
182⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
183⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
184⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
185⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
186⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
187⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
188⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
189⤵
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
190⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
191⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
192⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
193⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
194⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
195⤵
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
196⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
197⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
198⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
199⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
200⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
201⤵
PID:816

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
202⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
203⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
204⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
205⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
206⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
207⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
208⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
209⤵
PID:296

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
210⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
211⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
212⤵
PID:240

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
213⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
214⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
215⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
216⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
217⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
218⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
219⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
220⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
221⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
222⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
223⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
224⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
225⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
226⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
227⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
228⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
229⤵
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
230⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
231⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
232⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
233⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
234⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
235⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
236⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
237⤵
PID:112

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
238⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
239⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
240⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
241⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
242⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
243⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKcUUoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
242⤵
- Deletes itself
PID:1152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies registry key
PID:332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DCIkIEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
240⤵
PID:1780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ySoAYoYs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
238⤵
PID:1660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies registry key
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UiQEgYcU.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
236⤵
PID:1496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cwAUIAgs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
234⤵
PID:940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMwscMAE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
232⤵
PID:1352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\maoEsIgA.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
230⤵
PID:1984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies registry key
PID:304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bMUQIQMY.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
228⤵
PID:1916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKogMEUs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
226⤵
PID:1636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PGkoEkYE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
224⤵
PID:1152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
- Modifies registry key
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PuYEcUcw.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
222⤵
PID:1332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
- Modifies registry key
PID:672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HWswsEIM.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
220⤵
PID:1580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- Modifies registry key
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWwsgIUk.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
218⤵
PID:1516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:332

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oKssEQQk.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
216⤵
PID:320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wWcYMMMs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
214⤵
PID:1580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies registry key
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WqcIIQAs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
212⤵
PID:1496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
- Modifies registry key
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WAkcMgQM.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
210⤵
PID:544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- Modifies registry key
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rmkEMwwc.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
208⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- Modifies registry key
PID:736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pIcsIUgM.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
206⤵
PID:1956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- Modifies registry key
PID:304

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DeIAcgww.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
204⤵
PID:788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
- Modifies registry key
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:112

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jkgQcUYs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
202⤵
PID:960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HekYQAco.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
200⤵
PID:1192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
- Modifies registry key
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qQAYooAE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
198⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wKIIsIYM.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
196⤵
PID:1976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAEMgUwE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
194⤵
PID:1960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EmQgEIos.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
192⤵
PID:1176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies registry key
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmwoYcUA.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
190⤵
PID:1588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:304

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqgcckUg.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
188⤵
PID:676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:296

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DQsgwIYY.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
186⤵
PID:1720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- Modifies registry key
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jYAMsoQE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
184⤵
PID:944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYoUYwMw.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
182⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- Modifies registry key
PID:612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TkYgYkIs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
180⤵
PID:1072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AEAsIwgA.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
178⤵
PID:788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies registry key
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yssEowkI.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
176⤵
PID:1732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ymgAAsww.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
174⤵
PID:296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IaoQgQEU.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
172⤵
PID:316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kYcEUkAI.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
170⤵
PID:1276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- Modifies registry key
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jcAckYso.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
168⤵
PID:1152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- Modifies registry key
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HaoIscMs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
166⤵
PID:1188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies registry key
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
- Modifies registry key
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pgswMAko.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
164⤵
PID:1628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- Modifies registry key
PID:1172

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hYcEkEkU.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
162⤵
PID:1684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
- Modifies registry key
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LSkQIUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
160⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
- Modifies registry key
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cYIYYYUw.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
158⤵
PID:816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- Modifies registry key
PID:1072

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KwYkUwQc.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
156⤵
PID:1300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:1368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- Modifies registry key
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWwAAkcY.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
154⤵
PID:676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kYkgMcss.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
152⤵
PID:320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies registry key
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:816

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UwwgMwwI.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
150⤵
PID:888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:652

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qakQEkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
148⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HIYcMgcE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
146⤵
PID:1684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
- Modifies registry key
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- Modifies registry key
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rcUoMMoc.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
144⤵
PID:1448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:1368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lyccIIUk.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
142⤵
PID:1536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
- Modifies registry key
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nkcYkgAU.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
140⤵
PID:552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tysgQccQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
138⤵
PID:1476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:1296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies registry key
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EYUUMMkk.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
136⤵
PID:1764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kKMUscEU.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
134⤵
PID:628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- Modifies registry key
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iigEkMIw.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
132⤵
PID:544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cKIYwckk.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
130⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QGwIcIoo.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
128⤵
PID:1172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jqQkwwEU.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
126⤵
PID:888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- Modifies registry key
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
- Modifies registry key
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JaEUooko.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
124⤵
PID:1192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies registry key
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwIIcgcM.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
122⤵
PID:544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tKIYsYEs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
120⤵
PID:1516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- Modifies registry key
PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lsYIUkkE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
118⤵
PID:2024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies registry key
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IiEYcwcs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
116⤵
PID:1296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
- Modifies registry key
PID:332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QwEYkcIg.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
114⤵
PID:1576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WuIksUwI.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
112⤵
PID:1176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wIkMMoMY.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
110⤵
PID:788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
- Modifies registry key
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
- Modifies registry key
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KeIQMUMU.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
108⤵
PID:1360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMQwYwIw.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
106⤵
PID:1956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies registry key
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqgUoIck.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
104⤵
PID:2036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWQUgIgA.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
102⤵
PID:1908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PUMIcokI.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
100⤵
PID:1732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies registry key
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dQgQYooE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
98⤵
PID:1544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
- Modifies registry key
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MAcwgsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
96⤵
PID:2024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIEQIIME.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
94⤵
PID:1172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oyIcokIQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
92⤵
PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies registry key
PID:544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EyEwgsQE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
90⤵
PID:1300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- Modifies registry key
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYcsYscs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
88⤵
PID:1152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- Modifies registry key
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cgEIkQsU.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
86⤵
PID:304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xQYEwIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
84⤵
PID:860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pwMocQIA.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
82⤵
PID:1484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- Modifies registry key
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RiEMQIoY.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
80⤵
PID:1624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DCoMgwcQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
78⤵
PID:816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- Modifies registry key
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zAowAAgE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
76⤵
PID:544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vuEcwAIo.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
74⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- Modifies registry key
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- Modifies registry key
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KAwYosss.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
72⤵
PID:816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SMsYAkgs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
70⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CogAIUUo.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
68⤵
PID:588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\smAYsEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
66⤵
PID:320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YwYwUEYg.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
64⤵
PID:112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ziAEQIco.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
62⤵
PID:1072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQYocEss.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
60⤵
PID:1296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jQAwEMYI.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
58⤵
PID:740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rSkAAAsM.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
56⤵
PID:960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:1296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWMgAMMc.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
54⤵
PID:1228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- Modifies registry key
PID:540

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dqEYQUgk.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
52⤵
PID:856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yqQMgUgA.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
50⤵
PID:612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUwocUwo.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
48⤵
PID:1940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUgsccIM.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
46⤵
PID:1984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sGogogYk.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
44⤵
PID:672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UUYsswYI.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
42⤵
PID:1368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\viYkEEgE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
40⤵
PID:1984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies registry key
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lWAwwIIc.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
38⤵
PID:1656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAQAkkYk.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
36⤵
PID:2000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies registry key
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:328

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DckYEIIg.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
34⤵
PID:676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGYMMoIY.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
32⤵
PID:1448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eGIYMwYo.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
30⤵
PID:1072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:304

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SYAgcUQc.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
28⤵
PID:1720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:328

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sSckIksQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
26⤵
PID:1448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:1296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYwgUgUU.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
24⤵
PID:316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IUkAowEw.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
22⤵
PID:1332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- Modifies registry key
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fgokcQUs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
20⤵
PID:1692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- Modifies registry key
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:328

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NioQgUQI.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
18⤵
PID:2024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:564

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tGEksUgg.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
16⤵
PID:1544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JCEgIIMU.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
14⤵
PID:796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\emkkQIMM.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
12⤵
PID:1940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies registry key
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:564

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ucggkogs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
10⤵
PID:1656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wEAIMAgo.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
8⤵
PID:1520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cScoUUsE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
6⤵
PID:1720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tsEkEoUs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PiIMIIMI.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CcYwkkIc\BOMYscYQ.exe
MD5
41d11905089c090e4817db5835eaef7d

SHA1
6b9caa648f082de950e6ee34b993b85ee33518e7

SHA256
29f7982c28486a1c0f13ca168f9641d95d17d7c77aa80edbb48159c8a9b889dd

SHA512
5f2889c8297967afdcc995ac657895e153cebffd889999c90d16bcca1becfe05c7c96c02dca4bbc2a406e7db91035ea3cab50e053920d47ef2bef1aee0cee7b0

Download Submit
C:\ProgramData\CcYwkkIc\BOMYscYQ.inf
MD5
3a3a86582f4b9927744d11c0e9adfff2

SHA1
8c6454d454794fff9f046cd6aa1d28dff126bf7d

SHA256
a2f5af31eeef1124ad01674012c8079cd7113b4361542b8537fe20b7be570ab3

SHA512
816fb0a2ff1550221a217b7e66314d29818ce9d56225ae00e88a7ba5c0821da8f67468887a0506b34d7a396020156f2860a0ae40c372512fbf26040d91ee3481

Download Submit
C:\ProgramData\CcYwkkIc\BOMYscYQ.inf
MD5
f2661bf7d699cdcfebaf59e94c461e10

SHA1
4d6862d709b9d680a1940dc01a60c91853c1f65d

SHA256
129b04888c26da47539bb8aca758a377d8df46d15cd07d63078ffeb846691003

SHA512
b5c76d02de9bca151f1a7434f7704a914883ac1d87e0cb0644302ad86b2df35b6026ee5a0f38245aecd55483b6be40b01241dd9eb4c2164ea3b9e178fe31a11e

Download Submit
C:\ProgramData\CcYwkkIc\BOMYscYQ.inf
MD5
7eaf9797416d8d69b814ae378ef454e5

SHA1
be3bce182219165dcc6b857ba116b6850562f37c

SHA256
6b36bddf5fc60968f875523151bc194e7b2e13684b50a85dbdd179ee9f248a3f

SHA512
dcd211c21e721e612307fc74f6047602a83c868f6ed2da8cf4426144325660c377f6d6fa96e1d7c3fecb496f17918375bbdb81a9c080115f1a5adfbc826958b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGYMMoIY.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUkAowEw.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCEgIIMU.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYwgUgUU.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NioQgUQI.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PiIMIIMI.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYAgcUQc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ucggkogs.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cScoUUsE.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eGIYMwYo.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\emkkQIMM.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgokcQUs.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSckIksQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tGEksUgg.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsEkEoUs.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEAIMAgo.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\ewIsgswM\PYEwIwsI.exe
MD5
f75d1bd33a3080fe5f4a96b9784cd89f

SHA1
5ad2d4ec4332ca82a1f27d778c277c61c9eec56b

SHA256
bd4486954b34e51d355af0eb4cfa4f6e54b085bbe8d254edb4e877f2d021294e

SHA512
c7dfd8704e6fa36f1bca9b04a43526727d451e5e9e2b17dd7102de9c02743847e7ce9f200200eb96d84846113d450e6516cdebcd3dede5ebd4a1e1344fce8ebf

Download Submit
C:\Users\Admin\ewIsgswM\PYEwIwsI.inf
MD5
3a3a86582f4b9927744d11c0e9adfff2

SHA1
8c6454d454794fff9f046cd6aa1d28dff126bf7d

SHA256
a2f5af31eeef1124ad01674012c8079cd7113b4361542b8537fe20b7be570ab3

SHA512
816fb0a2ff1550221a217b7e66314d29818ce9d56225ae00e88a7ba5c0821da8f67468887a0506b34d7a396020156f2860a0ae40c372512fbf26040d91ee3481

Download Submit
C:\Users\Admin\ewIsgswM\PYEwIwsI.inf
MD5
f2661bf7d699cdcfebaf59e94c461e10

SHA1
4d6862d709b9d680a1940dc01a60c91853c1f65d

SHA256
129b04888c26da47539bb8aca758a377d8df46d15cd07d63078ffeb846691003

SHA512
b5c76d02de9bca151f1a7434f7704a914883ac1d87e0cb0644302ad86b2df35b6026ee5a0f38245aecd55483b6be40b01241dd9eb4c2164ea3b9e178fe31a11e

Download Submit
C:\Users\Admin\ewIsgswM\PYEwIwsI.inf
MD5
7eaf9797416d8d69b814ae378ef454e5

SHA1
be3bce182219165dcc6b857ba116b6850562f37c

SHA256
6b36bddf5fc60968f875523151bc194e7b2e13684b50a85dbdd179ee9f248a3f

SHA512
dcd211c21e721e612307fc74f6047602a83c868f6ed2da8cf4426144325660c377f6d6fa96e1d7c3fecb496f17918375bbdb81a9c080115f1a5adfbc826958b7

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\CcYwkkIc\BOMYscYQ.exe
MD5
41d11905089c090e4817db5835eaef7d

SHA1
6b9caa648f082de950e6ee34b993b85ee33518e7

SHA256
29f7982c28486a1c0f13ca168f9641d95d17d7c77aa80edbb48159c8a9b889dd

SHA512
5f2889c8297967afdcc995ac657895e153cebffd889999c90d16bcca1becfe05c7c96c02dca4bbc2a406e7db91035ea3cab50e053920d47ef2bef1aee0cee7b0

Download Submit
\ProgramData\CcYwkkIc\BOMYscYQ.exe
MD5
41d11905089c090e4817db5835eaef7d

SHA1
6b9caa648f082de950e6ee34b993b85ee33518e7

SHA256
29f7982c28486a1c0f13ca168f9641d95d17d7c77aa80edbb48159c8a9b889dd

SHA512
5f2889c8297967afdcc995ac657895e153cebffd889999c90d16bcca1becfe05c7c96c02dca4bbc2a406e7db91035ea3cab50e053920d47ef2bef1aee0cee7b0

Download Submit
\Users\Admin\ewIsgswM\PYEwIwsI.exe
MD5
f75d1bd33a3080fe5f4a96b9784cd89f

SHA1
5ad2d4ec4332ca82a1f27d778c277c61c9eec56b

SHA256
bd4486954b34e51d355af0eb4cfa4f6e54b085bbe8d254edb4e877f2d021294e

SHA512
c7dfd8704e6fa36f1bca9b04a43526727d451e5e9e2b17dd7102de9c02743847e7ce9f200200eb96d84846113d450e6516cdebcd3dede5ebd4a1e1344fce8ebf

Download Submit
\Users\Admin\ewIsgswM\PYEwIwsI.exe
MD5
f75d1bd33a3080fe5f4a96b9784cd89f

SHA1
5ad2d4ec4332ca82a1f27d778c277c61c9eec56b

SHA256
bd4486954b34e51d355af0eb4cfa4f6e54b085bbe8d254edb4e877f2d021294e

SHA512
c7dfd8704e6fa36f1bca9b04a43526727d451e5e9e2b17dd7102de9c02743847e7ce9f200200eb96d84846113d450e6516cdebcd3dede5ebd4a1e1344fce8ebf

Download Submit
memory/112-107-0x0000000000000000-mapping.dmp

Download
memory/328-114-0x0000000000000000-mapping.dmp

Download
memory/328-171-0x0000000000000000-mapping.dmp

Download
memory/436-134-0x0000000000000000-mapping.dmp

Download
memory/464-90-0x0000000000000000-mapping.dmp

Download
memory/540-59-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/544-142-0x0000000000000000-mapping.dmp

Download
memory/564-122-0x0000000000000000-mapping.dmp

Download
memory/564-159-0x0000000000000000-mapping.dmp

Download
memory/588-88-0x0000000000000000-mapping.dmp

Download
memory/588-120-0x0000000000000000-mapping.dmp

Download
memory/604-78-0x0000000000000000-mapping.dmp

Download
memory/612-109-0x0000000000000000-mapping.dmp

Download
memory/628-143-0x0000000000000000-mapping.dmp

Download
memory/640-110-0x0000000000000000-mapping.dmp

Download
memory/640-85-0x0000000000000000-mapping.dmp

Download
memory/736-94-0x0000000000000000-mapping.dmp

Download
memory/796-148-0x0000000000000000-mapping.dmp

Download
memory/856-146-0x0000000000000000-mapping.dmp

Download
memory/916-158-0x0000000000000000-mapping.dmp

Download
memory/916-135-0x0000000000000000-mapping.dmp

Download
memory/1028-154-0x0000000000000000-mapping.dmp

Download
memory/1028-115-0x0000000000000000-mapping.dmp

Download
memory/1152-86-0x0000000000000000-mapping.dmp

Download
memory/1176-111-0x0000000000000000-mapping.dmp

Download
memory/1176-71-0x0000000000000000-mapping.dmp

Download
memory/1188-130-0x0000000000000000-mapping.dmp

Download
memory/1228-76-0x0000000000000000-mapping.dmp

Download
memory/1252-169-0x0000000000000000-mapping.dmp

Download
memory/1252-126-0x0000000000000000-mapping.dmp

Download
memory/1296-162-0x0000000000000000-mapping.dmp

Download
memory/1332-106-0x0000000000000000-mapping.dmp

Download
memory/1496-117-0x0000000000000000-mapping.dmp

Download
memory/1496-145-0x0000000000000000-mapping.dmp

Download
memory/1520-167-0x0000000000000000-mapping.dmp

Download
memory/1520-112-0x0000000000000000-mapping.dmp

Download
memory/1544-160-0x0000000000000000-mapping.dmp

Download
memory/1576-87-0x0000000000000000-mapping.dmp

Download
memory/1656-124-0x0000000000000000-mapping.dmp

Download
memory/1656-97-0x0000000000000000-mapping.dmp

Download
memory/1688-82-0x0000000000000000-mapping.dmp

Download
memory/1688-166-0x0000000000000000-mapping.dmp

Download
memory/1696-155-0x0000000000000000-mapping.dmp

Download
memory/1696-95-0x0000000000000000-mapping.dmp

Download
memory/1720-100-0x0000000000000000-mapping.dmp

Download
memory/1732-147-0x0000000000000000-mapping.dmp

Download
memory/1732-123-0x0000000000000000-mapping.dmp

Download
memory/1732-170-0x0000000000000000-mapping.dmp

Download
memory/1764-83-0x0000000000000000-mapping.dmp

Download
memory/1800-74-0x0000000000000000-mapping.dmp

Download
memory/1800-102-0x0000000000000000-mapping.dmp

Download
memory/1812-75-0x0000000000000000-mapping.dmp

Download
memory/1844-73-0x0000000000000000-mapping.dmp

Download
memory/1940-136-0x0000000000000000-mapping.dmp

Download
memory/1976-70-0x0000000000000000-mapping.dmp

Download
memory/1980-131-0x0000000000000000-mapping.dmp

Download
memory/2000-138-0x0000000000000000-mapping.dmp

Download
memory/2000-98-0x0000000000000000-mapping.dmp

Download
memory/2004-62-0x0000000000000000-mapping.dmp

Download
memory/2012-157-0x0000000000000000-mapping.dmp

Download
memory/2024-172-0x0000000000000000-mapping.dmp

Download
memory/2024-99-0x0000000000000000-mapping.dmp

Download
memory/2028-67-0x0000000000000000-mapping.dmp

Download
memory/2036-150-0x0000000000000000-mapping.dmp

Download
memory/2040-133-0x0000000000000000-mapping.dmp

Download