96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4

Analysis

max time kernel
151s
max time network
136s
platform
windows10_x64
resource
win10v20210408
submitted
13-05-2021 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
Size

747KB
MD5

cdf338251e81a7e534d4ad847a0cc01f
SHA1

6e420d5f4c0dde21b1ad80f58db7d05855dfa21d
SHA256

96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
SHA512

b2123eae4d19edc94eb930e5063c123ff374bf9f968bbefb96f96fcb4410b107544d5c97c5d85eb7ec4a05d262e97b18e2b578f620967c166cd91675d87819a1

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 2 IoCs

Processes:

zOMYcsQs.exeJiQcYsQI.exe

pid process

2700 zOMYcsQs.exe
2300 JiQcYsQI.exe

pid	process
2700	zOMYcsQs.exe
2300	JiQcYsQI.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

JiQcYsQI.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\CompleteSelect.png.exe	JiQcYsQI.exe
File created	C:\Users\Admin\Pictures\RevokeInitialize.png.exe	JiQcYsQI.exe
File created	C:\Users\Admin\Pictures\StopBackup.png.exe	JiQcYsQI.exe
File created	C:\Users\Admin\Pictures\UseUndo.png.exe	JiQcYsQI.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

JiQcYsQI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	JiQcYsQI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exeJiQcYsQI.exezOMYcsQs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zOMYcsQs.exe = "C:\\Users\\Admin\\iGoQEQEE\\zOMYcsQs.exe"	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JiQcYsQI.exe = "C:\\ProgramData\\TcMYccMk\\JiQcYsQI.exe"	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JiQcYsQI.exe = "C:\\ProgramData\\TcMYccMk\\JiQcYsQI.exe"	JiQcYsQI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zOMYcsQs.exe = "C:\\Users\\Admin\\iGoQEQEE\\zOMYcsQs.exe"	zOMYcsQs.exe

Drops file in System32 directory 2 IoCs

Processes:

JiQcYsQI.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	JiQcYsQI.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	JiQcYsQI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3652	reg.exe
2420	reg.exe
3028	reg.exe
4036	reg.exe
1492	reg.exe
1244	reg.exe
3580	reg.exe
1940	reg.exe
2144	reg.exe
3948	reg.exe
1652	reg.exe
1564	reg.exe
2540	reg.exe
3984	reg.exe
192	reg.exe
748	reg.exe
2540	reg.exe
976	reg.exe
1492	reg.exe
3372	reg.exe
636	reg.exe
3756	reg.exe
2920	reg.exe
2132	reg.exe
652	reg.exe
2668	reg.exe
2544	reg.exe
1776	reg.exe
3872	reg.exe
3976	reg.exe
1752	reg.exe
428	reg.exe
3940	reg.exe
1776	reg.exe
652	reg.exe
2920	reg.exe
2488	reg.exe
4048	reg.exe
3088	reg.exe
192	reg.exe
1840	reg.exe
1556	reg.exe
4048	reg.exe
3984	reg.exe
3588	reg.exe
2556	reg.exe
1416	reg.exe
3940	reg.exe
428	reg.exe
3940	reg.exe
1572	reg.exe
644	reg.exe
2564	reg.exe
192	reg.exe
1568	reg.exe
4048	reg.exe
2400	reg.exe
2588	reg.exe
2920	reg.exe
2556	reg.exe
1244	reg.exe
3756	reg.exe
3980	reg.exe
744	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe

pid	process
644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1448	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1448	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1448	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1448	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2716	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2716	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2716	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2716	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3960	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3960	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3960	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3960	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1940	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1940	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1940	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1940	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3872	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3872	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3872	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3872	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
652	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
652	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
652	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
652	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
200	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
200	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
200	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
200	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2912	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2912	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2912	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2912	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2532	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2532	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2532	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2532	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3100	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3100	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3100	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3100	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
2540	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1776	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1776	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1776	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
1776	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3676	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3676	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3676	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
3676	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

JiQcYsQI.exe

pid process

2300 JiQcYsQI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

JiQcYsQI.exe

pid	process
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe
2300	JiQcYsQI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.execmd.execmd.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.execmd.execmd.exe96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.execmd.exe

description	pid	process	target process
PID 644 wrote to memory of 2700	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	zOMYcsQs.exe
PID 644 wrote to memory of 2700	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	zOMYcsQs.exe
PID 644 wrote to memory of 2700	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	zOMYcsQs.exe
PID 644 wrote to memory of 2300	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	JiQcYsQI.exe
PID 644 wrote to memory of 2300	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	JiQcYsQI.exe
PID 644 wrote to memory of 2300	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	JiQcYsQI.exe
PID 644 wrote to memory of 3860	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 644 wrote to memory of 3860	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 644 wrote to memory of 3860	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 644 wrote to memory of 3588	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 644 wrote to memory of 3588	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 644 wrote to memory of 3588	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 644 wrote to memory of 4036	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 644 wrote to memory of 4036	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 644 wrote to memory of 4036	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 644 wrote to memory of 196	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 644 wrote to memory of 196	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 644 wrote to memory of 196	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 644 wrote to memory of 3460	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 644 wrote to memory of 3460	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 644 wrote to memory of 3460	644	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 3860 wrote to memory of 3648	3860	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 3860 wrote to memory of 3648	3860	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 3860 wrote to memory of 3648	3860	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 3460 wrote to memory of 3656	3460	cmd.exe	cscript.exe
PID 3460 wrote to memory of 3656	3460	cmd.exe	cscript.exe
PID 3460 wrote to memory of 3656	3460	cmd.exe	cscript.exe
PID 3648 wrote to memory of 3880	3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 3648 wrote to memory of 3880	3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 3648 wrote to memory of 3880	3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 3648 wrote to memory of 1492	3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 3648 wrote to memory of 1492	3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 3648 wrote to memory of 1492	3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 3648 wrote to memory of 1776	3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 3648 wrote to memory of 1776	3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 3648 wrote to memory of 1776	3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 3648 wrote to memory of 2220	3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 3648 wrote to memory of 2220	3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 3648 wrote to memory of 2220	3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 3648 wrote to memory of 2540	3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 3648 wrote to memory of 2540	3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 3648 wrote to memory of 2540	3648	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 3880 wrote to memory of 976	3880	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 3880 wrote to memory of 976	3880	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 3880 wrote to memory of 976	3880	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 2540 wrote to memory of 4048	2540	cmd.exe	cscript.exe
PID 2540 wrote to memory of 4048	2540	cmd.exe	cscript.exe
PID 2540 wrote to memory of 4048	2540	cmd.exe	cscript.exe
PID 976 wrote to memory of 1516	976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 976 wrote to memory of 1516	976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 976 wrote to memory of 1516	976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe
PID 1516 wrote to memory of 1448	1516	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 1516 wrote to memory of 1448	1516	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 1516 wrote to memory of 1448	1516	cmd.exe	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
PID 976 wrote to memory of 1088	976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 976 wrote to memory of 1088	976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 976 wrote to memory of 1088	976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 976 wrote to memory of 1224	976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 976 wrote to memory of 1224	976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 976 wrote to memory of 1224	976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 976 wrote to memory of 2480	976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 976 wrote to memory of 2480	976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 976 wrote to memory of 2480	976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	reg.exe
PID 976 wrote to memory of 2484	976	96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
"C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\iGoQEQEE\zOMYcsQs.exe
"C:\Users\Admin\iGoQEQEE\zOMYcsQs.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2700

C:\ProgramData\TcMYccMk\JiQcYsQI.exe
"C:\ProgramData\TcMYccMk\JiQcYsQI.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
2⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
4⤵
- Suspicious use of WriteProcessMemory
PID:3880

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
6⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
8⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
10⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
12⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
14⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
16⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
18⤵
PID:188

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
20⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
22⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
24⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
26⤵
PID:192

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
28⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
30⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
32⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
33⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
34⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
35⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
36⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
37⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
38⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
39⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
40⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
41⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
42⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
43⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
44⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
45⤵
PID:196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
46⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
47⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
48⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
49⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
50⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
51⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
52⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
53⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
54⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
55⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
56⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
57⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
58⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
59⤵
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
60⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
61⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
62⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
63⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
64⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
65⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
66⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
67⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
68⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
69⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
70⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
71⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
72⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
73⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
74⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
75⤵
PID:1252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
76⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
77⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
78⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
79⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
80⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
81⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
82⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
83⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
84⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
85⤵
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
86⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
87⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
88⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
89⤵
PID:3796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
90⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
91⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
92⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
93⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4"
94⤵
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqQsgEYg.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
94⤵
PID:2368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
- Modifies registry key
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwsQkwMY.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
92⤵
PID:3592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- Modifies registry key
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies registry key
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqEAUEEg.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
90⤵
PID:1920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:3192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies registry key
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWgAoEME.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
88⤵
PID:4092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- Modifies registry key
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
- Modifies registry key
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies registry key
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VukoEYYQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
86⤵
PID:3948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySEwUswg.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
84⤵
PID:1512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies registry key
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIsYscgY.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
82⤵
PID:1784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIUQwUgg.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
80⤵
PID:2484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- Modifies registry key
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies registry key
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:3088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
- Modifies registry key
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMgUcIsc.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
78⤵
PID:4060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qscMgAwc.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
76⤵
PID:2288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:3100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- Modifies registry key
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMAoYQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
74⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKsowMYU.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
72⤵
PID:2200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- Modifies registry key
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
- Modifies registry key
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgQkIskE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
70⤵
PID:2664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- Modifies registry key
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
- Modifies registry key
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUkowIoA.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
68⤵
PID:4060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- Modifies registry key
PID:3872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies registry key
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEIYgcUw.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
66⤵
PID:3756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAgkIUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
64⤵
PID:748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOMoQcUo.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
62⤵
PID:2716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- Modifies registry key
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies registry key
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwUMUIQc.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
60⤵
PID:744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- Modifies registry key
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies registry key
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCUAogIs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
58⤵
PID:3940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiAkEYMk.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
56⤵
PID:2204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- Modifies registry key
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QecMcckk.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
54⤵
PID:976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies registry key
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUMYkQwo.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
52⤵
PID:2176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:3656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies registry key
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xccskosc.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
50⤵
PID:2744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAcsgAgs.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
48⤵
PID:188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- Modifies registry key
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\poUgIUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
46⤵
PID:2288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- Modifies registry key
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies registry key
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
- Modifies registry key
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- Modifies registry key
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMYoIQoE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
44⤵
PID:2076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiEAkgwI.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
42⤵
PID:3668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSkoMgUM.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
40⤵
PID:2052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
- Modifies registry key
PID:428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQgoIYsE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
38⤵
PID:1492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies registry key
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies registry key
PID:192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- Modifies registry key
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wycoYIYk.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
36⤵
PID:3372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQokMUgg.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
34⤵
PID:2552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- Modifies registry key
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies registry key
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wucsAEsE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
32⤵
PID:2088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKkcwccQ.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
30⤵
PID:2052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:3356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqIsIEoM.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
28⤵
PID:2220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCYokkgM.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
26⤵
PID:196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- Modifies registry key
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies registry key
PID:3088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies registry key
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- Modifies registry key
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMAYQEAw.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
24⤵
PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- Modifies registry key
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgwUAQoY.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
22⤵
PID:1416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies registry key
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGsMIYoU.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
20⤵
PID:1652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMksUQkE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
18⤵
PID:2588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:3864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies registry key
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMwQcYgA.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
16⤵
PID:3192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- Modifies registry key
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies registry key
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:3720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- Modifies registry key
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doUYEMkM.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
14⤵
PID:960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- Modifies registry key
PID:428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQQMQYYc.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
12⤵
PID:3864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:3588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- Modifies registry key
PID:652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSUcoAUw.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
10⤵
PID:960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:3192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAMQkQwU.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
8⤵
PID:1088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkAkMEEI.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
6⤵
PID:2484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies registry key
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcsEckEE.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:3588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQQogEwg.bat" "C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:3656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TcMYccMk\JiQcYsQI.exe
MD5
8cbf424805f04d731516d0c4e3b64847

SHA1
49828d480bfb00cddbf773c4f90f7bcb36ea16bd

SHA256
c7c4d881b901edf1f30c339fc18465fc6788d95d15cce23e8cbd4650c5d19857

SHA512
87d52bc1bdfc1f194d4eec1a740f7d5cae4949437ad7b7f925d468c4e754732e2ce8daba4318f2381a1bcf6791f3dc15868a8edd367eb31ef0e33a4bc5a676eb

Download Submit
C:\ProgramData\TcMYccMk\JiQcYsQI.exe
MD5
8cbf424805f04d731516d0c4e3b64847

SHA1
49828d480bfb00cddbf773c4f90f7bcb36ea16bd

SHA256
c7c4d881b901edf1f30c339fc18465fc6788d95d15cce23e8cbd4650c5d19857

SHA512
87d52bc1bdfc1f194d4eec1a740f7d5cae4949437ad7b7f925d468c4e754732e2ce8daba4318f2381a1bcf6791f3dc15868a8edd367eb31ef0e33a4bc5a676eb

Download Submit
C:\ProgramData\TcMYccMk\JiQcYsQI.inf
MD5
4b43cd85c28d2644493e9e1293876f6f

SHA1
2956958b92bc01638c11d1dda0f677a6018cf7a5

SHA256
63a9576f1b52ce37bd8a05b58cfec85014fdb650476d0ed707c23eff9e456b21

SHA512
46e11cb1a0628d91b6838dd4f48e63c6ecbeebf02471743ef568e4fba01fad5c97b6e3a5b8a1f39cdbeb81f374e0c4a3a69e21c89a1c8e50c0b39b3f8ef79c0b

Download Submit
C:\ProgramData\TcMYccMk\JiQcYsQI.inf
MD5
e6fec37fd6ff46b9de9615464a3892f4

SHA1
47f296dcf09aff3928c99b29269f8c9d4dda04b8

SHA256
f04919701fd8e4ba8a4b32f477e4b82d7104bfc04b5eedf22f6d875ce522136c

SHA512
18e5b4a2c0565cae86902f7f6a7b58b91a3f8b68541d9acbd938642a9523296b9e22dcd24dca3bf2a8401d9af4bd68214acfe67f4c7951496553e120b45d28b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d002e9f91400e8522e5d2de7bd353c7bc8672897f3b618ada0d725ca589dc4
MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMksUQkE.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQokMUgg.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RqIsIEoM.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQQogEwg.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgwUAQoY.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQgoIYsE.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcsEckEE.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XGsMIYoU.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAMQkQwU.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\doUYEMkM.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hMwQcYgA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lSUcoAUw.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkAkMEEI.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMAYQEAw.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uCYokkgM.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uKkcwccQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wucsAEsE.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wycoYIYk.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQQMQYYc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\iGoQEQEE\zOMYcsQs.exe
MD5
045e20ebdb2024def5beeb6287f11806

SHA1
75029986b8f375ca54e281a331a11b0d00210704

SHA256
df953bbb5058e091b54ad9872deccd9c8186c9a95cd990f917af83dfabd1e421

SHA512
022bb4975cfb43b89c2386ef9b938dcb4d762c4666c96dbf0951032616efcb8bca1690fc7fbde97a1426a2affd9de5ea4ce2f41831f5ee3c4b30fa5ca5a18dca

Download Submit
C:\Users\Admin\iGoQEQEE\zOMYcsQs.exe
MD5
045e20ebdb2024def5beeb6287f11806

SHA1
75029986b8f375ca54e281a331a11b0d00210704

SHA256
df953bbb5058e091b54ad9872deccd9c8186c9a95cd990f917af83dfabd1e421

SHA512
022bb4975cfb43b89c2386ef9b938dcb4d762c4666c96dbf0951032616efcb8bca1690fc7fbde97a1426a2affd9de5ea4ce2f41831f5ee3c4b30fa5ca5a18dca

Download Submit
C:\Users\Admin\iGoQEQEE\zOMYcsQs.inf
MD5
4b43cd85c28d2644493e9e1293876f6f

SHA1
2956958b92bc01638c11d1dda0f677a6018cf7a5

SHA256
63a9576f1b52ce37bd8a05b58cfec85014fdb650476d0ed707c23eff9e456b21

SHA512
46e11cb1a0628d91b6838dd4f48e63c6ecbeebf02471743ef568e4fba01fad5c97b6e3a5b8a1f39cdbeb81f374e0c4a3a69e21c89a1c8e50c0b39b3f8ef79c0b

Download Submit
C:\Users\Admin\iGoQEQEE\zOMYcsQs.inf
MD5
e6fec37fd6ff46b9de9615464a3892f4

SHA1
47f296dcf09aff3928c99b29269f8c9d4dda04b8

SHA256
f04919701fd8e4ba8a4b32f477e4b82d7104bfc04b5eedf22f6d875ce522136c

SHA512
18e5b4a2c0565cae86902f7f6a7b58b91a3f8b68541d9acbd938642a9523296b9e22dcd24dca3bf2a8401d9af4bd68214acfe67f4c7951496553e120b45d28b4

Download Submit
memory/188-196-0x0000000000000000-mapping.dmp

Download
memory/192-152-0x0000000000000000-mapping.dmp

Download
memory/196-123-0x0000000000000000-mapping.dmp

Download
memory/200-198-0x0000000000000000-mapping.dmp

Download
memory/428-173-0x0000000000000000-mapping.dmp

Download
memory/636-191-0x0000000000000000-mapping.dmp

Download
memory/644-188-0x0000000000000000-mapping.dmp

Download
memory/652-162-0x0000000000000000-mapping.dmp

Download
memory/652-190-0x0000000000000000-mapping.dmp

Download
memory/744-172-0x0000000000000000-mapping.dmp

Download
memory/960-184-0x0000000000000000-mapping.dmp

Download
memory/960-163-0x0000000000000000-mapping.dmp

Download
memory/976-134-0x0000000000000000-mapping.dmp

Download
memory/1088-154-0x0000000000000000-mapping.dmp

Download
memory/1088-141-0x0000000000000000-mapping.dmp

Download
memory/1224-142-0x0000000000000000-mapping.dmp

Download
memory/1244-179-0x0000000000000000-mapping.dmp

Download
memory/1252-169-0x0000000000000000-mapping.dmp

Download
memory/1448-140-0x0000000000000000-mapping.dmp

Download
memory/1492-130-0x0000000000000000-mapping.dmp

Download
memory/1516-139-0x0000000000000000-mapping.dmp

Download
memory/1776-131-0x0000000000000000-mapping.dmp

Download
memory/1940-170-0x0000000000000000-mapping.dmp

Download
memory/2200-202-0x0000000000000000-mapping.dmp

Download
memory/2220-132-0x0000000000000000-mapping.dmp

Download
memory/2288-165-0x0000000000000000-mapping.dmp

Download
memory/2300-117-0x0000000000000000-mapping.dmp

Download
memory/2480-143-0x0000000000000000-mapping.dmp

Download
memory/2484-144-0x0000000000000000-mapping.dmp

Download
memory/2540-133-0x0000000000000000-mapping.dmp

Download
memory/2540-201-0x0000000000000000-mapping.dmp

Download
memory/2544-156-0x0000000000000000-mapping.dmp

Download
memory/2552-200-0x0000000000000000-mapping.dmp

Download
memory/2556-183-0x0000000000000000-mapping.dmp

Download
memory/2556-199-0x0000000000000000-mapping.dmp

Download
memory/2560-161-0x0000000000000000-mapping.dmp

Download
memory/2568-147-0x0000000000000000-mapping.dmp

Download
memory/2588-203-0x0000000000000000-mapping.dmp

Download
memory/2700-114-0x0000000000000000-mapping.dmp

Download
memory/2716-150-0x0000000000000000-mapping.dmp

Download
memory/3028-149-0x0000000000000000-mapping.dmp

Download
memory/3192-151-0x0000000000000000-mapping.dmp

Download
memory/3192-194-0x0000000000000000-mapping.dmp

Download
memory/3460-124-0x0000000000000000-mapping.dmp

Download
memory/3588-176-0x0000000000000000-mapping.dmp

Download
memory/3588-121-0x0000000000000000-mapping.dmp

Download
memory/3592-153-0x0000000000000000-mapping.dmp

Download
memory/3648-125-0x0000000000000000-mapping.dmp

Download
memory/3656-127-0x0000000000000000-mapping.dmp

Download
memory/3656-192-0x0000000000000000-mapping.dmp

Download
memory/3668-160-0x0000000000000000-mapping.dmp

Download
memory/3720-182-0x0000000000000000-mapping.dmp

Download
memory/3756-171-0x0000000000000000-mapping.dmp

Download
memory/3852-186-0x0000000000000000-mapping.dmp

Download
memory/3860-120-0x0000000000000000-mapping.dmp

Download
memory/3864-174-0x0000000000000000-mapping.dmp

Download
memory/3872-180-0x0000000000000000-mapping.dmp

Download
memory/3880-129-0x0000000000000000-mapping.dmp

Download
memory/3940-181-0x0000000000000000-mapping.dmp

Download
memory/3960-166-0x0000000000000000-mapping.dmp

Download
memory/4036-122-0x0000000000000000-mapping.dmp

Download
memory/4048-137-0x0000000000000000-mapping.dmp

Download
memory/4048-193-0x0000000000000000-mapping.dmp

Download
memory/4092-158-0x0000000000000000-mapping.dmp

Download