9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2022 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
Size

867KB
MD5

1838114e4893a371a0e4d3e8a0e88570
SHA1

490eca7e5517b3adfd7e643c595e687b42df5352
SHA256

9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
SHA512

dcaaa2580dce75961f191877f25781b9644118ead11d1612234bcc11bd54e4735bf8ca4f6dde3599a1d48762a17c9a79c2049f28da19e20dcc98c63dbfcd5849
SSDEEP

12288:pq8hiZ2zrU8ge+g/3PDarqaH0AZYSrW/TQpXqRAwYIm/NTn7g:pa8/N/rlBAZP2QpXPBk

Score

10^/10

evasion macro persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\dqgoEgYk\\lkMUIoYs.exe,"	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\dqgoEgYk\\lkMUIoYs.exe,"	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

Processes:

QsYwQUcA.exelkMUIoYs.exeOocwgEQw.exe

pid process

1748 QsYwQUcA.exe
4176 lkMUIoYs.exe
4416 OocwgEQw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1748	QsYwQUcA.exe
4176	lkMUIoYs.exe
4416	OocwgEQw.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exeQsYwQUcA.exelkMUIoYs.exeOocwgEQw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QsYwQUcA.exe = "C:\\Users\\Admin\\jQokQcoA\\QsYwQUcA.exe"	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QsYwQUcA.exe = "C:\\Users\\Admin\\jQokQcoA\\QsYwQUcA.exe"	QsYwQUcA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lkMUIoYs.exe = "C:\\ProgramData\\dqgoEgYk\\lkMUIoYs.exe"	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lkMUIoYs.exe = "C:\\ProgramData\\dqgoEgYk\\lkMUIoYs.exe"	lkMUIoYs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lkMUIoYs.exe = "C:\\ProgramData\\dqgoEgYk\\lkMUIoYs.exe"	OocwgEQw.exe

Document created with cracked Office version 27 IoCs

Office document contains Grizli777 string known to be caused by using a cracked version of the software.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333	grizli777_cracked_office

Drops file in System32 directory 2 IoCs

Processes:

OocwgEQw.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\jQokQcoA	OocwgEQw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\jQokQcoA\QsYwQUcA	OocwgEQw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
64	reg.exe
1452	reg.exe
5684	reg.exe
5408	reg.exe
6252	reg.exe
5072	reg.exe
1644	reg.exe
5132	reg.exe
5952	reg.exe
3968	reg.exe
5680	reg.exe
440	reg.exe
5648	reg.exe
4000	reg.exe
4684	reg.exe
4764	reg.exe
3224	reg.exe
5524	reg.exe
6172	reg.exe
4580	reg.exe
4968	reg.exe
5448	reg.exe
1776	reg.exe
1008	reg.exe
5780	reg.exe
5864	reg.exe
4644	reg.exe
6488	reg.exe
6392	reg.exe
3500	reg.exe
5024	reg.exe
6496	reg.exe
3048	reg.exe
4312	reg.exe
5364	reg.exe
5820	reg.exe
3916	reg.exe
4240	reg.exe
1452	reg.exe
5688	reg.exe
7044	reg.exe
640	reg.exe
5024	reg.exe
6380	reg.exe
1848	reg.exe
2084	reg.exe
5628	reg.exe
6956	reg.exe
3124	reg.exe
4948	reg.exe
5500	reg.exe
4572	reg.exe
1324	reg.exe
1804	reg.exe
4968	reg.exe
4900	reg.exe
1796	reg.exe
3984	reg.exe
5772	reg.exe
5220	reg.exe
3652	reg.exe
3548	reg.exe
6980	reg.exe
7104	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe

pid	process
2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
2344	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
2344	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
2344	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
2344	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4836	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4836	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4836	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4836	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
1060	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
1060	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
1060	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
1060	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3784	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3784	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3784	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3784	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4360	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4360	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4360	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4360	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3732	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3732	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3732	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3732	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4900	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4900	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4900	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4900	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3636	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3636	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3636	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3636	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3784	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3784	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3784	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3784	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4080	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4080	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4080	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4080	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4580	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4580	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4580	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
4580	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3824	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3824	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3824	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
3824	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
2640	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
2640	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
2640	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
2640	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.execmd.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.execmd.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.execmd.execmd.exe9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe

description	pid	process	target process
PID 2104 wrote to memory of 1748	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	QsYwQUcA.exe
PID 2104 wrote to memory of 1748	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	QsYwQUcA.exe
PID 2104 wrote to memory of 1748	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	QsYwQUcA.exe
PID 2104 wrote to memory of 4176	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	lkMUIoYs.exe
PID 2104 wrote to memory of 4176	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	lkMUIoYs.exe
PID 2104 wrote to memory of 4176	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	lkMUIoYs.exe
PID 2104 wrote to memory of 1996	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 2104 wrote to memory of 1996	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 2104 wrote to memory of 1996	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 2104 wrote to memory of 5072	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 2104 wrote to memory of 5072	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 2104 wrote to memory of 5072	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 2104 wrote to memory of 3376	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 2104 wrote to memory of 3376	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 2104 wrote to memory of 3376	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 2104 wrote to memory of 216	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 2104 wrote to memory of 216	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 2104 wrote to memory of 216	2104	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 1996 wrote to memory of 1856	1996	cmd.exe	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
PID 1996 wrote to memory of 1856	1996	cmd.exe	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
PID 1996 wrote to memory of 1856	1996	cmd.exe	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
PID 1856 wrote to memory of 4200	1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 1856 wrote to memory of 4200	1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 1856 wrote to memory of 4200	1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 1856 wrote to memory of 2244	1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 1856 wrote to memory of 2244	1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 1856 wrote to memory of 2244	1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 1856 wrote to memory of 3124	1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 1856 wrote to memory of 3124	1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 1856 wrote to memory of 3124	1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 1856 wrote to memory of 3984	1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 1856 wrote to memory of 3984	1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 1856 wrote to memory of 3984	1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 1856 wrote to memory of 364	1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 1856 wrote to memory of 364	1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 1856 wrote to memory of 364	1856	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 4200 wrote to memory of 3156	4200	cmd.exe	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
PID 4200 wrote to memory of 3156	4200	cmd.exe	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
PID 4200 wrote to memory of 3156	4200	cmd.exe	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
PID 3156 wrote to memory of 1892	3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 3156 wrote to memory of 1892	3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 3156 wrote to memory of 1892	3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 1892 wrote to memory of 2344	1892	cmd.exe	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
PID 1892 wrote to memory of 2344	1892	cmd.exe	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
PID 1892 wrote to memory of 2344	1892	cmd.exe	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
PID 3156 wrote to memory of 4000	3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 3156 wrote to memory of 4000	3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 3156 wrote to memory of 4000	3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 3156 wrote to memory of 4680	3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 3156 wrote to memory of 4680	3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 3156 wrote to memory of 4680	3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 3156 wrote to memory of 3916	3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 3156 wrote to memory of 3916	3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 3156 wrote to memory of 3916	3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe
PID 3156 wrote to memory of 1792	3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 3156 wrote to memory of 1792	3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 3156 wrote to memory of 1792	3156	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 364 wrote to memory of 4340	364	cmd.exe	cscript.exe
PID 364 wrote to memory of 4340	364	cmd.exe	cscript.exe
PID 364 wrote to memory of 4340	364	cmd.exe	cscript.exe
PID 2344 wrote to memory of 3196	2344	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 2344 wrote to memory of 3196	2344	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 2344 wrote to memory of 3196	2344	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	cmd.exe
PID 2344 wrote to memory of 456	2344	9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
"C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\jQokQcoA\QsYwQUcA.exe
"C:\Users\Admin\jQokQcoA\QsYwQUcA.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1748

C:\ProgramData\dqgoEgYk\lkMUIoYs.exe
"C:\ProgramData\dqgoEgYk\lkMUIoYs.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
4⤵
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
6⤵
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
8⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
10⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
12⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
14⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
16⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
18⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
20⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
22⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
24⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
26⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
28⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
30⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
32⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
33⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
34⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
35⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
36⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
37⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
38⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
39⤵
PID:3344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
40⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
41⤵
PID:4264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
42⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
43⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
44⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
45⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
46⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
47⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
48⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
49⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
50⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
51⤵
PID:5168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
52⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
53⤵
PID:5260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
54⤵
PID:5480

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
55⤵
PID:5552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
56⤵
PID:5748

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
57⤵
PID:5864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
58⤵
PID:5408

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
59⤵
PID:5276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
60⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
61⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
62⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
63⤵
PID:5800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
64⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
65⤵
PID:5660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
66⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
67⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
68⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
69⤵
PID:5828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
70⤵
PID:5260

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
71⤵
PID:5872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
72⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
73⤵
PID:5220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
74⤵
PID:5276

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
75⤵
PID:5232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
76⤵
PID:6196

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
77⤵
PID:6252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
78⤵
PID:6468

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
79⤵
PID:6684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
80⤵
PID:6728

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
81⤵
PID:6776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
82⤵
PID:6992

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
83⤵
PID:7040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
84⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
85⤵
PID:6148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
86⤵
PID:6404

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
87⤵
PID:6256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
88⤵
PID:6852

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
89⤵
PID:6528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
90⤵
PID:7128

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
91⤵
PID:7156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
92⤵
PID:6276

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
93⤵
PID:6484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
94⤵
PID:6560

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
95⤵
PID:6904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
96⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
97⤵
PID:6304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
98⤵
PID:6840

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
99⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
100⤵
PID:5808

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
101⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
102⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
103⤵
PID:5312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
104⤵
PID:6760

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
105⤵
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
106⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
107⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
108⤵
PID:5476

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
109⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
110⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
111⤵
PID:5464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
112⤵
PID:5488

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
113⤵
PID:6680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
114⤵
PID:5856

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
115⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
116⤵
PID:6668

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
117⤵
PID:7084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
118⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
119⤵
PID:3760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
120⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
121⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
122⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
123⤵
PID:5520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
124⤵
PID:5808

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
125⤵
PID:6076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
126⤵
PID:6396

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
127⤵
PID:5992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
128⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
129⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
130⤵
PID:6692

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
131⤵
PID:6008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
132⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
133⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
134⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
135⤵
PID:6380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
136⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
137⤵
PID:6212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
138⤵
PID:6376

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
139⤵
PID:6916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
140⤵
PID:5780

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
141⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
142⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
143⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
144⤵
PID:5672

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
145⤵
PID:308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
146⤵
PID:176

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
147⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
148⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
149⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
150⤵
PID:5880

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
151⤵
PID:5432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
152⤵
PID:5916

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
153⤵
PID:5940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
154⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333
155⤵
PID:6208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333"
156⤵
PID:5952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:4180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
- Modifies registry key
PID:6956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmoccAQs.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
156⤵
PID:4784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:3400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:5492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmUUEQEE.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
154⤵
PID:4964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:6448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:6824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:5948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:5896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYoYwIwk.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
152⤵
PID:1032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:5944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEwswUQk.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
150⤵
PID:5144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:4780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:5420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:6012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KocsAgMk.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
148⤵
PID:1272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
- Modifies registry key
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies registry key
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:6796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
- Modifies registry key
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xsEgYYAU.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
146⤵
PID:312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:6980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaMkwAEs.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
144⤵
PID:6540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:6248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- Modifies registry key
PID:5820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
- Modifies registry key
PID:5648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:6868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QasIMIAk.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
142⤵
PID:6676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:6876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:5408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baMcIUwE.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
140⤵
PID:3136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
- Modifies registry key
PID:6392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
- Modifies registry key
PID:5364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqcosgwM.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
138⤵
PID:2304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:5756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:3712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:1136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies registry key
PID:4312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
- Modifies registry key
PID:5628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgcIQcUU.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
136⤵
PID:6384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:7044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:6244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyIUYggM.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
134⤵
PID:6580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:6440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:5500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maocEYYY.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
132⤵
PID:1752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:6276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
- Modifies registry key
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwAYAYYQ.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
130⤵
PID:5128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
- Modifies registry key
PID:5952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
- Modifies registry key
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:6004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeIgwgws.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
128⤵
PID:4180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:5456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsIUckIU.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
126⤵
PID:1088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:5964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:5444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgAIMEAE.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
124⤵
PID:2028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:6408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:5664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:6488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWwMEcUM.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
122⤵
PID:6560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:6784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:6716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:5640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:7012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
- Modifies registry key
PID:5132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgMgEUYk.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
120⤵
PID:5536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:6980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwYEoEoI.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
118⤵
PID:3276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:6776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:6876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies registry key
PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:5568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:7164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSQgsIcg.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
116⤵
PID:6192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCcMMAAs.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
114⤵
PID:364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:7152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
- Modifies registry key
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
- Modifies registry key
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIgAwYIs.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
112⤵
PID:1792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:6672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:6196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmgMEwIU.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
110⤵
PID:6172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
- Modifies registry key
PID:6380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:6360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:6252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emwcwcYw.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
108⤵
PID:2484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:7064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:5972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSkAwUIk.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
106⤵
PID:4260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:6280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:5232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwcEAUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
104⤵
PID:4796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:5768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:5264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dooUkcwc.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
102⤵
PID:5456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:5424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:5664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSAcAEgI.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
100⤵
PID:6756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:5716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiocQMIc.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
98⤵
PID:6488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:7140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
- Modifies registry key
PID:5500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
- Modifies registry key
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:5660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naQcEgwM.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
96⤵
PID:6856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:6500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:7064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:7148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:7108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:6768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:6980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dsgcIUoo.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
94⤵
PID:6968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:6612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSgIgEAA.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
92⤵
PID:6148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:6256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
- Modifies registry key
PID:5220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:6172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:7120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgYYEMYU.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
90⤵
PID:7112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:6428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
- Modifies registry key
PID:7104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:6192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies registry key
PID:6496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:6872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kucsocww.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
88⤵
PID:6892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:6728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
- Modifies registry key
PID:6980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:6664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yUYAgIwU.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
86⤵
PID:6248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:6832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:6584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:6508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkAwskQw.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
84⤵
PID:6308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:6288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:6324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:5864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:7056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksoQIEgA.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
82⤵
PID:7080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:7072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:7064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:6784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:6792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:6800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoAEAMIw.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
80⤵
PID:6808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:6952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:6520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:6512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:6504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgIwsQws.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
78⤵
PID:6532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:6692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:6272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:6280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsMQQUMg.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
76⤵
PID:6296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:6448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:6288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:5680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:5868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:5260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOMQgMYE.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
74⤵
PID:5708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:6216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOYIEIIk.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
72⤵
PID:1256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:5624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:5748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
- Modifies registry key
PID:5864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsooEIco.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
70⤵
PID:4704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:5616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:5492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
- Modifies registry key
PID:5408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zssEQkoU.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
68⤵
PID:5796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCIYocMo.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
66⤵
PID:1676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:5320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
- Modifies registry key
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:5700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imAMMwwM.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
64⤵
PID:1392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:5740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiAwkgwg.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
62⤵
PID:5780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:5344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:5452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies registry key
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOQIIgYc.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
60⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:5224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies registry key
PID:5688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:5684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUEooQss.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
58⤵
PID:5212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:5720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:5256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:5800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:5792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAAEwkUM.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
56⤵
PID:5856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:5440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcMoUgYs.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
54⤵
PID:5560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:5724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:5544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:5536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:5268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tscsoEYQ.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
52⤵
PID:5296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:5432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:5288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:5280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsEYkUIU.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
50⤵
PID:3500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:5184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyksgQQA.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
48⤵
PID:5116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imAMwIQg.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
46⤵
PID:4264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:3344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
- Modifies registry key
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiAkkAII.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
44⤵
PID:64

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCMQcoIE.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
42⤵
PID:1060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:1324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuQsoMsM.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
40⤵
PID:1708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGwEQskg.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
38⤵
PID:5048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liEsosYU.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
36⤵
PID:3356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:4240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmUgMcUw.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
34⤵
PID:2256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsIAwoYA.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
32⤵
PID:4900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awcwMQMY.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
30⤵
PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCYscYkk.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
28⤵
PID:1252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umAwAEwo.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
26⤵
PID:3192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:4264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyYcYUwE.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
24⤵
PID:2344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSkskIUk.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
22⤵
PID:4556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:1372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOUswwUM.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
20⤵
PID:4628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
- Modifies registry key
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies registry key
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMgYMUAs.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
18⤵
PID:4148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsksoccA.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
16⤵
PID:3744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:3820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyksQQYs.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
14⤵
PID:2356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoggMMIY.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
12⤵
PID:4876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIoIwMQg.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
10⤵
PID:3060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQgAskgw.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
8⤵
PID:1784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
- Modifies registry key
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQokcUgw.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
6⤵
PID:1792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoQYIAsM.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUsQIgII.bat" "C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333.exe""
2⤵
PID:2444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2256

C:\ProgramData\OUEUsIQQ\OocwgEQw.exe
C:\ProgramData\OUEUsIQQ\OocwgEQw.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OUEUsIQQ\OocwgEQw.exe

Filesize
482KB

MD5
0793b9f6a10e06e033f7bf90e78856ae

SHA1
c1a2aef567e3bfe36ce6cac6a1b1e870859ef94a

SHA256
edd8f3e7e2c70422e94c6634063bc1d522fa529140079defa12fc9c5e78c5f5c

SHA512
c881482cd2447a7cf6669f1eab20cb6ee32b8298de362d1f83e9d8286919a61c8e24c90a1cab68c8fdd889513021bd27b1b915a919129c7437f424c410080f8c

Download Submit
C:\ProgramData\OUEUsIQQ\OocwgEQw.exe

Filesize
482KB

MD5
0793b9f6a10e06e033f7bf90e78856ae

SHA1
c1a2aef567e3bfe36ce6cac6a1b1e870859ef94a

SHA256
edd8f3e7e2c70422e94c6634063bc1d522fa529140079defa12fc9c5e78c5f5c

SHA512
c881482cd2447a7cf6669f1eab20cb6ee32b8298de362d1f83e9d8286919a61c8e24c90a1cab68c8fdd889513021bd27b1b915a919129c7437f424c410080f8c

Download Submit
C:\ProgramData\dqgoEgYk\lkMUIoYs.exe

Filesize
478KB

MD5
c36b61aa7ca44932c9fde02cf34b5176

SHA1
1fa5955f1a474eb78a64277170155e508d6af34b

SHA256
c23184f56495bd902850a0b0093a95d0cc37d6da025e218e750ef0e6058d806f

SHA512
5e13fb0d0548541fc89f9de3b94f0a12b8bdf41954b774b4663065c4f6701976d6dd4671ad5c28fb037e07599b4cb70db1f5bfb1ac0448e022562f643fd1c423

Download Submit
C:\ProgramData\dqgoEgYk\lkMUIoYs.exe

Filesize
478KB

MD5
c36b61aa7ca44932c9fde02cf34b5176

SHA1
1fa5955f1a474eb78a64277170155e508d6af34b

SHA256
c23184f56495bd902850a0b0093a95d0cc37d6da025e218e750ef0e6058d806f

SHA512
5e13fb0d0548541fc89f9de3b94f0a12b8bdf41954b774b4663065c4f6701976d6dd4671ad5c28fb037e07599b4cb70db1f5bfb1ac0448e022562f643fd1c423

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\9534e9f11f274b0643f099fafd6895452e15398da308b88f64049fd609215333

Filesize
384KB

MD5
2f1d7bc065945d508e62e62972e24810

SHA1
7fc24ce1a153f27829541059f548e809efd4771b

SHA256
2e94c7145d98e0eb233ec40590544dffc332344cff29ef8fb1b05e2cf523b0b5

SHA512
a8c33db560ce16b7a16e688d19b35f0a3f8e20d608f85bb9528a97f61dc93dcc8eefb160235c03548d567f9751d862567792b71b8a045c9db10a44e3cd289256

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsksoccA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQokcUgw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIoIwMQg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IOUswwUM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsEYkUIU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IyksQQYs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcMoUgYs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoQYIAsM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LmUgMcUw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoggMMIY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCYscYkk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQgAskgw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMgYMUAs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aiAkkAII.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\awcwMQMY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsIAwoYA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dyYcYUwE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\imAMwIQg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\liEsosYU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyksgQQA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oSkskIUk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tscsoEYQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\umAwAEwo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCMQcoIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuQsoMsM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\jQokQcoA\QsYwQUcA.exe

Filesize
482KB

MD5
69bcb2d66cb550daabe50861cb4d553e

SHA1
05d3e2ba75d0c45c95cc399df6446edf8dad5725

SHA256
8e29d5e7b144e31a5ef0f57153f9ff2d070d16678dd1f105a7cbd0b363546a36

SHA512
5688bba49e349ebc50b81145498d923233ab9b3f67421846d38dbd1a79fbd16033286976a0fc2fe88347cca53f3edb4e8956124a308ff105e4cddd737b1abcd7

Download Submit
C:\Users\Admin\jQokQcoA\QsYwQUcA.exe

Filesize
482KB

MD5
69bcb2d66cb550daabe50861cb4d553e

SHA1
05d3e2ba75d0c45c95cc399df6446edf8dad5725

SHA256
8e29d5e7b144e31a5ef0f57153f9ff2d070d16678dd1f105a7cbd0b363546a36

SHA512
5688bba49e349ebc50b81145498d923233ab9b3f67421846d38dbd1a79fbd16033286976a0fc2fe88347cca53f3edb4e8956124a308ff105e4cddd737b1abcd7

Download Submit
memory/8-198-0x0000000000000000-mapping.dmp

Download
memory/216-147-0x0000000000000000-mapping.dmp

Download
memory/364-155-0x0000000000000000-mapping.dmp

Download
memory/456-173-0x0000000000000000-mapping.dmp

Download
memory/576-223-0x0000000000000000-mapping.dmp

Download
memory/640-235-0x0000000000000000-mapping.dmp

Download
memory/1008-197-0x0000000000000000-mapping.dmp

Download
memory/1060-186-0x0000000000000000-mapping.dmp

Download
memory/1060-201-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1104-231-0x0000000000000000-mapping.dmp

Download
memory/1644-234-0x0000000000000000-mapping.dmp

Download
memory/1668-290-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1668-189-0x0000000000000000-mapping.dmp

Download
memory/1748-206-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1748-137-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1748-134-0x0000000000000000-mapping.dmp

Download
memory/1784-176-0x0000000000000000-mapping.dmp

Download
memory/1792-166-0x0000000000000000-mapping.dmp

Download
memory/1796-188-0x0000000000000000-mapping.dmp

Download
memory/1848-222-0x0000000000000000-mapping.dmp

Download
memory/1852-308-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1856-157-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1856-149-0x0000000000000000-mapping.dmp

Download
memory/1892-161-0x0000000000000000-mapping.dmp

Download
memory/1996-144-0x0000000000000000-mapping.dmp

Download
memory/2104-132-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2104-133-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2200-185-0x0000000000000000-mapping.dmp

Download
memory/2204-183-0x0000000000000000-mapping.dmp

Download
memory/2244-152-0x0000000000000000-mapping.dmp

Download
memory/2344-162-0x0000000000000000-mapping.dmp

Download
memory/2344-177-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2356-214-0x0000000000000000-mapping.dmp

Download
memory/2440-205-0x0000000000000000-mapping.dmp

Download
memory/2640-261-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2640-264-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2800-267-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2800-236-0x0000000000000000-mapping.dmp

Download
memory/3060-190-0x0000000000000000-mapping.dmp

Download
memory/3124-153-0x0000000000000000-mapping.dmp

Download
memory/3156-156-0x0000000000000000-mapping.dmp

Download
memory/3156-158-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3156-169-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3196-170-0x0000000000000000-mapping.dmp

Download
memory/3344-276-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3344-278-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3376-146-0x0000000000000000-mapping.dmp

Download
memory/3512-270-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3512-272-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3636-247-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3732-238-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3732-228-0x0000000000000000-mapping.dmp

Download
memory/3732-174-0x0000000000000000-mapping.dmp

Download
memory/3744-225-0x0000000000000000-mapping.dmp

Download
memory/3772-209-0x0000000000000000-mapping.dmp

Download
memory/3784-250-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3784-202-0x0000000000000000-mapping.dmp

Download
memory/3784-207-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3784-215-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3820-233-0x0000000000000000-mapping.dmp

Download
memory/3824-260-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3916-165-0x0000000000000000-mapping.dmp

Download
memory/3948-275-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3984-154-0x0000000000000000-mapping.dmp

Download
memory/3984-211-0x0000000000000000-mapping.dmp

Download
memory/4000-163-0x0000000000000000-mapping.dmp

Download
memory/4048-241-0x0000000000000000-mapping.dmp

Download
memory/4080-251-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4080-254-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4148-237-0x0000000000000000-mapping.dmp

Download
memory/4176-143-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4176-138-0x0000000000000000-mapping.dmp

Download
memory/4176-269-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4200-151-0x0000000000000000-mapping.dmp

Download
memory/4256-220-0x0000000000000000-mapping.dmp

Download
memory/4264-281-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4340-167-0x0000000000000000-mapping.dmp

Download
memory/4360-227-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4360-226-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4360-213-0x0000000000000000-mapping.dmp

Download
memory/4416-148-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4580-257-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4596-218-0x0000000000000000-mapping.dmp

Download
memory/4672-196-0x0000000000000000-mapping.dmp

Download
memory/4680-164-0x0000000000000000-mapping.dmp

Download
memory/4684-210-0x0000000000000000-mapping.dmp

Download
memory/4696-312-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4704-175-0x0000000000000000-mapping.dmp

Download
memory/4744-212-0x0000000000000000-mapping.dmp

Download
memory/4820-194-0x0000000000000000-mapping.dmp

Download
memory/4836-182-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4836-179-0x0000000000000000-mapping.dmp

Download
memory/4836-191-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4876-200-0x0000000000000000-mapping.dmp

Download
memory/4896-199-0x0000000000000000-mapping.dmp

Download
memory/4900-244-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4900-239-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4900-232-0x0000000000000000-mapping.dmp

Download
memory/4916-287-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4960-178-0x0000000000000000-mapping.dmp

Download
memory/5024-294-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5024-293-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5040-187-0x0000000000000000-mapping.dmp

Download
memory/5060-243-0x0000000000000000-mapping.dmp

Download
memory/5068-221-0x0000000000000000-mapping.dmp

Download
memory/5072-145-0x0000000000000000-mapping.dmp

Download
memory/5116-284-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5168-297-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5220-317-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5220-318-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5232-319-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5232-316-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5260-300-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5276-306-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5276-307-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5552-303-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5552-304-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5660-310-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5660-311-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5800-309-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5828-313-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5864-305-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5872-315-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/5872-314-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/6252-320-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/6684-321-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/6776-322-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/6776-323-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download