f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8

Analysis

max time kernel
155s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
Size

442KB
MD5

ad1860ba37160c5cd9c8edfd9a6f244e
SHA1

afbcf0a29389b0dd2c404d3f510d9bad45c25766
SHA256

f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
SHA512

3f7df7e68ba4a6156cd38240248321dff2d0e0349c3f088430709c85e8e60a453091e8d81ea58428b4dfdb40809a62b6193da4a64a9671831cbf234e3a3049b6
SSDEEP

6144:SD5JMGANr/Uz1u2MZXAPwCjpeiOmxpoNYyaUYsq7q91TxfUwerPzVSWh:aD2Nr/EGCwCjpeiPxkwr0RUvRSE

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exeConhost.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exeConhost.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

Processes:

TYUcAAEk.exeHSEMYocM.exejiAwIgIo.exe

pid process

1620 TYUcAAEk.exe
2544 HSEMYocM.exe
804 jiAwIgIo.exe

pid	process
1620	TYUcAAEk.exe
2544	HSEMYocM.exe
804	jiAwIgIo.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HSEMYocM.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	HSEMYocM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HSEMYocM.exejiAwIgIo.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exeTYUcAAEk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HSEMYocM.exe = "C:\\ProgramData\\cEMUkcYY\\HSEMYocM.exe"	HSEMYocM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HSEMYocM.exe = "C:\\ProgramData\\cEMUkcYY\\HSEMYocM.exe"	jiAwIgIo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TYUcAAEk.exe = "C:\\Users\\Admin\\wmMMQkck\\TYUcAAEk.exe"	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HSEMYocM.exe = "C:\\ProgramData\\cEMUkcYY\\HSEMYocM.exe"	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TYUcAAEk.exe = "C:\\Users\\Admin\\wmMMQkck\\TYUcAAEk.exe"	TYUcAAEk.exe

Drops file in System32 directory 7 IoCs

Processes:

HSEMYocM.exejiAwIgIo.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\sheRegisterSet.pptx	HSEMYocM.exe
File opened for modification	C:\Windows\SysWOW64\sheSendRedo.xls	HSEMYocM.exe
File opened for modification	C:\Windows\SysWOW64\sheSyncConvertTo.xlsx	HSEMYocM.exe
File opened for modification	C:\Windows\SysWOW64\sheUseLimit.jpg	HSEMYocM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\wmMMQkck	jiAwIgIo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\wmMMQkck\TYUcAAEk	jiAwIgIo.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	HSEMYocM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1132	reg.exe
2192	reg.exe
1508	reg.exe
3844	reg.exe
1816	reg.exe
3832	reg.exe
3408	reg.exe
1960	reg.exe
4148	reg.exe
3380	reg.exe
1056	reg.exe
3560	reg.exe
4864	reg.exe
1796	reg.exe
3956	reg.exe
5152	reg.exe
3408	reg.exe
5456	reg.exe
3320	reg.exe
5976	reg.exe
1688	reg.exe
5304	reg.exe
836	reg.exe
2260	reg.exe
624	reg.exe
1544	reg.exe
4488	reg.exe
5508	reg.exe
4280	reg.exe
1160	reg.exe
2776	reg.exe
2364	reg.exe
5784	reg.exe
5016	reg.exe
5800	reg.exe
396	reg.exe
5592	reg.exe
5864	reg.exe
4564	reg.exe
4620	reg.exe
3668	reg.exe
5288	reg.exe
1948	reg.exe
4208	reg.exe
684	reg.exe
5972	reg.exe
3980	reg.exe
4220	reg.exe
1404	reg.exe
3624	reg.exe
1404	reg.exe
2848	reg.exe
5004	reg.exe
6096	reg.exe
1380	reg.exe
116	reg.exe
2652	reg.exe
5436	reg.exe
3840	reg.exe
540	reg.exe
1460	reg.exe
4208	reg.exe
5944	reg.exe
2924	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe

pid	process
528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
1952	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
1952	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
1952	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
1952	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4656	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4656	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4656	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4656	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4896	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4896	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4896	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4896	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
3636	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
3636	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
3636	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
3636	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
624	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
624	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
624	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
624	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2036	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2036	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2036	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2036	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4200	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4200	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4200	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
4200	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2468	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2468	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2468	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2468	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
3800	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
3800	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
3800	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
3800	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2808	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2808	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2808	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2808	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
1824	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
1824	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
1824	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
1824	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2560	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2560	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2560	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
2560	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
3096	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
3096	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
3096	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
3096	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

HSEMYocM.exe

pid process

2544 HSEMYocM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

HSEMYocM.exe

pid	process
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe
2544	HSEMYocM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.execmd.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.execmd.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.execmd.exef680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe

description	pid	process	target process
PID 528 wrote to memory of 1620	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	TYUcAAEk.exe
PID 528 wrote to memory of 1620	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	TYUcAAEk.exe
PID 528 wrote to memory of 1620	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	TYUcAAEk.exe
PID 528 wrote to memory of 2544	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	HSEMYocM.exe
PID 528 wrote to memory of 2544	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	HSEMYocM.exe
PID 528 wrote to memory of 2544	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	HSEMYocM.exe
PID 528 wrote to memory of 1216	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 528 wrote to memory of 1216	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 528 wrote to memory of 1216	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 528 wrote to memory of 5004	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 528 wrote to memory of 5004	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 528 wrote to memory of 5004	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 1216 wrote to memory of 5032	1216	cmd.exe	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
PID 1216 wrote to memory of 5032	1216	cmd.exe	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
PID 1216 wrote to memory of 5032	1216	cmd.exe	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
PID 528 wrote to memory of 1696	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 528 wrote to memory of 1696	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 528 wrote to memory of 1696	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 528 wrote to memory of 4908	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 528 wrote to memory of 4908	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 528 wrote to memory of 4908	528	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 5032 wrote to memory of 3700	5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 5032 wrote to memory of 3700	5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 5032 wrote to memory of 3700	5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 3700 wrote to memory of 4720	3700	cmd.exe	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
PID 3700 wrote to memory of 4720	3700	cmd.exe	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
PID 3700 wrote to memory of 4720	3700	cmd.exe	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
PID 4720 wrote to memory of 4088	4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 4720 wrote to memory of 4088	4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 4720 wrote to memory of 4088	4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 4088 wrote to memory of 1952	4088	cmd.exe	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
PID 4088 wrote to memory of 1952	4088	cmd.exe	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
PID 4088 wrote to memory of 1952	4088	cmd.exe	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
PID 5032 wrote to memory of 4564	5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 5032 wrote to memory of 4564	5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 5032 wrote to memory of 4564	5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 4720 wrote to memory of 3380	4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 4720 wrote to memory of 3380	4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 4720 wrote to memory of 3380	4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 5032 wrote to memory of 116	5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 5032 wrote to memory of 116	5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 5032 wrote to memory of 116	5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 5032 wrote to memory of 1600	5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 5032 wrote to memory of 1600	5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 5032 wrote to memory of 1600	5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 4720 wrote to memory of 1704	4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 4720 wrote to memory of 1704	4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 4720 wrote to memory of 1704	4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 4720 wrote to memory of 1284	4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 4720 wrote to memory of 1284	4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 4720 wrote to memory of 1284	4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 5032 wrote to memory of 2784	5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 5032 wrote to memory of 2784	5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 5032 wrote to memory of 2784	5032	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 4720 wrote to memory of 1676	4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 4720 wrote to memory of 1676	4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 4720 wrote to memory of 1676	4720	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 1952 wrote to memory of 4276	1952	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 1952 wrote to memory of 4276	1952	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 1952 wrote to memory of 4276	1952	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	cmd.exe
PID 1952 wrote to memory of 1404	1952	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 1952 wrote to memory of 1404	1952	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 1952 wrote to memory of 1404	1952	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe
PID 1952 wrote to memory of 1132	1952	f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
"C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\wmMMQkck\TYUcAAEk.exe
"C:\Users\Admin\wmMMQkck\TYUcAAEk.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1620

C:\ProgramData\cEMUkcYY\HSEMYocM.exe
"C:\ProgramData\cEMUkcYY\HSEMYocM.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
2⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
4⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
6⤵
- Suspicious use of WriteProcessMemory
PID:4088

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
8⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
10⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
12⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
14⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
16⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
18⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
20⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
22⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
24⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
26⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
28⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
30⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
32⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
33⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
34⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
35⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
36⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
37⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
38⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
39⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
40⤵
PID:3728

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
41⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
42⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
43⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
44⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
45⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
46⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
47⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
48⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
49⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
50⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
51⤵
PID:3636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
52⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
53⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
54⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
55⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
56⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
57⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
58⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
59⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
60⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
61⤵
PID:5380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
62⤵
PID:5608

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
63⤵
PID:5660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
64⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
65⤵
PID:5920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
66⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
67⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
68⤵
PID:5532

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
69⤵
PID:5512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEMgkAwU.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
70⤵
PID:5884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:5900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:5704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
- Modifies registry key
PID:5976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:5716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
70⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
71⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
72⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
73⤵
PID:5456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
74⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
75⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
76⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
77⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
78⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
79⤵
PID:5576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
80⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
81⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
82⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
83⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
84⤵
PID:6040

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
85⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
86⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
87⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
88⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
89⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
90⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
91⤵
PID:5360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
92⤵
PID:5276

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
93⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
94⤵
PID:6016

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
95⤵
PID:5728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
96⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
97⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
98⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
99⤵
PID:5576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
100⤵
PID:6112

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
101⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
102⤵
PID:6064

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
103⤵
PID:6056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
104⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
105⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
106⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
107⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
108⤵
PID:6080

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
109⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
110⤵
PID:5696

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
111⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
112⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
113⤵
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
114⤵
PID:5596

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
115⤵
PID:5760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
116⤵
PID:5300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:5752

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
117⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
118⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
119⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
120⤵
PID:696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
- UAC bypass
PID:3656

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
121⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
122⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
123⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
124⤵
PID:768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:5636

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
125⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
126⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
127⤵
PID:3088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
128⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
129⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
130⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
131⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
132⤵
PID:5440

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
133⤵
PID:6076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
134⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
135⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
136⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
137⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
138⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
139⤵
PID:5812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
140⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
141⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
142⤵
PID:696

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
143⤵
PID:6056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
144⤵
PID:5144

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
145⤵
PID:5940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
146⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
147⤵
PID:5636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
148⤵
PID:6020

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
149⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
150⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
151⤵
PID:6036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
152⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
153⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
154⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
155⤵
PID:5596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
156⤵
PID:5740

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
157⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
158⤵
PID:5204

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
159⤵
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
160⤵
PID:6028

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
161⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
162⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
163⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
164⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
165⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
166⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
167⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
168⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
169⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
170⤵
PID:5936

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
171⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8"
172⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
173⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
PID:5380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies registry key
PID:5508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fakkEgoI.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
172⤵
PID:5388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:5820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
- Modifies registry key
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egwgoAgo.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
170⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:5692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
- Modifies registry key
PID:684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:5340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYIEkwAY.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
168⤵
PID:5196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:5136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
- Modifies registry key
PID:3560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYkYcEoU.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
166⤵
PID:640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:5684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byEAMwcc.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
164⤵
PID:5404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\haEMAMww.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
162⤵
PID:5660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
- Modifies registry key
PID:1056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAsUIgEw.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
160⤵
PID:5516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:5764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:6120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
- Modifies registry key
PID:5864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMogkgII.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
158⤵
PID:1444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:5680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:5780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgEswgYg.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
156⤵
PID:2304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:5320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies registry key
PID:396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQAQIIcA.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
154⤵
PID:5932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PykcUQUo.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
152⤵
PID:5372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:5552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:5192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NecoEwww.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
150⤵
PID:4248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:5768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
- Modifies registry key
PID:1380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
- Modifies registry key
PID:2776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYMgEMYk.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
148⤵
PID:4660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:5196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGQYIksY.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
146⤵
PID:3952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
- Modifies registry key
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSoQEkAM.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
144⤵
PID:1120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQIgYUkU.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
142⤵
PID:5856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:6092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:6068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:1260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
- Modifies registry key
PID:5592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWkssQww.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
140⤵
PID:2108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:3132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCUkMYkc.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
138⤵
PID:5516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:5584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
- Modifies registry key
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGssIokU.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
136⤵
PID:3420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:5588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YakEEckI.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
134⤵
PID:5152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:5792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:5796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:5128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWMowYEY.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
132⤵
PID:5804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:5304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:5276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUcwscAg.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
130⤵
PID:5212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
- Modifies registry key
PID:5800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:5136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies registry key
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGUAMokQ.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
128⤵
PID:988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
- Modifies registry key
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWookEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
126⤵
PID:5220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:5832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- Modifies registry key
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoYwIkAA.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
124⤵
PID:2492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:6092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:5532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouUUMAsI.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
122⤵
PID:4260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:6088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
- UAC bypass
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:6096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaUEYQQM.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
120⤵
PID:5224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:5848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:2076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
- Modifies visibility of file extensions in Explorer
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
- Modifies registry key
PID:3840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EakcgQkc.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
118⤵
PID:5812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:6136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEgsYwQE.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
116⤵
PID:5436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:5620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:4236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
- Modifies registry key
PID:5304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:5440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQYUoYQw.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
114⤵
PID:5308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:6076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
- Modifies registry key
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkIscEMk.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
112⤵
PID:1680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egkAAEkY.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
110⤵
PID:4484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rekYcgMo.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
108⤵
PID:1380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMgMkwUg.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
106⤵
PID:4044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
- Modifies registry key
PID:5972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:5984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqAkgwkE.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
104⤵
PID:5168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:5636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgAYQIAw.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
102⤵
PID:5704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:6128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:6096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSokEgEc.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
100⤵
PID:5660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:5592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCscosAQ.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
98⤵
PID:4440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
- Modifies registry key
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaQgwAQs.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
96⤵
PID:5140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- Modifies registry key
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewQQEQIY.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
94⤵
PID:5932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:5752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:6044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:6052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:5936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAYkIwwE.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
92⤵
PID:4580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:6108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:5136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:5328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCsYgUwc.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
90⤵
PID:3964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSMgkgcc.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
88⤵
PID:2684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:3812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
- Modifies registry key
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:5772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BscAAwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
86⤵
PID:3756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:5228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaUwcwUg.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
84⤵
PID:212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lioscoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
82⤵
PID:6068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:6060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:6000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:6048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BegkYQUo.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
80⤵
PID:5636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoksgAcA.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
78⤵
PID:4956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USokAUMw.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
76⤵
PID:5084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:5780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
- Modifies registry key
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- Modifies registry key
PID:5436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMksQkAU.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
74⤵
PID:5748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:4028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:5300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jckAcQoc.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
72⤵
PID:5272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:5440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:5428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUEkoIMk.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
68⤵
PID:5632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:5848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:5476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:5468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:5140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- Modifies registry key
PID:5152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkwkMEIA.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
66⤵
PID:5220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:5288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:5928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:5936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAgwwwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
64⤵
PID:5952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:6096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
- Modifies registry key
PID:5944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkIUkQYU.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
62⤵
PID:5696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:5856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:5688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:5680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:5672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMEUgkYg.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
60⤵
PID:5420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:5556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:5412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:5404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:5396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYkAYQAA.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
58⤵
PID:5156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:5312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:5148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:5136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:5128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MesQMgkw.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
56⤵
PID:3272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
- Modifies registry key
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAkscccQ.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
54⤵
PID:1960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- Modifies registry key
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckswgYYI.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
52⤵
PID:3952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISgkEcgA.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
50⤵
PID:3312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:3680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies registry key
PID:2652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEUggQwA.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
48⤵
PID:3040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:4276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCEcAwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
46⤵
PID:4336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
- Modifies registry key
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiMUgwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
44⤵
PID:4656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
- Modifies registry key
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NokgccMQ.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
42⤵
PID:4208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
- Modifies registry key
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCgogAMo.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
40⤵
PID:1480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:3400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqIcQIco.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
38⤵
PID:4148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:4532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EisAsMMk.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
36⤵
PID:684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMAoIQIk.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
34⤵
PID:2176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqYkIIIo.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
32⤵
PID:4592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- Modifies registry key
PID:3320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEMAscYg.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
30⤵
PID:2664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PasEgMYs.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
28⤵
PID:1488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- Modifies registry key
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
- Modifies registry key
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMAEIwko.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
26⤵
PID:5076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUMQwwEE.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
24⤵
PID:3816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:3728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMssgcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
22⤵
PID:4108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
- Modifies registry key
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASIcIUYM.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
20⤵
PID:3128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:3832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgAMgIYs.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
18⤵
PID:4548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayQgEYcE.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
16⤵
PID:4716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQwMIQkI.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
14⤵
PID:4428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
- Modifies registry key
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCEAsUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
12⤵
PID:1388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
- Modifies registry key
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies registry key
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UoYQkIkk.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
10⤵
PID:3264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiwUIcIs.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
8⤵
PID:4852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies registry key
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwUEoosI.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
6⤵
PID:1676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmkEAUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
4⤵
PID:2784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmAQcoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8.exe""
2⤵
PID:2304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4944

C:\ProgramData\vIAYsoQI\jiAwIgIo.exe
C:\ProgramData\vIAYsoQI\jiAwIgIo.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cEMUkcYY\HSEMYocM.exe
Filesize
434KB

MD5
68906058ce0d8c09314da0086ac6ce05

SHA1
bc7d2bb6dcaae163e99b2d92eb75b8e86a5c90c6

SHA256
4f01444323ec57a35dbf05fe91e051d0938544cc06e4b9705b10dc59c5e8cb62

SHA512
57f3b54a122e1a79dc4291f36f43517a890356acf7db49040616cc1a9505450c4e8910ccb50dfd833f11ab69681c68fba9a8ced2f5dd44d5b5382901c02ef860

Download Submit
C:\ProgramData\cEMUkcYY\HSEMYocM.exe
Filesize
434KB

MD5
68906058ce0d8c09314da0086ac6ce05

SHA1
bc7d2bb6dcaae163e99b2d92eb75b8e86a5c90c6

SHA256
4f01444323ec57a35dbf05fe91e051d0938544cc06e4b9705b10dc59c5e8cb62

SHA512
57f3b54a122e1a79dc4291f36f43517a890356acf7db49040616cc1a9505450c4e8910ccb50dfd833f11ab69681c68fba9a8ced2f5dd44d5b5382901c02ef860

Download Submit
C:\ProgramData\vIAYsoQI\jiAwIgIo.exe
Filesize
430KB

MD5
63450b2784278e078fe1bb1b96f27c28

SHA1
5c9d0b8f10998d78fc1a885f3c83372da3126aa9

SHA256
aa167ebb4c93cf51cb2720a9255d1b2530c4001d96d38aff0a755a26a808d3be

SHA512
2cd3c720d89315dfe3f0582ad1925b043ec142e7151fd4bd1edb3d62e8c2e2ed791e3ba31f7f31ee70d51d1df8759f9d244f3395871be91fee955ba8d3529b97

Download Submit
C:\ProgramData\vIAYsoQI\jiAwIgIo.exe
Filesize
430KB

MD5
63450b2784278e078fe1bb1b96f27c28

SHA1
5c9d0b8f10998d78fc1a885f3c83372da3126aa9

SHA256
aa167ebb4c93cf51cb2720a9255d1b2530c4001d96d38aff0a755a26a808d3be

SHA512
2cd3c720d89315dfe3f0582ad1925b043ec142e7151fd4bd1edb3d62e8c2e2ed791e3ba31f7f31ee70d51d1df8759f9d244f3395871be91fee955ba8d3529b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASIcIUYM.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwUEoosI.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgAMgIYs.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EisAsMMk.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISgkEcgA.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JiwUIcIs.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQwMIQkI.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NokgccMQ.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PasEgMYs.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PmkEAUMQ.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UiMUgwgQ.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoYQkIkk.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqIcQIco.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZCEcAwoQ.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMAoIQIk.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayQgEYcE.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bCEAsUsQ.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckswgYYI.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEMAscYg.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMAEIwko.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\f680331d4c0abf81777b43629de4be6ca10d2c808588f5b429d7b2efcfd7f7d8
Filesize
7KB

MD5
8995c7a53e0a148026fbd0da69be9f59

SHA1
05a9908e9e3e640a426214276de1cbca6f72307c

SHA256
d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3

SHA512
45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqYkIIIo.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUMQwwEE.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wCgogAMo.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEUggQwA.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMssgcoQ.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\wmMMQkck\TYUcAAEk.exe
Filesize
432KB

MD5
ddc57fb17b098fd204c9feceb730a8d7

SHA1
b3488de66d597a9a8c00c5e8da4061c2f3ed6a10

SHA256
334d1ff63a7949789ac9fa3b3de3efea77a807243bd9a021d4da730b6343f061

SHA512
529723131fd011a5ffcbcefb573617cdf75bf853c66d884f311e514b56b228707bcbd28a6d64c58f47037c97676f5ef5ddffe81be27fe15610894d7acf15d2c4

Download Submit
C:\Users\Admin\wmMMQkck\TYUcAAEk.exe
Filesize
432KB

MD5
ddc57fb17b098fd204c9feceb730a8d7

SHA1
b3488de66d597a9a8c00c5e8da4061c2f3ed6a10

SHA256
334d1ff63a7949789ac9fa3b3de3efea77a807243bd9a021d4da730b6343f061

SHA512
529723131fd011a5ffcbcefb573617cdf75bf853c66d884f311e514b56b228707bcbd28a6d64c58f47037c97676f5ef5ddffe81be27fe15610894d7acf15d2c4

Download Submit
memory/116-162-0x0000000000000000-mapping.dmp

Download
memory/228-305-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/240-220-0x0000000000000000-mapping.dmp

Download
memory/528-256-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/528-135-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/624-207-0x0000000000000000-mapping.dmp

Download
memory/624-222-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/760-311-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/804-151-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/908-229-0x0000000000000000-mapping.dmp

Download
memory/1068-227-0x0000000000000000-mapping.dmp

Download
memory/1072-226-0x0000000000000000-mapping.dmp

Download
memory/1132-174-0x0000000000000000-mapping.dmp

Download
memory/1216-144-0x0000000000000000-mapping.dmp

Download
memory/1284-165-0x0000000000000000-mapping.dmp

Download
memory/1292-276-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1388-194-0x0000000000000000-mapping.dmp

Download
memory/1404-173-0x0000000000000000-mapping.dmp

Download
memory/1432-219-0x0000000000000000-mapping.dmp

Download
memory/1536-184-0x0000000000000000-mapping.dmp

Download
memory/1544-325-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1544-326-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1548-313-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1548-312-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1600-163-0x0000000000000000-mapping.dmp

Download
memory/1604-233-0x0000000000000000-mapping.dmp

Download
memory/1620-258-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1620-136-0x0000000000000000-mapping.dmp

Download
memory/1620-148-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1676-167-0x0000000000000000-mapping.dmp

Download
memory/1696-147-0x0000000000000000-mapping.dmp

Download
memory/1704-164-0x0000000000000000-mapping.dmp

Download
memory/1824-264-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1824-265-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1952-168-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1952-157-0x0000000000000000-mapping.dmp

Download
memory/1952-177-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2036-217-0x0000000000000000-mapping.dmp

Download
memory/2036-238-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2116-298-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2144-282-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2144-284-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2164-185-0x0000000000000000-mapping.dmp

Download
memory/2192-210-0x0000000000000000-mapping.dmp

Download
memory/2468-250-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2468-246-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2540-225-0x0000000000000000-mapping.dmp

Download
memory/2544-149-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2544-139-0x0000000000000000-mapping.dmp

Download
memory/2544-257-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2560-269-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2560-266-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2560-234-0x0000000000000000-mapping.dmp

Download
memory/2780-216-0x0000000000000000-mapping.dmp

Download
memory/2784-166-0x0000000000000000-mapping.dmp

Download
memory/2796-321-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2796-322-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2808-255-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2808-260-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3092-209-0x0000000000000000-mapping.dmp

Download
memory/3096-273-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3096-271-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3152-300-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3152-302-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3264-186-0x0000000000000000-mapping.dmp

Download
memory/3380-161-0x0000000000000000-mapping.dmp

Download
memory/3428-242-0x0000000000000000-mapping.dmp

Download
memory/3528-175-0x0000000000000000-mapping.dmp

Download
memory/3636-306-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3636-212-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3636-190-0x0000000000000000-mapping.dmp

Download
memory/3636-205-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3636-309-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3684-218-0x0000000000000000-mapping.dmp

Download
memory/3692-192-0x0000000000000000-mapping.dmp

Download
memory/3700-153-0x0000000000000000-mapping.dmp

Download
memory/3784-228-0x0000000000000000-mapping.dmp

Download
memory/3800-254-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3832-235-0x0000000000000000-mapping.dmp

Download
memory/4032-206-0x0000000000000000-mapping.dmp

Download
memory/4056-181-0x0000000000000000-mapping.dmp

Download
memory/4088-156-0x0000000000000000-mapping.dmp

Download
memory/4200-239-0x0000000000000000-mapping.dmp

Download
memory/4200-245-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4216-189-0x0000000000000000-mapping.dmp

Download
memory/4276-170-0x0000000000000000-mapping.dmp

Download
memory/4280-193-0x0000000000000000-mapping.dmp

Download
memory/4348-230-0x0000000000000000-mapping.dmp

Download
memory/4380-292-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4380-290-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4400-316-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4420-236-0x0000000000000000-mapping.dmp

Download
memory/4428-211-0x0000000000000000-mapping.dmp

Download
memory/4460-191-0x0000000000000000-mapping.dmp

Download
memory/4548-237-0x0000000000000000-mapping.dmp

Download
memory/4564-160-0x0000000000000000-mapping.dmp

Download
memory/4656-179-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4656-178-0x0000000000000000-mapping.dmp

Download
memory/4656-187-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4716-221-0x0000000000000000-mapping.dmp

Download
memory/4720-171-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4720-159-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4720-154-0x0000000000000000-mapping.dmp

Download
memory/4808-208-0x0000000000000000-mapping.dmp

Download
memory/4852-176-0x0000000000000000-mapping.dmp

Download
memory/4876-244-0x0000000000000000-mapping.dmp

Download
memory/4896-182-0x0000000000000000-mapping.dmp

Download
memory/4896-195-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4908-150-0x0000000000000000-mapping.dmp

Download
memory/4944-231-0x0000000000000000-mapping.dmp

Download
memory/4996-280-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4996-278-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5004-145-0x0000000000000000-mapping.dmp

Download
memory/5016-315-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5016-183-0x0000000000000000-mapping.dmp

Download
memory/5016-314-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5032-172-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5032-158-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5032-146-0x0000000000000000-mapping.dmp

Download
memory/5040-286-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5040-288-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5052-295-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5380-317-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5512-323-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5512-324-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5660-318-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5920-319-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5920-320-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download