b5bc9eba7dea50a283115771c3e3c0c7a25333ce729537fc96fc8782e4767128

Analysis

max time kernel
7s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a1e0dadede90fff9bc3e115c3e71da6.exe
Size

484KB
MD5

1a1e0dadede90fff9bc3e115c3e71da6
SHA1

58c93beec97df100f565ab9533353cd456a72380
SHA256

b5bc9eba7dea50a283115771c3e3c0c7a25333ce729537fc96fc8782e4767128
SHA512

88058ea2048be2f80128654c743e57b01fa02bd1987b50324b0c44cca345789b7509bc063faadabb6c1a024a4ae29a49c63b8a1a61bea4f79de39c308199201f
SSDEEP

6144:Y03U3tjQGgI/NaqEuaIhI/Igpzuf8B6O13ALfTeotio/wwp7LBHpY9yTirt3O1hs:Y03ZGrIq9V6IaG1Q3GfhtFZl6XUS4EN

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1436	FuMQEEgo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FuMQEEgo.exe = "C:\\Users\\Admin\\BMgooAkw\\FuMQEEgo.exe"	1a1e0dadede90fff9bc3e115c3e71da6.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2312	1684	WerFault.exe	362
3520	1520	WerFault.exe	517

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3056	reg.exe
1144	reg.exe
2116	reg.exe
3340	reg.exe
3820	reg.exe
1532	Process not Found
3804	Process not Found
3776	reg.exe
3832	reg.exe
3656	reg.exe
4300	Process not Found
1760	reg.exe
1884	Process not Found
1532	reg.exe
3020	reg.exe
4648	reg.exe
5116	Process not Found
1372	Process not Found
5000	reg.exe
4484	reg.exe
4652	reg.exe
1656	reg.exe
964	reg.exe
3332	reg.exe
1740	reg.exe
2960	reg.exe
3608	reg.exe
216	reg.exe
4348	reg.exe
3384	reg.exe
5020	reg.exe
2168	reg.exe
3380	reg.exe
3892	reg.exe
4688	reg.exe
932	Process not Found
1524	Process not Found
3768	reg.exe
4536	reg.exe
1836	reg.exe
4268	reg.exe
868	Process not Found
2760	reg.exe
1884	reg.exe
1888	reg.exe
3936	Process not Found
3348	Process not Found
2540	reg.exe
3328	reg.exe
964	reg.exe
2924	reg.exe
404	reg.exe
3660	reg.exe
1160	reg.exe
1172	Process not Found
4208	reg.exe
2440	reg.exe
4992	reg.exe
4708	reg.exe
1464	reg.exe
3600	Process not Found
684	reg.exe
1360	reg.exe
684	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4552	1a1e0dadede90fff9bc3e115c3e71da6.exe
4552	1a1e0dadede90fff9bc3e115c3e71da6.exe
4552	1a1e0dadede90fff9bc3e115c3e71da6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 1436	4552	1a1e0dadede90fff9bc3e115c3e71da6.exe	89
PID 4552 wrote to memory of 1436	4552	1a1e0dadede90fff9bc3e115c3e71da6.exe	89
PID 4552 wrote to memory of 1436	4552	1a1e0dadede90fff9bc3e115c3e71da6.exe	89

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
"C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\BMgooAkw\FuMQEEgo.exe
  "C:\Users\Admin\BMgooAkw\FuMQEEgo.exe"
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:380
    - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        5⤵
        
        PID:672
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4276
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3820
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:2744
- C:\ProgramData\KMcEwIAk\oIkYAMsI.exe
  "C:\ProgramData\KMcEwIAk\oIkYAMsI.exe"
  2⤵
  PID:4472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKIYYswg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:228

C:\ProgramData\sYYgcEUE\LasIMkIo.exe
C:\ProgramData\sYYgcEUE\LasIMkIo.exe
1⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgUIAIss.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:1144
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:3384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoosIoUg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:372
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:868

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqMYgIco.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWIEoUMY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWkYgQos.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:332
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4128
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2428
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:2220
    - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        5⤵
        
        PID:4736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAYQUccI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        6⤵
        
        PID:4512

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2220
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOAMcYYQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:4928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        5⤵
        
        PID:4336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:212
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWwUoUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:404
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3008
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2416
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYMIUoUo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:392
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4536
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3004
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAAgwcIE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1888
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:5100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:3640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygMUQwso.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:5048
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3804
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysgEkooE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        5⤵
        
        PID:228
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:4120
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4908
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:5000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        5⤵
        
        PID:3376

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3704

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:2340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4640
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1420

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkQkcUkY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:1664
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1172
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:1912
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:2428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:1348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:2212
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:4840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:1756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIsMoQog.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:1300
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1164
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4876
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:4488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:3568

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:1896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:3240
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sswAgYoo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGgQYMAs.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:3960
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2316
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:684
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3340
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4888
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1324
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:5092
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
      C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
      4⤵
      PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSMAwMUU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:332
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:5020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKsAQocw.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:968
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
      C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
      4⤵
      PID:4608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAEcQMsI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        5⤵
        
        PID:868
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1840
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3460

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:4872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEwoMUEw.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:4276
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:372
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4092
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4324
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eewYossM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:380
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:400
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:1884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:4996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAEUggMA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:684
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5028
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:4120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOkQYgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:3568
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4696
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3704
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2168
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3048
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYoEogkc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5068
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4380

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuwskMow.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:2412
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3208
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1420
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:3600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4536
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcUEEwYI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IicsUEUw.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:4988
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:216
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1884
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:932
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3328
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:1472
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCAwkQss.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3292
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCksMYkY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:896
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:4780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YekUQkQE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:2460
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3248
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:2884
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4856
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEcEEIAI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:3652
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmoswAks.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4380
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2536
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3676
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQwAQgwg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:4536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:3672
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:4944

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2164
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2420
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
      C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
      4⤵
      PID:3768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        5⤵
        
        PID:1836
      - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        6⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKskIEso.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        7⤵
        
        PID:496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        7⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwYMIgUA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        5⤵
        
        PID:1116
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:3420
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4268
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:3808
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:968
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAUIUQok.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:1220
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:4740
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:4388
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:1368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:372
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmccYcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:4536
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3064
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5048
    - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        5⤵
        
        PID:2884
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3820
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        6⤵
        
        PID:2316
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:1884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:3568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWkswwYY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:3608
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3164
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4036
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2644
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:812
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:4644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SggYwQcM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:216
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hooowssk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        5⤵
        
        PID:1532
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:3456
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4876
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAkIgUMw.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        5⤵
        
        PID:2952
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:3340
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmossgIU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        6⤵
        
        PID:4640
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:1160
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1500
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        6⤵
        
        PID:5040
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:3652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        5⤵
        
        PID:3928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:4376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIQAgAss.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:896
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5048
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4252
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4624
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkYcskgc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:4348
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUUoEMEM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:2808
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:868
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:3044
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
      C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
      4⤵
      PID:3164
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        5⤵
        
        PID:2328
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIYkIwIk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        5⤵
        
        PID:5068
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3680
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siscAgYM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1420
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4920

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:1524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:2112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\paUoMsQo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:4988
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4484
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEgMgYAE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:1164
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5032
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:3656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQUEwsgM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:4856
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1656
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3292
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3652

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYUsEYoc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:812
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5020
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4652
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:4216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:372
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:3600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMkkwkUQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:4036
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:4848
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4012
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2824
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEIUswEc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:2324
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUEYYAMU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bucwkUcI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:5056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5104
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:4332
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:5000
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4876

C:\Users\Admin\iYIUAgIA\wGEAoAIY.exe
"C:\Users\Admin\iYIUAgIA\wGEAoAIY.exe"
1⤵
PID:5092

C:\ProgramData\fcYEoEUs\OgoEccIk.exe
"C:\ProgramData\fcYEoEUs\OgoEccIk.exe"
1⤵
PID:1520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 312
  2⤵
  - Program crash
  PID:3520
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 1520 -ip 1520
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1684 -ip 1684
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 416
1⤵
- Program crash
PID:2312

C:\ProgramData\ZsYAYIMk\hAskMgcs.exe
C:\ProgramData\ZsYAYIMk\hAskMgcs.exe
1⤵
PID:1684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUUAIUsk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:3520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOMkMYQw.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:2556
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4376
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1520
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwQksYos.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYYgwYUI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWsMMEUc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:1472
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyAwskIo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEoAokMw.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4908
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:3656

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgcskEAA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2460
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:1784

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkQkYAIY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:792
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgsgwcAc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:880
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:1216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:404
    - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        5⤵
        
        PID:3408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAkggMUI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        6⤵
        
        PID:1896
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1172
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2416
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        6⤵
        
        PID:1740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCsMMgQs.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:2008
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3904
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:968
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4780
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKUEEgsI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:1420
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1888
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4944
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:2940

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGEsswgI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3808
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4648
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqoAQIAc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4672
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:1540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeccMwYo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:3384
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4992

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isMwkAgo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:496
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3932
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1144
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4484
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:3656

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkUAEwgI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:2328
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:880
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:496
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2904
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2312
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2536
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:1932

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:3568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:884
    - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        5⤵
        
        PID:4548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        6⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        7⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        8⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COEgwgUg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        8⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCAcoQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        6⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        9⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        8⤵
        
        PID:1784
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3332
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4740
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3768
      - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        6⤵
        
        PID:3980
    - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        5⤵
        
        PID:1932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        6⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        7⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        8⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        9⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        10⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        11⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        12⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        13⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYocIgUk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        8⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        7⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:3832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQYUkoYI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        6⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4484
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3804
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4648
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:4708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSsQswYI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:3012
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4012
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1932
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:1656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYIIMwIA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:3508
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4276
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:684
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:5084
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:4720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugQgUwYI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:4672
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3668
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3380
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1500
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2156

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:884
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2960
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIQYkIgY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:1684
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3520
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1068
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4672
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKYkMQEA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:4320
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:1744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:3776
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:2924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1876
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:500
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
      C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
      4⤵
      PID:5108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMUQgIgE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:4012
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3044

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:880
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGQwQcIk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:2904
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3608
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oowcoosE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aWMYwgwA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1848
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:4708
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1884
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:4908
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMgkAYkI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:372
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3532
  - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
      C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
      4⤵
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAAMYYwA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:5084
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:1668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3704

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:2852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:500

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:1876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYokMYMU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:672
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3656
    - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        5⤵
        
        PID:1744
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:1216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOEsIQQc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        5⤵
        
        PID:3384
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:772
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3208
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeUkUYYw.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:384
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:4352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IecUYoIs.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3656
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAYcIkws.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        5⤵
        
        PID:372
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1176
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        5⤵
        
        PID:1664
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4268
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:868
    - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        5⤵
        
        PID:3460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:5088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1788
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:684

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:3780
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:3776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:1836
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3948

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:896
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:372
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2904
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:3280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:1368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\geIEAcoY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:4688
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:2904
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCgIwYsk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:4012
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2132

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2540
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4792
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:884
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQYscosE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:500
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:1788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgQkoQUc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYEIcAwg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:884
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:4548
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmwoskEk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:672
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:884
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4944
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3676
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKMsgUAI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:1852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUwUoAcw.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:3820
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3776
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGIMMkMk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        5⤵
        
        PID:3704
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2428
      - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        6⤵
        
        PID:3208
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:772
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:3020
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGgsMgEU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1740
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsEgMkYo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:4860
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1472
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:792
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:4016

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daAkIIgM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qakgUQwE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkQQcggg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:1848
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2412
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3860
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3992
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:4016
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buMooQgY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqksAcoE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:4140
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3060
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1068
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4860
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:4512
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeoMgcQs.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:4488
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIockUQY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:3208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgwAMYAM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:1068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eogQcAMc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:1472
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1520
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:384
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2960

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OScQQUUU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:5012
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2116
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2604
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViUUgUkA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOYAgQgs.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:660
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWMEgEcI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:4780
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2328
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAwoMooE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:3936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAYgMMEE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:964
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3964
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:896
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1464
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:5020
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duMoYgMM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwYMUAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWUwgIcI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:884
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3668
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3224
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diQoYsEY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:3508
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4276
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:660
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
      C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
      4⤵
      PID:1216
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1068
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:1852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmoQwIQY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYwUEYoE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:3948
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:1888
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:684
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emsMAIwE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWUAwcsQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:4352
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2420
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5108
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcIAgoII.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKMsQEsA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:2548
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEcQAcYs.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcwcoIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1172
  - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
      C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
      4⤵
      PID:4220
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:1496
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmIAUQYE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCAsYMEY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4352
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGgMAEUA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        5⤵
        
        PID:1008
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:3892
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMUUAosA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        6⤵
        
        PID:3048
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1048
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:228
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3568
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:3860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        5⤵
        
        PID:3704
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:4484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
    3⤵
    PID:4480
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIcMEwAg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:4164
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3608
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2164
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swUMEUgA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIYUMEcc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKkwQMYA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:3508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgkIwAMo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwUUcsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2024
- C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
  C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
  2⤵
  PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:1172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkAwkkQI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeYwMMUg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
1⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
1⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KMcEwIAk\oIkYAMsI.exe

Filesize
25KB

MD5
02b4f78a09727069265fb19ac03b4a8d

SHA1
df6ec60706f73dfb7505dc51d611794671db33e0

SHA256
fb630707d04fbe35a08e9fab05528eadd763e3e3de8422d633f5fbdd8fe1fd62

SHA512
57b4b7473e28387f31e386953c56cef65434ae0260278ba45e3d0395c4c8589aef48bc0a4c7e3072ffe7e12e24b8e44a662a4bb2ed0c29177802afa8d0b34e6d

Download Submit
C:\ProgramData\KMcEwIAk\oIkYAMsI.exe

Filesize
10KB

MD5
274812dab39ac9ad4fe7f41e38459e6d

SHA1
6bc24e61d5729bb316e4131fad0feb5ddcb780bb

SHA256
a21deaa576752d27876a94af10dd717f7eabe5113ad0ee08141ca9df5746232a

SHA512
f46608aeb6485043096ae8054c38143d844c404ca3b906c25864bdd93edf71d8e899dd927db687ef1ab34280988a6426c06f39d55b29c26324de13c26559f688

Download Submit
C:\ProgramData\sYYgcEUE\LasIMkIo.exe

Filesize
23KB

MD5
ffb66cc82c65ead31d0a709421eecf18

SHA1
21bd8a40ad3293fd20e1884decc41b983ee1df5b

SHA256
e93c01ffbf3edee179cbc7dd003427490e0bd8c19470e36428442b2ce58a066c

SHA512
27fb71bee31055c5ffb424c5c69172bdd8ecfc32865d732cc1eff17a960d323ad916916de707f4aa018a3c6f8a040ca8f99928f42c241d6a5b222294c1968dbb

Download Submit
C:\ProgramData\sYYgcEUE\LasIMkIo.exe

Filesize
1KB

MD5
de4e312be04243c68c07be27ada4ca56

SHA1
b582b71e351277cb02a809be4f4553db131e08bc

SHA256
4edb53089a5c52843cf913491f1769107bff69dcbf96b76ce90970f88d9710ab

SHA512
a698190a4da7f29a03b399e6b9633b8890f4000ed01ae1278b782d656c614a73b0a6879d609343ae321500894a6725749f28ec86b50f6a0850dda1e4b43d77d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

Filesize
455KB

MD5
1be0504d4549020a183be874a288e7f4

SHA1
2b5bc8419da8a143e5ef6e7547303f6c480d4565

SHA256
2a6a15f0fd47f74a96d90ea0f5a61a74fe6552edf209f1322add601351387fd2

SHA512
06cd130e92d35a7d6db3657619cfdbf0dd7dc2cd506d32f63787e76b43df845ad76ef7f1d52dbb60ba72fd6570f35aff8d46a3f3b09358794d01a058b555046c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

Filesize
71KB

MD5
36b65834d5c733b16b6627e9f87c9ad9

SHA1
164a942df1f58e8738043933604844fe27ae8dc3

SHA256
d6ee8fbaab6d42e081464b0f2830384acf45c8dbf874bf6c2b71598e5df78495

SHA512
8b589507225a87b1508fd62a9664967baf4168edb123ebcd8251af776dc8a1ebc28353be831340f42746dcb4f20a68b2f9c827ec08efc830f0ad6faacd66f487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

Filesize
5KB

MD5
cc87c1be332aaf3997a84127e7736863

SHA1
85647e3dc329bd7a950e09676f3088f963b044a3

SHA256
2c117a55ca3d55e0e45c12ba725bba994c521b76010523f21990097284b28235

SHA512
784e68032ff49f0ff93b6d70d6ccb2120a32c6de5cd1ea82a5dd3d370c0f954e699d6a34219465d24d4f2abb4d8e023ae1a8aa978a2b71a30b8ddfeb2aff69bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

Filesize
9KB

MD5
f37678948a14770e7dbc93b92a0455ae

SHA1
71bc706a7d44371b2edfa3ca8017e5dc6119c074

SHA256
cd3de54ff59650d3e8911f6a8cd2ec4145913e0d320134408b7512b8a9ad9208

SHA512
99d62358cfbe3adc320adb6292dcd9736c1c1724a9e0fa98ee6569472856203f0b9270fe1b3491bb46c34d9b9fb7f123b882fb0408ac3cf0a1756af37643477c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

Filesize
433KB

MD5
22b898a23f741f7de765dd5de4afed89

SHA1
2ceddf44b41b6282affbb9e1500f0e95474cc9e8

SHA256
3105fc94f11031581d6bf3cab24687c521d4db355aea5f51fec3f0d2c408c11f

SHA512
b2fe626504a0370ae8e5bc470a19faaa5486dc894d622927a03439036f798cb745f3f91b084adccd9b9f40a0a6f5953195c66eb94d47a081f2ac051766a06bac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

Filesize
50KB

MD5
6becc97221fc196b445c252945194f5e

SHA1
60cda315b0693ac8068268a4effc1c8ae7f246a5

SHA256
c9aebe8c7d197c0e8f3b02616b2cc5271b0bb6ade72dc3c573bb3349158765e7

SHA512
9cc44dbe48bde7af6a23491dd2243856d1bf5e624a9b1db6e28211ef1f8e49c3ba8de4b91e8a90a4050c034699347d8a4cfa136a292f65cd2421edbd34439666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
5KB

MD5
8d9330385e1753e8a0ff79715487916e

SHA1
e4ff7b08a8d6527496b6dfcaec7e0420cb7570aa

SHA256
08ea95b635660dff3e58eb604cc8238566ef2b4571052c1970fcb2c6b28cd653

SHA512
2ca7ac58603aeed1c68ef4554e9769fdaf940a4fa8f5969987bf690debecb6dedf0db88885df26a6e1ada79fb8dbb3aca792b0256266b29107b63feb8d0f9c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6

Filesize
26KB

MD5
aecd0284dbd6a3a7705d115169503989

SHA1
f12f62c301480764eb47dc41f9f7e9e70168a6d6

SHA256
1a7e7d64be753740578b8d05c11b19058f29576890f0e72b9ba58299fa1b9793

SHA512
80d82a72103656b3fcc2975ae11e2fb9ccaab32fab0e85a62bb866896fa3ea67f4c4ff00cd38ad54d3a551bd16a0a98b21b47e097cb199c107d32cede768f25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6

Filesize
48KB

MD5
44840b46ae11971c62f6ea59273bad91

SHA1
79477b9308b0fb13e7c274c4b8f06f7c36a91543

SHA256
22326779f5599fe87151ac35ba694b47322eb990967d7b22c4a45194ff53e08a

SHA512
4883d0e061cea60681dee0fb2afbfb1e64c068291d8aa04bfddc527abf3f81cfbf176fd2ebbcccacff7fdddc0ee76bbe88de711ac133d8ea0fd689bff5db6a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACwM.ico

Filesize
1KB

MD5
53243acd3c93bfda3016f17609f3b122

SHA1
417ab120bb94afd0728e53fe60ae5b7ff207fdbe

SHA256
230c4e93e5c4bb1c77c9422551b28c04570d40d6960bd3bdf8953ac95787cb72

SHA512
e7698fdaeb0030f5fe7e70226b85aee1ce04110fe609cb23c043ee5193793f224ae13302aff279cf1df9e4c63a19ff027c343fbbf16948e64cb7840ba3e1b239

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMMc.exe

Filesize
63KB

MD5
fdfc3f022602426abcf0ceb822eebe06

SHA1
f05e50e47c33cb70b6eb7f866a749cb90dac5529

SHA256
397863644f7e7e7e00dc5251c4b59ad3650d08f84fff4da8ee1b1afb8c55bdb6

SHA512
f3d34aaa77007d20603fa885b9625b9012d9e1f13307ed7c7fe0ca140e4cd04771b0789216539cac5e3f3fa56d6e141006161f0e926fc66cc2d2cb1dfa19f3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUkS.exe

Filesize
50KB

MD5
1b246565f0263105a88e841ddff8364b

SHA1
c0df9e17f2d30414bae5f3b1dfda5ffcf4bc46a0

SHA256
b8c8b0c2720edb19a55d7ae144bc075482c086f9737db2b8ba7da40e4e1208ad

SHA512
f3f38413ebb695593f6b44fc7168afd60fa534fbc6801b449ae62fe99ea118fb628be129e576e85e1a9a49b0d412b9b0061da8bb1051062cd40782caed36eded

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIMY.exe

Filesize
1KB

MD5
e2879bec6337200fe8b4b6c1fca659d0

SHA1
a1ca71817321b08aeba84efea81813f94eb8d66e

SHA256
cdb2987b05a35e7830be3b34bd972f4e9d21636991787742ae4678adb5476e71

SHA512
4d3bfc6e42699d5074ac3f99f78a610c6843d0184cd6f6c7471d4d11f3d07135afbb88a36eb793b1350229e18ab46ef51780dda8d1a00e740537eaea0955ef4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYUW.exe

Filesize
27KB

MD5
c7c696f708189ddedd7383ebdc842e98

SHA1
fbf58c1933ad749cb81912f34b82409929612b1e

SHA256
e1d53b87338044d39bd551379e330326a82c7ed30ed3dd481af163fe7dd07d1a

SHA512
2aaf1aab843365ec2d46277677eaaa0d2840153e5393f65b4353e90ad6651c3424c740ad0a0353fe9ac1fed62bc4288102cffdfce5d41718be8177e2b74d51d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkwA.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\IosK.exe

Filesize
1KB

MD5
c5e44460add16ab8ee6f2e3ee4be22e5

SHA1
1effd51d6581c964e1b211e6f3a7152f868e349f

SHA256
666d19164b344d0579057c850301569f1d4efd1be51f443682832c47ffbc3eeb

SHA512
c03d7d4bbdcc880d1ef480961e294103553abc2b14ef241df5fee06303ce79040dfd3b3d4282dac33b8e384249ec6ca50c23e1478b125f591d103fecbbcc3f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEYy.exe

Filesize
1.0MB

MD5
dd6c021c7fc7af438529e8b039a854fb

SHA1
85acea6ea50686af25461894cf131cad0c531db5

SHA256
9dab0e07361b960dd94ccd4ea27a89e9a4dc7b71025bdc4f64cc1fc39bdaf68c

SHA512
ecde92f34204f2758467109b9549a37b02f2922d8eb72ada5afa6ec40dcb9330bab49d3e5a2d731fceb24f265134c573096756c82631eb295fe6bef8d9275451

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lcko.exe

Filesize
427KB

MD5
8c3ad71256266b11ca5db9a9732e43b4

SHA1
44fbaddda5e573866cb4661a37b88ce7b1da1412

SHA256
cc18c249642ce07a4a6b9fa159cb195f57820ad90e819a1c9c080ac2c6f75131

SHA512
61c8e55fe9d978df8ff1625215b508468e036b63dd3c218009a0c9737c2958fd3de08c8435966de77db6d5c8ef368fcfc69be7ccd8849e2949c92c3dbf6de5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgMM.exe

Filesize
502KB

MD5
4bb103e0f721904a72060d3d1ffeefca

SHA1
dfcb644d185bd87e667f32adeb1aef810a5d043a

SHA256
3897a588341a1470a6c38604a978f317c3961e3dc77ddbb736106c6391763d11

SHA512
85952ef16b935caecc4987da3b1557948dfbfc7f48993963e0ff6d9de325287dc2f3f33600f88dc28d647c334e42d022d185537eafe84e0aacc68e46d8fa3523

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUsY.exe

Filesize
439KB

MD5
faba961912db22a60c829e3c5505f53f

SHA1
dc855b902613e8d39cd702593c7c525ed6a51e84

SHA256
4a1cd0096d4e415c67dc706438262c05674a4e130b3c88d347b4e8f1512078ac

SHA512
5f735ea59fee0f356eccdd051381a282e5abae33d8c5b30863708df56124a884e529429d6bdfb8a7f7f9461ff1e37bb4b70e6aa2ab69e8d837fa450a50e71412

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEYO.exe

Filesize
42KB

MD5
fc306107a116046e2a90ce41f2446a50

SHA1
7f65e5901989d0c10f2ec029cfa71b05b1308731

SHA256
7fa62be6fc76c50a4e4ea81c3f5ffd432da59ee95f242a46336424a75a84eb05

SHA512
2a57e226bd7656c12b50df572f9023cf6f15b238bff0f6b1424bfd5a25e009a9b230a95b522eabe443e607166431f471fcbd48003ee5b720c7fc90a5f3866713

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUMY.exe

Filesize
1.0MB

MD5
b688a5dadec4ed1bf5322687ed21df22

SHA1
996d3b98fdfd8dfa58c41456faec07bed045a21b

SHA256
45dc840433205a5be81d60201126e852b88cb4aba4758a31bba97c62e144a351

SHA512
bab43ae0294216af86f203fc8d08cbb171858035c9769ebc7bb9c14efafbf9ea469178f475e9ce649d5be2f8c386c955643071b0375b6697afbb3c4b30f4e96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkEU.exe

Filesize
556KB

MD5
0f7a85c780d8dba948d617270b45e41f

SHA1
b5453dcb6bce66209766dbdc4abc5e2ab3e73a56

SHA256
9ab7d479dd62494a20b0f80f8978234d255c92a3a6aa5763e7d6d32f6fa1cbd9

SHA512
cbe80d1fc08041bc432e2b4d7389a7a0e14a48ed4a08f8c453ca6db8324be324c5d88a35c2fa1404ff986b12c865855900de86023524833599d85975f6b33d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\PsMG.exe

Filesize
147KB

MD5
114c3fc034b5cbfb6a968a24d702234e

SHA1
7ee2fb43ffd2b7c0d361c8fb6cd39c12d04cfdb2

SHA256
ece2e824326fb2c32b2f6e7d1067c6ddb5fc7ec4766958ee7621af1ccd6b0908

SHA512
dbbb2ce66143e0463a1a8a86dfb56048daa1fbf99636155b3c3c28a0bf15bcb1128d6c8ae17ba7f35d9afaa06457ca7d509e6bf7084dbf4cb7db16a8b7c8a498

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgEa.exe

Filesize
45KB

MD5
f0c21f1d02a516560530fbe0f67dd476

SHA1
5997338fdad7a9d0b945ad960f1051f742a0236b

SHA256
aa42bf2aeb20a6e3ddf7129f4601dd0eb2ca0c9d578459ba87b7b223385b4b13

SHA512
bcec21ee9f02396731006096889e7765b136d106b2b72e4331e157eb818baf4cc8a316187e1ddb01dbe5d937e4cd66be6b7de3a29f1e28a71284052880d79bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkkO.exe

Filesize
29KB

MD5
d97a9032c65595af7135582fec1efed9

SHA1
42c0214954f9b33039fe9d6311476071489f9c0a

SHA256
2b44997fa98d4c87ff7129ce99812f6555912b00a232e2580664ca56a3954271

SHA512
294bc7bb9f7e5a35c761b5535d6e0f3f3468c493c5ee6bd4a9ceec75985cd2ad17d92727d47f1ff039de8946bce40baf85c06cdb62e74cdf10fc1b4f21646336

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwQq.exe

Filesize
413KB

MD5
f24b89f763ba57a4d100819ffab22e4c

SHA1
ef9b02b6f4140b9546601ba8b64a9235f754a1f4

SHA256
92b5218095d1e9c30b185745338a2ee489b7854c5b766d6ee91c12b41bc66df3

SHA512
a739212bc6a9500ec5a590c644558984d8229ba5e73e35575578020e37cffbd88abbfac4041bb81f36df0584241c8f468d329c08f6b5acea66d4ff4e9def2526

Download Submit
C:\Users\Admin\AppData\Local\Temp\REQw.exe

Filesize
92KB

MD5
fef51de3151dc7201704eb3ac07fee16

SHA1
cd8651c93bd21aa0395bc5b9e43c1adf7202b07d

SHA256
086d9ce782f15ccf0333231f81e94d5852463c3f7c343a6485ab1e53270b6def

SHA512
a05473dcda225ddefb705c61d09acaa76d57009614149ae4dcb141f598629f0468f7187f7180afca4fcc185ac119774a7ff31f9341aefacba4e45b19f43c9bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkoK.exe

Filesize
91KB

MD5
30188579d451331b79014791bf949e9d

SHA1
388880f8b7f6c6871ddc46c8445cf9ce0926697f

SHA256
80c9c66ed351eb565390c16da4f42210770de970c493d0a429ee3bf09a6b8ba2

SHA512
10f79cb50cce1e4973175110c90f3b7c09e92f81a13589ac1cef8eba2277ebf57e2aa4a6716f47334572eff10167159591676209b056c0fc77276fd70b72e6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwgQ.exe

Filesize
1017KB

MD5
d59dd063ef6b70d9b9ab474735e0dca1

SHA1
22781957e64e2a579de932b730d4c04176369770

SHA256
606ea4697991ae5b39a9993196e93f517300301d5b92384dea364036e4dd6637

SHA512
edc4141ecac4b69854d339347a7e10905dd84ad92e89da41578ec1165a91fea24751bab601bc3201792573a8ba1455b54125755aff9d6dc05fe50ab4d8c301d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgUIAIss.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUEO.exe

Filesize
38KB

MD5
8ff18aae4974068ef487389d05275849

SHA1
48887d10a80fca42a400139a1322bfdda7f0b252

SHA256
9d304c72bbe737cc39b0287dae6ed8cb576f74047dee4097358fed0a0c4ec539

SHA512
0d2c4d66d01bed6ef3092628d4e6c61ce5f80a2f9a679298666a1d6ec9907c7794ff83a9b53f3603cba6d4807fb852c67fb093d3096847a07eeefe0bfed71c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYcw.exe

Filesize
460KB

MD5
03096afe729370f267dbe1b057a198a6

SHA1
a6afd4d5ac7954e1079b4f22f974fe9dfb2f494d

SHA256
968a527eac0b82fb004119fb6bc72b19065962356fa1e5d5a5ae8033a46d4f29

SHA512
789f553599914468342f325c5902510d64de78afbff72cb7204d0eea4ca6f618d33d1bbac39b99f92ab26dfe9d7062451c22ab4ca898afe0b0ed0a53471111f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwoQ.exe

Filesize
439KB

MD5
23d4f847cb47ac2ccce37d73fe0abd21

SHA1
05e499478c4147f886587c676f555c85912fc2f1

SHA256
ac94e24a5c2c3e44e2a35bd8f48e3820b9ceea47f9adf881131652bce4f07948

SHA512
9d322834fe1df7a3911975b380601dfeab05a80019e3e088a0919d9a5737a2bf2939c2dbbe3c198305399caa30e503a7c2eb4f027b2a9903599f2be4c2b9e476

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAce.exe

Filesize
38KB

MD5
ba0abc7dccc6a21681a35365fd78e536

SHA1
dbac78a53fb1860f76ba101c337f05bc53ddda14

SHA256
722a0aa5e275d98b41257eafc0649626c2c4fb2e7ad2fd4fc866063858f55e14

SHA512
1dd4b7fb941b2cb05e87edd53989b5ca6bd67e34b49652fa63d66e17ab3de6971599c36707cc0876f15c6c7f24ddf04307efffcd8025749f7b66ee092ea5ca67

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIAy.exe

Filesize
156KB

MD5
3beb827debebad66c1c382b20c6185b1

SHA1
3e9569bcfb6fbfcaed77fbabd5cb52527e303188

SHA256
f7cc2420e5c8e60b2519b969362f12e31220821ef3d7da5add9b1b540e6b285b

SHA512
0e5e9e365fa6321c4760a4a336f731e7a246b411c28f4a124f9e22132512d0d9ddc039d5cbbab7c65bb9a05522703312abb0c60696b137e3cd86fe490d7f32a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUwu.exe

Filesize
26KB

MD5
574e60cbca69ae5e40c163a3e76ec0b9

SHA1
8c8fa030fa69bcd37d6d24afc26fa1738742004a

SHA256
7f6f8dd3863f0c9e95e1a053ac084e0f86bafe38eb9a50758ce1e654d3efa019

SHA512
951ca9d306a88eb8308f66d2d368dd0f2f59abe31919dc17f1702a1642001f2a612f7809cb041ce4690392317bc4554f9664971cffebafa55bec92ca83b77877

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAgA.exe

Filesize
35KB

MD5
7018638ec744f40969d7d20b8988dc9c

SHA1
ff4ceff618c80a985edb22dd58836111542c5176

SHA256
696d4c56138655abdef878e19998fc6b5b870e710284a71ce8ef6c0344f77e60

SHA512
e227a2f662fbb68df5c133dcc2de07e038b264f3339e48cefbaa9083e3ed95717cf0a6aa3e1309c00f8f5ea402eca4e971c2e89496cb54769500cc96e3a5398a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYgQ.exe

Filesize
12KB

MD5
e03403252a6ef780277759af9fbd16bc

SHA1
168d28feedf1688a27347a9a057a2becf1909606

SHA256
dbb1c648f85e2825992c3c8210db690d71f93f66d49ae4daaff3d8a030821153

SHA512
ddea6273d4f0b55b90cc5e71dbcc0494dfe01e10fddcb9233ec88987566a1b5a610591874f2927ce3edbdcbdfa873780434dcd89650f6868fb31ea2b82d76c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkAw.exe

Filesize
889KB

MD5
1c3fade27ca5e0a4ea8c39ad2cd10546

SHA1
ac46c1c95e4770475ab8a57f11eee72ce82bc010

SHA256
43786d3f253e8fd9ebddb12a12f85f4572322548bf1273c2cb2906b5893612b0

SHA512
da24f0d05b16880120a97e867869414fcc3b4f39acb356788e251b435c55dd93660d528411a522c440f7e998552cc3d59ef984a68fe33c976374d68ea52b9e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIMe.exe

Filesize
23KB

MD5
038ae8bb92ab2f7060c52f6ea008cad3

SHA1
48043f5a4a67909d589a4cef7bb6c561f5b73ca9

SHA256
68a518c3204910b80a63f170a7c1b846c7fa6af6fbdb6ca4db4dbbf2c845968b

SHA512
587c382c8dd10f952e3a63f78ef738292811f4413eee9267927827e5c3380d147ab6ce4b5daf422240db866ab7d92051a4841e754d42f7c21d3436eff3106414

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIIQ.exe

Filesize
1KB

MD5
04fc7280405326fb08c7e2ea8399dfb5

SHA1
a7d17dca11c7b8182b5f01eef71bb664f7ca4e68

SHA256
07017d10d73feaa91907926a5f2ee577511d8aa74a3189c16a38870c2fdedca2

SHA512
c2b66b480b94638960d81ee42c2585b68b701c6c9ddd3c514a30e21c67aad3394280d7c276a3596ef47cfc2a1044f48f1861b67aabcde4262176beef462db37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecMC.exe

Filesize
4KB

MD5
e72423edc0c463c3d6bba9b1c89c71f3

SHA1
905ff7eac941dd734fe27996ae97acde40b7248e

SHA256
fd433a0b438148cfafa91c848d6c621032ba6f3148e3c91a1610b5883640d724

SHA512
50a7edae45fc40440426677437a8848c18a3f1a60c7f2ad98cbbb657ca0d705e8ecf1e8be56670bb36f85e0e2b12e23df90c1c4a06d86687fbc59c24b986deba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekMO.exe

Filesize
36KB

MD5
cfc32e0b341591d365d02b4995ee02d5

SHA1
cd8feca647d47f7a561414bf611c6132e0410c0d

SHA256
70555cc441195f815481c448725bc9288b6d4a2c2669369406733efa43b79d33

SHA512
06560d0996b910ba359383b6de9dda9832e9f339a96aa6c26f97ac6ae128b7a3ddd5dc6802d1b619ff91d78866534a7b0341358aa4e616a87c939db8f97e6a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYUY.exe

Filesize
211KB

MD5
ab446bd697b7a6e93a6153c186a74b50

SHA1
1a6def9a2957db86305097f86e1dcb309940af16

SHA256
d626cdab91d503c322e0eb39c09577096bf97e07de27dd8f7ac61e233ac76f59

SHA512
57ce6e0b32e87c04356845f3927737a67ca49a56eaa400abc34d00866e882bdfe61945c8b9f21ad027535e50e9bd54d3ed030e5d7030a42982d419f664ed6615

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQQe.exe

Filesize
92KB

MD5
aa9123b54784ab2c04fd24b529e3338f

SHA1
baf4b0c329c4d2f0670ed53af343af087a003061

SHA256
e9842e0604d54ece4e1e940137fd45e21467ff9a3b3646cf229af230f5fafaf4

SHA512
8a79adb7bf896918b5daf11c060cac1ee12c3784246f2b4ba7a71b731fcdf0cc2e571eab2c711f49e8406b05f8756addec37010ed0b0b07db0862ceb3386d907

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUsY.exe

Filesize
1KB

MD5
3956c925949ce42eea05dc1faed07b77

SHA1
2f5f7a26666a5a6b96d5b9eec37574322927cfeb

SHA256
c661a27f0eb8bd8a272e13bdee4e92f25fe94a06eb7f330e575eef560b5e2ee4

SHA512
22ae15986cc7824dab57cbd4f23b417efc17603918bb3fcc3bf50c72b962234f32fd9100942bcf22490e5b8df0c5dfb3cc7e0d2ddc15600b867039395b788b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcMs.exe

Filesize
5KB

MD5
80e7a94c326b98f711a3c0fe54ad7b6b

SHA1
2fdebf0967f51f0536d9b0d66a70710bfd598a31

SHA256
7bc034f69fc8cfd26e934a1457bdd76ebfc2a1c6ba21cc4b034ef0b5183e4b24

SHA512
a9685acc408727f2b638a87b49112c2a7705a6ea0fd0f5ecbd0db0e885f197f4477bda7460254f5ab100e45ca3b49d525fbc7f22800685901a3a342d8e112944

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkoM.exe

Filesize
12KB

MD5
9ca4f387645bda0fd00b82fd714506c1

SHA1
e0b2ffae6176dbcb924741712f72aa24d09719a1

SHA256
236847c344c1e53fcf881c0ca44c76ebdff7c963dcb3fc3e73852e2f0ece79cc

SHA512
e1f785169a44deec3dd7b3a35071663c5680d35f1822369d50d479a265a91c75931bf835cce316c02627459b7b3d4c2dea13a879420bf56e7efc5a3a45b7f073

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwYY.exe

Filesize
1020KB

MD5
c6dbbfc2c777111dabdf6b4bc38fe2c8

SHA1
dfde7cb900848711496c6323f59b7660a1375abb

SHA256
993648e6bdc1ee164e33e6edab3c28121f797f86e58f3d048af45cc48bc76c34

SHA512
383fc06840791a9f00090fd2ea4cd3a3069dccce0ff6f44351acedd320e5b2b04e69f7eb49e4d8f7fddc256fb4df1d7786c0458bad5d55035a4df1d0ef9c200a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAEy.exe

Filesize
2.2MB

MD5
cb5d3423ca103c30f50026fdb00158c6

SHA1
89d7852bdb5a8a64e6948deaddf3e7479633836a

SHA256
50002d664bae75b0c63009161a0faffdad1864d27c29426d3faa4ed3ee9f562a

SHA512
73f99d999ec40e125d8506194923b2b2d808d54ed11a8702902a5fceab0b955fb79474946099680186218b04181e8f9fe6d7a3ceedc298287a6adf29e92bc5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQEu.exe

Filesize
43KB

MD5
7832a1b658b38d63d19815380464bd19

SHA1
d411d3d6e3dcb8338c2ccfe029c2056c03290c5b

SHA256
fe0a500140e53bce057549c88356dc8bdccfe7d0b7cae370144a82dd0b514a72

SHA512
2ac34b10e5f63fe2c8a2d3e0ad96b6112b2be6e12534755c6857d09969b8fe8258daa7f1153cd8e75045f79924a61fa515cbbd9cfaac3fde67b7825c6acf5a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgkC.exe

Filesize
1KB

MD5
381da7c4929c15a01943f27f5ebd29e1

SHA1
34073a6f0294780f5d2ef5ef17324a6a5af41b97

SHA256
af1b99e47783eb5fe9e990fec5b5d46790a2b8204637956efc2324806bf50c9a

SHA512
475f45914be04f6608d07883a0cd5ba92f00a4811c95829f7ee6c98d8985cb99048f81c5a7b21e304bd97c2065da504b44840c94a4ade6a96aa6dd2732ca5801

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsQa.exe

Filesize
191KB

MD5
2a7fae0c42cdee0316cc708c6bcaa460

SHA1
a4de6b51e7d7f562306ad089b48f9abf3d1e600a

SHA256
44e95fc479a77629f72fc7cb46cd234f7b2d93d227d2056ae218f92e28002bdb

SHA512
4326b68d51ed4edbbe76d82021ae3a16e8fc0e3b74e99f3762aafdd41db181e5f2309e50a91796486efd24fa228d3367d84a5b985289739171b18c2dbc292ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYcc.exe

Filesize
92KB

MD5
c710ac6ffffa27d749036c072dc58cc2

SHA1
1d0ddc41b9d1df1c283a6c0e2e0583f2ccb6b557

SHA256
74f1c8c029c2400e8ba2d76e7601910e2438f98b4297bba13f382d02f3d1ac8d

SHA512
5b4cf69abb9fd5565e363673572b500349cde4a014bdc4e765faf60173046799195f18c2b15233499c672ae14724fa0dd691bd03156f5dc93b13cdbf59c7ad98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQIK.exe

Filesize
380KB

MD5
c9faeda787dab69f9a4942f3dcbb1ab6

SHA1
6f9a45fe3f9b6678e468b23ab7d08ca79d586e64

SHA256
b6bbd939db7ea5b5a2a2c9a511d4c571038d067355033fdb00aca7998f5d827c

SHA512
5fd97596fa6a09c1e42f6b5ebfeb4726dd2b30f5d388c834f2196fd7736291df697aa056b6af4856a3b4a463219f9ef16b6ac6bbd0a7c26855015d012fa92257

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYEM.exe

Filesize
501KB

MD5
76b35c45909faf86d5277d51e845c735

SHA1
49fcf5af21183c733f8441f4d2635e117a750436

SHA256
3c78ec6bcae27faefab31afecc36ff0f1925c509dd89fe103502f3d6d37fd266

SHA512
38d832bd69734e3b34cd908675c93e2ac08d352c8ae0b93c2fe4cdbd5a36187111584fa4d7c60746cafdd02544d0705257ee5ef613bbaa8504132984ead8159e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYsi.exe

Filesize
50KB

MD5
722dac23efe6d6e18eaf1ab8ef4c4f84

SHA1
36fec0695c493fe712b787b7368436bc58b2ff21

SHA256
76a0d76e5a4790d20bf37ed22ff7a9fd47dbfcccd830a87a4ebce2f5ff9370b6

SHA512
b6be4d63ff3eee9c2903758703c068238ce41cc86d2bd5ca97c4de1ad5096222bf3e3f62a5b5b5982cbb48a91a18fa25c67fbe0c5731c5a18b0f17331fde8504

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwwq.exe

Filesize
9KB

MD5
9cbc93fe5d3a4a0439f98ce2f65443b7

SHA1
781ebda9b2f2ea406c48d4977348fd2479f1594b

SHA256
fa805bc6dfb6ebb54d0b307217b205878888b0d29924f531b21b9738adc7725c

SHA512
4774f56827e419d8423285de6f6e64a0898ced659a1569049b5ad5dfd324de49ff3b5c4ebd3361f5dd83a6e2b7023ca4149903ebf84e42e3b150f96c2682576b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEkk.exe

Filesize
488KB

MD5
2afee57247d011f4131a5277ab6d93d9

SHA1
73bbcf207d813a3443c5a1bc5ea38752191576f8

SHA256
e829432502f227cb6c5dcd4dd5038565eb6f08652dba630c36cc42ec776e0037

SHA512
4c4d21a19167631d6cee66a22dc6e2c7d0961b338a34227125cfc8db63274acf935cd595cc6e8cb20ffd5a6279a9474703d4304b6bd7b852d908a10f1ebfd1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIgI.exe

Filesize
34KB

MD5
9121e8128b8fd4fcf02e1a21bfc9cdec

SHA1
9a67b3d7d64a51965401937f107a49bd03571cb0

SHA256
cff1c6415750eefd44c57008f93d4b81729efbf67ec82dd9a2ff2a8966998802

SHA512
61951e38046faf48d80d5314af53aed2626d9c6f089edcd2b6b3b3d55ea3939f08fde03c942bfcb12b9a39c93ec21c9678b8deab10b81e58944c03fdd3765051

Download Submit
C:\Users\Admin\AppData\Local\Temp\owoG.exe

Filesize
19KB

MD5
42710d0c6e9a9fd69b945b4057a32825

SHA1
f6de1c9a76a050339d42ca8340597349358eebfc

SHA256
326148f65797ae955838598bef329a785c14ac173264a2eb454a8723b38c5f26

SHA512
6083068c16e656bbfec46a6653b28b97504f39810b17d98bbf425b10ecb7bf166eb64afc43f9c0682d016bf76551826e770e7bd5907d869f9cee961310ad92af

Download Submit
C:\Users\Admin\AppData\Local\Temp\qooO.exe

Filesize
1KB

MD5
0e38dfa3044c8ccbe2c535ff1af54ee2

SHA1
e1d2a0d26ec49e4aebe310fa95126ed880cd19eb

SHA256
79fd70f8663a0cc3ce3f4176e449c427569d37c65211bc54e2b108005b7224ad

SHA512
9636c457be4e68da820959abfa287d2a060c851cd9b21ea7d9ef0b6df2ee82fb60a2f94c88d965d3de7bb12973856acf85bc25304548105e0e3b55d7a6f2d021

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsIG.exe

Filesize
473KB

MD5
24b55ee0c6c48c13ec67277e9b8354bf

SHA1
9db235c9d679d62555291236dcdc3f81ac877523

SHA256
ea7d20ccd14c596889bbe346f6ac3d820f674bddef3bc7ffe38fd8a0c750f073

SHA512
57d952c7f33ac87e0eac63a07aa3c9eccd3d3e0ed1e2e90db39c9b3588bb51ab8124ee4a2cda8f43ae4eaafe14523be351fb2d29590d5cc28feb9427ec9ce54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgYU.exe

Filesize
885KB

MD5
68672d8a9038d86e94dfd8372a41830f

SHA1
d08a614ff9f73564d7198a2576d7dc8869c0b409

SHA256
b75448052221ab4a3609b2db380c4095f5c3534c71186c829675dfdb82cfe99b

SHA512
5d64c754d3a66aaa5ebd99a4d9e153e5c7b4d9f0288ed7887b51f5d7bd3e8c89f54b7082835ede8c54706769044501e24c05a92a7555072508cddce94bda5917

Download Submit
C:\Users\Admin\AppData\Local\Temp\toIo.exe

Filesize
477KB

MD5
202b90eed33031480ec5699a256968a4

SHA1
7cc5a328be446150fccde2de34fb68a9b56ebc62

SHA256
2c3778ced604391b9630d6d0f249b6266aa4776e1d79f99b372b5bb910e890cd

SHA512
cf3cd45624f87de4ef939c4ada08c7b6b1f73148b2aeee785029a23b7584269431c926ad3e51c7a1ee631b8cac4dec227d531e80c9a41ff1b9d21831afba07e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukAs.exe

Filesize
502KB

MD5
86211de37d906729deb37b39e41b188a

SHA1
0970fa9107162e447c402e8618633fefd45af4c8

SHA256
5544a686ea3f91311fb850e8330e51ec9a5e94e1163ab331e04d43416cfeae23

SHA512
aa4598d7b89a5a42cb16fb475075395f6f5822cecd94d4b6adf58ffa0d80537cc14128aafe9cbed89d78e7ccb6dd0cff4e89f73430fe3ab4a6c6395f46a86b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukoC.exe

Filesize
439KB

MD5
30f92635cade861e7cbef4b7bc3c34cd

SHA1
848bdb7af0b1fb0860108c6175736db5c4a1ba3d

SHA256
ec912545465cd469928b1dc03fae23c5f6f95dc10c71db9a17b8b148c53ab7eb

SHA512
97cd368cff573a42157c4caa04bd7d12ab915d64d5465fc462bc70391e36f0f4a11235e2e5b3b5e39ba857ce5fbaec97596cbe6d98276ab58395922ba5c12414

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwEa.exe

Filesize
440KB

MD5
0fc7f6888db18a82f6d2af74f283b9b4

SHA1
ad7ee05da41eea7bdf6698d2146c8a87eddf1a64

SHA256
da0393b3c548f74db959f6bf73d553c3e293da4f09dc5d145008b80aa0df5c6e

SHA512
2233cc4191223faf7e87770d8ac5b23c56c59a591f01801114203842beabcf7bcb956008d0fdb7571694aa29a4b02ad87030013cf760a72a10ed30dce80020d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsYM.exe

Filesize
878KB

MD5
726ec78007543475c3ba960756e9a4b1

SHA1
9bb7bfd34ab7f6ddb9a6ac3c9490d362a82f7e4e

SHA256
c233ac94ab6bbcf503438d773f348557dd00b0a21d99c2c578cd1f5cc50b18bf

SHA512
896399d4d72359236bad4430ccbcf517086f39072da56e1c901c7e21e5bd4ac2b6d64221628e4ceda78a5b881960d6383f80e192eb6b4cf2ee9fa6558faaec70

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUEa.exe

Filesize
66KB

MD5
562b9f0ac7a90ef7fe4c0dc2f9772215

SHA1
60f46924bb9b5280b2f74809f724543b4cf7e5c6

SHA256
25b490c0a817ed21bfef4836c1c7199911e2a1222f94f4fe7049b7b0a565be15

SHA512
21a63e9b0260df3a4add72a5b88c7168a0ca050efe9272177f0777a5417ab900c3731008482f45a0abbec2be4f37bbc1c86fbfefb936e673e40c4867c96147ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycMG.exe

Filesize
436KB

MD5
3aabac0021bce68cefa615333824cdb2

SHA1
200c2430e199da4d9cb5de9f7bd597a00351b125

SHA256
44a83736b54ef97a8be0efc3cc2336a6eccd1e4e3c255aa0e6c1f6dd79e3eefc

SHA512
cae39f858340d07053c08606ab82950917fceb04189b98554edde4d1e938d2076270454c2905e79193e504a0f1a472cbe2cf538f4421b1f6dbc185a688e00b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\yeYU.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUwS.exe

Filesize
462KB

MD5
483a1d3074c5781143797228791d38e9

SHA1
c2e3294f703fd21b36b908811db9ff20efe1e266

SHA256
6988996d2e7d0c9f61da8f6e3a90b73ab95fb32abbff3bf1552cf3f991ececac

SHA512
948c0ff23af306fa2c2e05309c04c8689e484b7db6e65d7aa703c524a50b6ada49eb77a02340cadb3ebfd2303034507ecf867068d1c6eaaaad29f25745dc2c83

Download Submit
C:\Users\Admin\AppData\Roaming\PublishWrite.docx.exe

Filesize
1KB

MD5
7957fdef814a969b619f6ed998da64a8

SHA1
ecd6cdb8d48c3f8715dedbfdc76bf4556a65bdf3

SHA256
5037859085212393426577e553264e0bd25c2c78f636dcc86a73b45ccc5e47d2

SHA512
da0162a154de8de154956db4dbd880fa5026ef2f50c30d289e85ffc6d58ec8b54e9ec903e5c52b53908c3648e548341fcec48d6396379d0ea69a44fc0df29cb1

Download Submit
C:\Users\Admin\BMgooAkw\FuMQEEgo.exe

Filesize
83KB

MD5
f9e2e97b24b68681fa72df0a362a291a

SHA1
9eada8717020472b0c9dc0b6b75ffc0c0b398e96

SHA256
9a15075f614b4e66fbb8863e98d157ac698af0914e9f6568d98f3e873cad3beb

SHA512
bcc05ca6cb3c231c90af57dbd57d4e9c27485c536bc31f102369bc8e0eba55720323b886e180bb86c7628471f8961b7e5c4cd5e8613fb21fb2400c4292b3cbdd

Download Submit
C:\Users\Admin\BMgooAkw\FuMQEEgo.exe

Filesize
1KB

MD5
da0b7e6d269ad0e7d78ff01f4a016ae8

SHA1
785e813c25770d41a988d63cbf91e491d1b1ba9c

SHA256
f4e43fe976dbf70d5f704a767efb4f433d6c63726b4c7f147e90a40c078c53b4

SHA512
0e3d0a2bcf5eca63e29f345f9f898bf818e43c91f23d626d5e01cccc680b93b9932043c447cc2b597c7dceb8bdf6eb7d547ccc414b50e532d3f45cbb62aa70ba

Download Submit
memory/212-590-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/212-581-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/332-100-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/332-114-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1436-99-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1436-8-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1912-779-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1912-756-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2108-77-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2108-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2220-433-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2220-486-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2428-616-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2428-625-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2460-22-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2460-30-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2816-608-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2816-617-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2904-654-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2904-713-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2940-147-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2940-170-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3384-41-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3384-31-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3608-186-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3608-79-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3608-91-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3608-229-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3664-65-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3664-50-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3704-589-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3704-607-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3820-803-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3892-798-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3936-626-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3936-653-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4056-529-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4056-520-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4076-87-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4076-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4076-42-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4076-104-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4128-269-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4128-311-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4208-553-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4208-541-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4288-526-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4288-540-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4336-576-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4336-563-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4408-390-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4408-340-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4440-17-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4440-131-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4472-112-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4472-12-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4552-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4552-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4688-513-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4688-469-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4928-564-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4928-550-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-126-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-113-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download