c0244afed3690a87a66c05bc6d01d332046a10967892bac2fdac7fa368fa7be1

Analysis

max time kernel
1s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f05803da10720180beb9ef2dcd399bf.exe
Size

484KB
MD5

6f05803da10720180beb9ef2dcd399bf
SHA1

71e81b8e18505c93bc357a8898bf59781d63e604
SHA256

c0244afed3690a87a66c05bc6d01d332046a10967892bac2fdac7fa368fa7be1
SHA512

cf791d76bd62f2faf506a2ef3c9e5eee99e4871fca1ec0d742a1ef9724aaab0b1974041451a9407d60cf34f8c76ddb74a0593d008978f7b4c7501c7718226d45
SSDEEP

12288:CG6AEN4DzPEo3h5SWB0nD42SZPMJtSkpr3xZfc:CzN6nY6thktSghZfc

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
4904	iAIkcoMI.exe
3288	aakcAsAY.exe
3256	ysIsEsMA.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iAIkcoMI.exe = "C:\\Users\\Admin\\ecUcUIQo\\iAIkcoMI.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aakcAsAY.exe = "C:\\ProgramData\\aaEcIkYo\\aakcAsAY.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iAIkcoMI.exe = "C:\\Users\\Admin\\ecUcUIQo\\iAIkcoMI.exe"	iAIkcoMI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aakcAsAY.exe = "C:\\ProgramData\\aaEcIkYo\\aakcAsAY.exe"	aakcAsAY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aakcAsAY.exe = "C:\\ProgramData\\aaEcIkYo\\aakcAsAY.exe"	ysIsEsMA.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ecUcUIQo	ysIsEsMA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ecUcUIQo\iAIkcoMI	ysIsEsMA.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4360	reg.exe
4064	reg.exe
1312	reg.exe
3092	reg.exe
3200	reg.exe
4724	reg.exe
3768	reg.exe
1800	reg.exe
3712	reg.exe
2892	reg.exe
1236	reg.exe
4680	reg.exe
3768	reg.exe
4136	reg.exe
5080	reg.exe
4304	reg.exe
4480	reg.exe
4456	reg.exe
2860	reg.exe
3044	reg.exe
1948	reg.exe
2332	reg.exe
4080	reg.exe
4012	reg.exe
4988	reg.exe
4340	reg.exe
4312	reg.exe
3920	reg.exe
4360	reg.exe
4328	reg.exe
1932	reg.exe
920	reg.exe
3312	reg.exe
4316	reg.exe
1656	reg.exe
1316	reg.exe
2996	reg.exe
3684	reg.exe
1248	reg.exe
5104	reg.exe
4080	reg.exe
4752	reg.exe
456	reg.exe
1596	reg.exe
2204	reg.exe
4216	reg.exe
1800	reg.exe
2428	reg.exe
2204	reg.exe
916	reg.exe
4576	reg.exe
3752	reg.exe
5028	reg.exe
1312	reg.exe
1924	reg.exe
1724	reg.exe
3852	reg.exe
1272	reg.exe
764	reg.exe
1932	reg.exe
3356	reg.exe
4028	reg.exe
4188	reg.exe
1644	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2344	cmd.exe
2344	cmd.exe
2344	cmd.exe
2344	cmd.exe
1868	6f05803da10720180beb9ef2dcd399bf.exe
1868	6f05803da10720180beb9ef2dcd399bf.exe
1868	6f05803da10720180beb9ef2dcd399bf.exe
1868	6f05803da10720180beb9ef2dcd399bf.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 4904	2344	cmd.exe	1137
PID 2344 wrote to memory of 4904	2344	cmd.exe	1137
PID 2344 wrote to memory of 4904	2344	cmd.exe	1137
PID 2344 wrote to memory of 3288	2344	cmd.exe	1136
PID 2344 wrote to memory of 3288	2344	cmd.exe	1136
PID 2344 wrote to memory of 3288	2344	cmd.exe	1136
PID 2344 wrote to memory of 4948	2344	cmd.exe	1135
PID 2344 wrote to memory of 4948	2344	cmd.exe	1135
PID 2344 wrote to memory of 4948	2344	cmd.exe	1135
PID 4948 wrote to memory of 1868	4948	cmd.exe	1134
PID 4948 wrote to memory of 1868	4948	cmd.exe	1134
PID 4948 wrote to memory of 1868	4948	cmd.exe	1134
PID 2344 wrote to memory of 3752	2344	cmd.exe	1133
PID 2344 wrote to memory of 3752	2344	cmd.exe	1133
PID 2344 wrote to memory of 3752	2344	cmd.exe	1133
PID 2344 wrote to memory of 4512	2344	cmd.exe	1132
PID 2344 wrote to memory of 4512	2344	cmd.exe	1132
PID 2344 wrote to memory of 4512	2344	cmd.exe	1132
PID 2344 wrote to memory of 5080	2344	cmd.exe	1131
PID 2344 wrote to memory of 5080	2344	cmd.exe	1131
PID 2344 wrote to memory of 5080	2344	cmd.exe	1131
PID 1868 wrote to memory of 3720	1868	6f05803da10720180beb9ef2dcd399bf.exe	666
PID 1868 wrote to memory of 3720	1868	6f05803da10720180beb9ef2dcd399bf.exe	666
PID 1868 wrote to memory of 3720	1868	6f05803da10720180beb9ef2dcd399bf.exe	666
PID 3720 wrote to memory of 4752	3720	reg.exe	885
PID 3720 wrote to memory of 4752	3720	reg.exe	885
PID 3720 wrote to memory of 4752	3720	reg.exe	885
PID 1868 wrote to memory of 1248	1868	6f05803da10720180beb9ef2dcd399bf.exe	1129
PID 1868 wrote to memory of 1248	1868	6f05803da10720180beb9ef2dcd399bf.exe	1129
PID 1868 wrote to memory of 1248	1868	6f05803da10720180beb9ef2dcd399bf.exe	1129
PID 1868 wrote to memory of 920	1868	6f05803da10720180beb9ef2dcd399bf.exe	1128
PID 1868 wrote to memory of 920	1868	6f05803da10720180beb9ef2dcd399bf.exe	1128
PID 1868 wrote to memory of 920	1868	6f05803da10720180beb9ef2dcd399bf.exe	1128
PID 1868 wrote to memory of 4576	1868	6f05803da10720180beb9ef2dcd399bf.exe	1127
PID 1868 wrote to memory of 4576	1868	6f05803da10720180beb9ef2dcd399bf.exe	1127
PID 1868 wrote to memory of 4576	1868	6f05803da10720180beb9ef2dcd399bf.exe	1127
PID 1868 wrote to memory of 1460	1868	6f05803da10720180beb9ef2dcd399bf.exe	1125
PID 1868 wrote to memory of 1460	1868	6f05803da10720180beb9ef2dcd399bf.exe	1125
PID 1868 wrote to memory of 1460	1868	6f05803da10720180beb9ef2dcd399bf.exe	1125
PID 1460 wrote to memory of 1948	1460	cmd.exe	1025
PID 1460 wrote to memory of 1948	1460	cmd.exe	1025
PID 1460 wrote to memory of 1948	1460	cmd.exe	1025

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
"C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe"
1⤵
PID:2344
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:3684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
    3⤵
    PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
      C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
      4⤵
      PID:3680
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1796
      - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
        
        C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
        6⤵
        
        PID:380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqQYAUgA.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
        5⤵
        
        PID:4788
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkAsUAoY.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
        6⤵
        
        PID:3104
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2476
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2892
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1128
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
        5⤵
        
        PID:1924
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqcksMgg.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4124
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQEUkUIk.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
      4⤵
      PID:5104
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
      C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
      4⤵
      PID:1240

C:\ProgramData\LsQgMwYk\ysIsEsMA.exe
C:\ProgramData\LsQgMwYk\ysIsEsMA.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:3720
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:4752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1948
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:2680
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:1800

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:1408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKwQwAYY.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:3356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSIAYsQE.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:856
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
    3⤵
    PID:448
  - - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
      C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
      4⤵
      PID:916
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4932
      - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
        
        C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
        6⤵
        
        PID:3296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIAQgkIc.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3592
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:556
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
    3⤵
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
      C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
      4⤵
      PID:2348
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
        5⤵
        
        PID:1984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoQEQwMw.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
        5⤵
        
        PID:3304
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1708
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:4188
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:1772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaUIkEcc.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:4504
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2732
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:1932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWkIwMcM.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:4932

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:5048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmgcUEgE.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:2308
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
    C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
    3⤵
    PID:4108
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3920
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:916
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSkIgUcE.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:3356
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2064
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4988
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
      4⤵
      PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:4444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3600
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:1160

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:5036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWYMQAYA.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:856
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4028
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4504
- - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
    C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
    3⤵
    PID:4260
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:456

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2640
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:3120
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:4012
- - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
    C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
    3⤵
    PID:3684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWwwcAcs.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
      4⤵
      PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
      C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
      4⤵
      PID:212
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1248

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:4136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwcYoQMM.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:4360
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4012
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4156
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:4932
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3460
  - - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
      C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
      4⤵
      PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKQYwIcU.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:920
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
    3⤵
    PID:3488
- - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
    C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
    3⤵
    PID:3560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meMgIEcU.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4060
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4724
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
      4⤵
      PID:2996
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:3712
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4972
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:3548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
        5⤵
        
        PID:2308
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\peQoIYkY.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
    3⤵
    PID:1924
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:5020
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
      C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
      4⤵
      PID:856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acAccccQ.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
        5⤵
        
        PID:1152
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:1800
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1880
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
        5⤵
        
        PID:4480
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:1084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4540
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
    3⤵
    PID:4148
  - - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
      C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
      4⤵
      PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:4872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:3992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:4360
- - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
    C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
    3⤵
    PID:3676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:4260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:1436
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
    C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
    3⤵
    PID:1208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyIgMMAc.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
      4⤵
      PID:2592
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zesgcIEc.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
        6⤵
        
        PID:4900
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4200
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4268
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:5020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
        6⤵
        
        PID:3460
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:5028
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1720
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAUcUkUo.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
        5⤵
        
        PID:3752
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:3548
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:1596
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:1924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
        5⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSwcoUMs.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
        6⤵
        
        PID:3040
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:5080
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4512
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4948
      - C:\ProgramData\aaEcIkYo\aakcAsAY.exe
        
        "C:\ProgramData\aaEcIkYo\aakcAsAY.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3288
      - C:\Users\Admin\ecUcUIQo\iAIkcoMI.exe
        
        "C:\Users\Admin\ecUcUIQo\iAIkcoMI.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4904
    - - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
        
        C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
        5⤵
        
        PID:3312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
      4⤵
      PID:1736

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:3676
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:4480
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAUAgocM.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:5104
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
    3⤵
    PID:1748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkEAEsEg.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
      4⤵
      PID:4148
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3488
    - - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
        
        C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
        5⤵
        
        PID:3232
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
      4⤵
      PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEsEwoYk.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:1644
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
    3⤵
    PID:5104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwIwgAcc.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
      4⤵
      PID:4456
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:4304
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4976
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
      4⤵
      PID:5044

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
    C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
    3⤵
    PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
      C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
      4⤵
      PID:4512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suwoMcQU.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
        5⤵
        
        PID:856
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:2860
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:456
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
        5⤵
        
        PID:5004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiwQEwUw.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:3680
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2264
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1312
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:3988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2504
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4324

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2296
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:3312

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:64
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEQEEwcA.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:2236
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3720
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:1796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:1720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqMokkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:4060
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMkoIAQU.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQcEwEYQ.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
      4⤵
      PID:1796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgQMkksM.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
        5⤵
        
        PID:1932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuosAYoI.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
        6⤵
        
        PID:1928
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2496
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2428
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
        6⤵
        
        PID:3768
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:4872
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2340
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:4328
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3228
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2332
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3852
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
    3⤵
    PID:2504
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4456
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQoAsUIk.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1724
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
    3⤵
    PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3488
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:1508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:4868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmgscoEY.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
    C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
    3⤵
    PID:4360
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4312
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWAYwEYA.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
    3⤵
    PID:3676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EoEgIskk.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3312
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4140
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:456
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
      4⤵
      PID:1796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VesIwkMM.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
      4⤵
      PID:3308
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3044
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:5104
    - - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
        
        C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
        5⤵
        
        PID:4316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
      4⤵
      PID:4988
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
    3⤵
    PID:456
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:1176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
    C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
    3⤵
    PID:2508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKUgYQoc.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
      4⤵
      PID:4576
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCMQMAMs.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
        5⤵
        
        PID:3488
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2980
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
        5⤵
        
        PID:1796
      - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
        
        C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
        6⤵
        
        PID:3088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uawgIcUI.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
        5⤵
        
        PID:1268
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:4484
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4852
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:3248
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
        5⤵
        
        PID:5004
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
      4⤵
      PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYYksYYY.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
        5⤵
        
        PID:4040
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:5020
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:4340
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:4312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
        5⤵
        
        PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOcgUcIw.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIkYIEAo.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:3228
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2344
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JscwoYoY.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
    3⤵
    PID:212
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sagscsoU.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
      4⤵
      PID:2504
    - - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
        
        C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
        5⤵
        
        PID:4500
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
      4⤵
      PID:5004
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
    3⤵
    PID:1916
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOYYIwoU.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:4140
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4664
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3752
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMYIcQsU.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwEEUscU.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSksUQMg.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4080
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
    3⤵
    PID:3200
- - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
    C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
    3⤵
    PID:1992
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1612
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4680
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOUooAcM.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1268
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:4960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsgcoQcY.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:1312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKwYIwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4188
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMoQoEgc.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSYIMAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYQEgMEE.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:2236
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2996
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
    C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
    3⤵
    PID:4452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:3120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seUwIYMo.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:4124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1724
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMMIsMIY.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwgcYQQM.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:3540
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4624
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4064
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FikAUQkI.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:4452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQIQkcwM.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:1800
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4676
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4752
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeUIEcAs.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
    C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
    3⤵
    PID:688
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4260
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4028
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
    3⤵
    PID:2308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGYgkosw.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3548
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryoMYUIE.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIkIkkMI.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gswMgsYw.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COgYIEgk.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4080
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:4452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcIMUwAM.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4480
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4360
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2672
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuQsEMwk.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:1300
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:688
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5068
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4872
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2004
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3684
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1932
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:3548

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWYEMUwk.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:4696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIIIMUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osQsAMEw.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zocAIIgU.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:2404
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3248
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2204
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:3600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOUQksoU.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:4464
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3484
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4432
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:3920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsYAMgks.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyYcEcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsYcwswQ.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:4076
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQksoYIw.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:1536
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4348
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3504
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:4076

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:4432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:716
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3476

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2332
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5044
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3244
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:4188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUMgsQIw.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:3588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQwwsEEE.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQAsQYYI.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYswQYYg.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
  2⤵
  PID:4216
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4724
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
    C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
    3⤵
    PID:5056
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
  2⤵
  PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4216
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYQsUYIo.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:3556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:3456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoMsgMcY.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
  C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
  2⤵
  PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
PID:2064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSkQEwcU.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoQoQYAk.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOkkAscE.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf"
1⤵
PID:5084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOAsgIsI.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKwgUQIE.bat" "C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe""
1⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1248

C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf.exe
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LsQgMwYk\ysIsEsMA.exe

Filesize
382KB

MD5
cf3bfb9653036341bbe5a76294877eea

SHA1
1bd6a9b94ee2ac1098e19fb1bcd0f18bf2cd3712

SHA256
8419505e899e6760c800dfb488732bad5ec05e62798dc0f64b9f485905d0b7e1

SHA512
55ff11c4c90deaa3babb0e865b40aeb6a0f234b1169bf1e8e74bd7005b07a09951700e41292c286a6d3c6250a75df0bc9fbdade6d1883798fc2ec7836e1dacea

Download Submit
C:\ProgramData\LsQgMwYk\ysIsEsMA.exe

Filesize
92KB

MD5
2d2fa989d746f6ed72f5ce1d8092af76

SHA1
e190f77ce1f46c4f89e4011e85eaec73138fd20f

SHA256
f4b696b5322e5ccca0d7b3240d2b6adeb9d5ed9e02e7f0d8a894e3b417c5f556

SHA512
c827a7d8b3a7734b07083fe986a865bde2aeaea3fcfaa72d7b892d5b9e880b6520470f5b797dc572f12513709321d3b1ebf1889a41625ba9dd09ba2bbbb71c4e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
476KB

MD5
eb269da08121118e229f286220395ee9

SHA1
369979a79d10576746694887eb3f256a5876163c

SHA256
1feb27cd6738b5e93196b5b607274c4cb7931bd513de62296fcff61451f18116

SHA512
60d978ba3c00cf30755ae1603d66d3f57fe082de317b92fc8ede6450491f3c7c7bafdfcf871c63129156821caa4a2571c7842b663d9e6a2032b3ad15bd9c9768

Download Submit
C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\windowsdesktop-runtime-8.0.0-win-x64.exe

Filesize
1.0MB

MD5
b2654aa1d0a3a9fb6474c466168f8294

SHA1
40f561926bc5b0c8cd762cc5d5bfc20ffd006be2

SHA256
aafcf55ee1a9a040e2127bc8f4ddc985becff8db3bd64da7b42674da40e10362

SHA512
536a2810cd4738a2ee0a16094a07c38c21f0f296fb2a01077d6628a62426230513ca268be7baa42947e45be447d6c02c467944331248efa04de5c14fff33aba6

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
879KB

MD5
a26386826dc207efb90dbe767e97d906

SHA1
55261e0105010b4ac2c78118a0c86130db9eb085

SHA256
39bde017b9a560f6fd7450435d57451f79b978552eb62380f56dbdb98f29d626

SHA512
cb6d81127866d625b74c9501a3b64e85904a6e70731c23be3a5876600984d59d90a48aa68a23a18068f52a02947a08fecf809fff9ce5c83801f5549b0f4ffc86

Download Submit
C:\ProgramData\aaEcIkYo\aakcAsAY.exe

Filesize
430KB

MD5
b3c25e8e9970a12a972efb2aa4f41ff6

SHA1
96fc2b339049debf3fd18fea431654629a20781d

SHA256
e8d0359c7eed18a9fb93f0bbd13d32016fea64705831f21dd27d8ca4405e860a

SHA512
995c94b11832306495f2c2af4c8370f43a5993020cb4fcdd7919493bee887cf8959b642cd3f40833cd25cc78f7a32554d8fc26cd855a294fdd7a2e2c0199ecda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

Filesize
433KB

MD5
dc9384f3a848655cf9b9c3182620b4f6

SHA1
9ca39182cf7462cbd8773b7e573a1c0fd74c1431

SHA256
db9a4e439eaba9233acb8059d10cdc7641ab89e451a80b08c595d4cac6ebde78

SHA512
e7895e3a0bb2766250bd3a6a2a14046483527f171d7c0d46a59dbefde2db46ef1c41394a38ebc6dddce10563f393d8e038a28b54f53a6a36c8feada36b6b90b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

Filesize
434KB

MD5
e2b63b84ce385426db7a78db7040a562

SHA1
ccfb869b927b2c33e3ea9157d579699c64dd9be5

SHA256
52b59a117e1fa8b7c80a9b82a50254a25de3e2579e0bafdee76d32f2994fee71

SHA512
89631eb79d53276ba83e02dad52336278b336281dd11ad1234f7efd95aa41d473a82a7167b638e4a9a36affd8633b4a456dfe4fa6ce9adebcd1a9f08a4dbd1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f05803da10720180beb9ef2dcd399bf

Filesize
48KB

MD5
5bbeef2274e18d8837659aff869d8f05

SHA1
203f71f7353bca2b6f6802acfe7c7f39c1be4a48

SHA256
f120cb4f7f7539412edf4e4c4fca3b5666e2dfb3196e8460584fd6c9a073265b

SHA512
72212cfdfd61b802f3dc0854223d975260392dd4e78b8bbe0ca8783ee6bc8c71bf35e45e971443cb86f7a361c485bcdc8c464c83d64e31253b1c56d34ccfab9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AqwE.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUIo.exe

Filesize
556KB

MD5
38feb50e6f427c678f59d1abba1f56de

SHA1
f25cb0dc331f3a11fbc75543b7d920a3dc7cb9b2

SHA256
c7cb8590d383d9abec6067a90d362349916a369436cca519d9f9712ca4652a12

SHA512
769ca66ac9b1cef57deb0c5012ab3075a95c80953e8231ab2fb7af99dcb4300fc4e143f4045947e42691066324d61e49a28a9ffc02f8cc5b4c3ace29e9ee1c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsYM.exe

Filesize
1.0MB

MD5
366b393e6304a6d5796ff75e15c44cc3

SHA1
5d0f5d8de6950ab07eccb1dbf0683f2759566245

SHA256
c79636d191cc83904fc0a8e3eb3183d7e5ca6bfecf3d9107ce74b0ae4d19a317

SHA512
1967b6970e6c947f78f36f2ce9a9036238560dc8e65ffd9f10c0d438e1630f93d58268ffeff40f6dac2928e5a8f96e65b488bb91d2da81e7f6afb4998779f1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQII.exe

Filesize
445KB

MD5
1702048ad79e84522f13ec08fd3856e8

SHA1
ed926f2e54693ef09b7cce88edfb82b595e19579

SHA256
224d84fe3aef7aac66cf0c648c5f992b333c9833befaa4b5b7f642b8bd7acbb5

SHA512
a0a4460c0096895e46141ba70df0eb584857d2518c4b472e0f4c5ae11af570ae95d86f1d3d6c2ad8ae9e837e0c5db77209c1d9f757339289172eec1cbcea99e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIYe.exe

Filesize
435KB

MD5
b657f738d89045fa82c757a3a21c0311

SHA1
b3ed99181086c77163921f7973270d0d5d32b6ee

SHA256
bdf2704b840e99d6cece8cacdd51b73638bffc5cb18e0e99e7cb287fa81c3936

SHA512
9797bdb5f887134a48228fdb6eadbe43f1ed737480a1c814a6bcee58d0dd22508727c07a7d0100ac4967c23f0ad97c7d6373ab79bfba6c1001ce780c145a69bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iskg.exe

Filesize
439KB

MD5
be843418898bd691afc2c17f28cac4c1

SHA1
c9590d2de6c29ac4282da7ecf0b3c0ead5e42b7f

SHA256
d82808375d744146f6e5fda6e84b7ad901868c940a247bc4737f81b1218b8938

SHA512
4778fb607438494bc0cc5bab07550fd675e693d3e85b21b96a8f10507ed44ab80936a90176de01b67eb9aa4bd8da609a1cd8566520b6bd2fcf51594f30ccf782

Download Submit
C:\Users\Admin\AppData\Local\Temp\Isog.exe

Filesize
434KB

MD5
50424942e9a8658f110397463ea96fe7

SHA1
c59b1759d7b4f9f38766392b66b7c6cad4db1553

SHA256
87872bb2ecc17edfaad73c5f0c232b6bc81a32a6cb06874dd42b1cc85e543add

SHA512
969aa3dbafacaed61f91d26cea83d6214b217b0730f0f8d88ba3d0e201ac5a0657d636f8e8efd37812bac0ed11a728e7f735c90b5b2f92f8b3fd15629f0a4707

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUka.exe

Filesize
687KB

MD5
e1bc1df0c97d8fca72e18d7d81b1e001

SHA1
2cd725bb147e00e8cfde0b30dc3beb55582f5bf1

SHA256
7066ba25b2bf2a0662a0d2831df30fcfc9094239e70966daca84e5898af04a55

SHA512
83e36643c4335d27d63e25e5d5fb81441d95ef15ffbd66a79ff09ba43da56a7ff888e9dc1960ecb5a6c3dc8055db8984a99cc352871dd3f7fde442d5c30b0281

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEkC.exe

Filesize
441KB

MD5
51fb4b7e61cdf8e5c34807fc7ac7d0e2

SHA1
0d8b16d5f33be61bac8325e4582461500e4b55d4

SHA256
f9d93629d604f912d097720ff629cdcdbf38056c229f8acf3d7b884ee96f4147

SHA512
42e6d6d132aa5b91d43c9c48c92ff1d2351fca98ca0b52849b6bd689c7d7ce06bfe1e55ecd0e5496ae6c8aec2df9d8a6a1a1d4c36d72d9fd81cffe5faced1ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUgk.exe

Filesize
558KB

MD5
dc79cfe07b9234108526a4a2930f8800

SHA1
5b9b05e28e14d42ef433b950555369285459587b

SHA256
e84cda8bd7df3fecd2d54f2e61422e0460e8812315186860bdadf9a0bcaa6434

SHA512
1f3283c282c8d017af96d6e7aea60449dd35a081294fcb328386bfa40b0a481a182547102739960866947c9c5c3279de01ff0cb2749e03c1a5ee0a0385734dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEMA.exe

Filesize
804KB

MD5
30fa98ffb7612e99e9f1bd156d2aad1b

SHA1
b5eb0eff4b64ba2c007a20a77b0b35098a628ac0

SHA256
0f738c6825bdbfe0e4b4b97cd4b07a394005a548062978ab24e2c70b81078d46

SHA512
6175a3d7545f3dcdf75d1b9e0419bee27a97084dc569bf357d2550a88c1b5a4aee5ba7d59fdd1e901fdd46795e3dbe3714e976c77502cf44716ef6346d451617

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYks.exe

Filesize
441KB

MD5
8d0ac1ed95a7be600587e81cc18d9756

SHA1
a928e3e5210cecd4a7ff2c8c6412cf04f70333a8

SHA256
7df89b0ee6a9bae8c7ca4a417e933f4b3e62eba1bc689b50a5e0a7af3906ccc3

SHA512
77f659658caaf637efb13d419472cdfd91368e830b5dca506b16ff8a9769843c320be5f4e46d17f34500e540961b3a7d5e382b4132464493f8f9027809990ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIgk.exe

Filesize
469KB

MD5
b8583fbc1cfd0a2b8d1b4c76eabbc8f8

SHA1
e1ea0306048c83391f72b3ef9b39c1cbcb2e58d7

SHA256
cb72971f7c004cdbf163913a6550af8607a07672ab7d5ad7dbf860f11d9b01a9

SHA512
ccafd83ed6b028ad6ec38c977342ffd33cab5c5f422ae79e38a71124d78f68651bee57a867c9ae4a80a41ba40e166e5999b9e3941a30317f26d80dcdc579a6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQcM.exe

Filesize
439KB

MD5
4e05301a3b29eb18b26b55d6f6c3b014

SHA1
194c8bee4301a11a174c1aeaa5a72a311785eb97

SHA256
8563039db88bc639b9e9871012394f172d7a6f2e18942b85805d64c75aa94dca

SHA512
722667b41f63f9a208d1a45705a28f277c09235abcd4d56b66ad670530bba640d28836eea3087f658eceb6b4e2167b5e67409854bd249525829c4e2b98377214

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQUy.exe

Filesize
671KB

MD5
eeea9ad13012c58b4affad0524adee24

SHA1
3fe999f47b501326ae3c5ede055146ef88656ed6

SHA256
7fff21bfa7eec0e6b54735b33f8572eb0fa7b5886aee594c41bf0fbc94aa355e

SHA512
16793dc43f958151c9350e03dd6cf1a5e22c1cb0f19c6b33af345e98e7cf501caec76b9b07cdfdcc0c931e579e7a5253809da7b953975ab1c24f6a6a6ff93b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUkw.exe

Filesize
435KB

MD5
c1fc9b053ece953be73c43a66746b6bc

SHA1
22d0cde2e03b88720c85014f0ff7239c41f0725a

SHA256
baae2c1794295e51ca127ab50715d66d4f3e406e925cd401dd245d37f317382d

SHA512
addb4e098f8776b5dc0a529f05de81c6793666ad16e924c95140665ef78e62f7925d4d95273baccfee8a7524189b549f0bf9b2f9e6d441dd0bc0a44de6e4a761

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQAsQYYI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAsw.exe

Filesize
438KB

MD5
eb2c35222a7e0ed5fc49c898dd5353e2

SHA1
0beca4a78d52819d03f4542681c25a52228a63b0

SHA256
9cd470ec621907cbca069cccc639859b1a3ac5f0fa716155e44abcd8018bf7a5

SHA512
d010da2b16d0a9bcd70fb5a478dc287c974c703d1cced21387e3ab8b77b16b2da146eaf0a8cd8f8fa8721f0220d821b1289c1855151981673fe4d0cab15e635c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEYy.exe

Filesize
1.0MB

MD5
90781b45c55c377895c13054fcdfd202

SHA1
aa1ecbabfe2ec488987b9e1bb46b2d0d7c3689af

SHA256
e3e52d6dac39dd32cbfc11066b03bc5c7c647e86355aeb68378213c027293954

SHA512
24055bd9285d41071e67774ae8544862318bc536b767438c32a21554d9a749f6e79a11ac940a8506d4f47d2a043b7d7695f281e04b2fe51e315ec3e65957741e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIcO.exe

Filesize
435KB

MD5
bd67987e43005da7307850154d5c8510

SHA1
1ad776c54d65bb783dd7799515d8e87373416b46

SHA256
1bf07e3a7a8871d365b7cd3db45fe092dbc636a0f07af6e153b426d90ad0bbf0

SHA512
a81f9f691384f7c582faa436850889bf8301cb291752b6258380c956f4dd3d0990d34838eb45182ed545c625c2dc89e6b5afbd1221667c26ca9e13af8b492fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwUA.exe

Filesize
442KB

MD5
d8188a95606bb403c9c2cf6fe0a48480

SHA1
4a5382f628fc04851a4a885dda52988e7332a281

SHA256
1c727ff8370ad25cb695e7e3ae19175c77346f7f28684d8ef4931e6620b0b883

SHA512
e36ed06d7ad01c409a53392bfb6421e4b73a443f89e26203b12493239efb9633a3ab71ac44ffea73ad7347ca3b252091bc185e7479104a61d103a7ea6d5bc242

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywoc.exe

Filesize
442KB

MD5
ae190405fbb14c0e5229d7949a6e0e52

SHA1
36fc8f044f2e52efcc66b15127a73a7a8141976c

SHA256
b77ebd9dd2668a2a5804b8a5c4ef8122dbc013c06ab1fd9009af717e77d500de

SHA512
308a74f65bca074c4734bf41716127101734947a865964cfdfac15eb31540b430623ac9653cb4adba33566d22465a7b2133548c1e8dce24d5377c404b7a54d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\agEu.exe

Filesize
1.0MB

MD5
45596db8533ecdca79fe2459826adf57

SHA1
0922f6461ee382c7c41db6178f9ebfc71094e561

SHA256
10aae698632b477f501d9b5adb3deeeac4bb034ccceeb0e768e3e47324c31545

SHA512
f62ecfbcb907a5e53d371b04061ed75a430539b56cb66c276a9f1b3e082e7025ea9e63faa85cd441c5b8d89a569c9b18ea7b49dca13299288ade5b4ead2af1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\asMY.exe

Filesize
459KB

MD5
2a4e593c91f6147faab02b8b47e3a3eb

SHA1
99651c1718181f208ae49e4c1d215311cc012560

SHA256
3f38468c19782e0d4d379133bd9c82c10cb7099133f90829d3d941f49d23abc4

SHA512
76b133fbc3df38318e1c216634024049cfe1386e452f502c3c2ad056334547f51693a5bdf4239f7ed9319732ccd7c42b81204c3db5b49a38bb49f66fde6c67f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMMS.exe

Filesize
438KB

MD5
eee129ef2f30878b514ad465f99fc94d

SHA1
cca6121db06b6c37f7f70468af52972180376a45

SHA256
95d26b40dc28c569a7e1e1eb6d1090e6be23b1874c7d1d6be4e4f8744b857926

SHA512
75e2d48c9c128fe33a59e150f4859890723157f6c8c14d49d9b526774d96bc3c122279bdace139585edf6fb6aa2168f2bf5bd2264fb9b67932bccc2c587b08a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccEA.exe

Filesize
463KB

MD5
384d519017e806404389b9603102856d

SHA1
ee5139dbead7ea3114b1469c89dd7029a5758a33

SHA256
648c93f69cfb5d61dc643a7bccd1bd8146779f7181166d2868666905b5e5fc1d

SHA512
5ddc0e1f726f42e9e2be4449034dd9c68de0bf3ea9d47d373d184f71e524143197137c10bc8aaa9704d36c84f1615cf4cfbaad859d7c939ac781176598fa4966

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEEq.exe

Filesize
436KB

MD5
e84a5fe51e8b163e94b5193418cb0ccb

SHA1
d8defac8f7ed0ce40d2b5d99525cd736c6cd9339

SHA256
aa88da35c7c3950d5ab0d1598b3a1e218c7771e798e3a164e08dfe682fadb511

SHA512
12e58357435032f88f5ed571909c1db2ac0a8c31f0e559d0d424e362f2bd50982b0144fdda3b7ebdf39d27693e8095b3b2aefd5adb290574fef8263473c416f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIUA.exe

Filesize
439KB

MD5
27e898717364d0a5d83601911fffebd5

SHA1
4bef8f7854adfe4a518e32ef933be9d990fbbfe4

SHA256
03b46e044b72a292fbd94dd9362076d2632ad2f1a7961a71c771508baa1f51c9

SHA512
af5953bd5a65d9848c9fab83586f176d59ffad2389047a095d4a341f50277f3c30cb08892ffc7e32a5cd0ab1ba33c6df289bc16a2fd14c3fd084f7139874a4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQQS.exe

Filesize
436KB

MD5
bd21f614331cb498f5b5ab508f29c319

SHA1
e379e223ba3f2302dd0d351a21cce4410f51c8a5

SHA256
0c6da54f750bf0031f24487883d5d493ff6a08a740ab600d32a2fc2acdbdc9ae

SHA512
5baf41e78c7eca094e90c9a4ed650401119d2f30f9c608df08d8231621174a8a99d025d4a33d833933c9a19f1e20e062251d6d3b1c55bf58c06fe80afcc7d6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsUw.exe

Filesize
441KB

MD5
2134a710f0de2788aaa60b40ae328c5c

SHA1
8f78550211887aa2de6dcf0c3dde89753729c49c

SHA256
1943a2f019b7a68d4d57b7aae3aabdd282c9ecd47d454f695353f2f30d0d66ed

SHA512
e87892d0a288b4b2e4808b7b7be86ece72fd1ba1a3cc894280adebf77371e430f25e9f3ef76a8a3955a28469067f2a19bef3a2627365bcf0c95b6186713c4be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\icAY.exe

Filesize
5.5MB

MD5
1b368bcbcfa46e4cd217cfca508c40d9

SHA1
d4d870f138f7d8b11da47454f73663d7f0f3d239

SHA256
dcd611b7f437ad3801a50902f0a03e4942e9dce60439f8f23f3377042261e504

SHA512
69959026ad2d5b0bd056a3404baa61359ddf62bbcc5c5b93738b1689d730b84e03bb3025caebd1366eda5af800aa554faf51e1023039b22554995533f5f50af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\igMc.exe

Filesize
443KB

MD5
4d8e41581ac2fd6827e322d09376a0e3

SHA1
2d8bc81f54a2351ef9925b57f94d5e35122a8456

SHA256
ba2c335c803fba7e9733e56ab98e675447015284b8a228e738e750654ee5305c

SHA512
ce35b470774e87baec45f92a0c7d4c343ba89bd08745d8d687e347efc4f478b6db692144630eba6070f8f38cc523c215250c2339b9c4b6e23bc3adb8f388a885

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAcg.exe

Filesize
435KB

MD5
73b8c071fd3a8a4de600d4e0a1579d21

SHA1
f26d242344d5168722d496f73085ecbfb53c35bc

SHA256
f20d35e48fc6170229e55b8d686b5d7feccc5ecad9aec79feab63d1622bc40f8

SHA512
be9098cb64ca226105e6426debfe8c43c11d87feeb2444df1471a3dadd9510cd313c75b249c331ef55455e75980b1e4d236200d84baa91e6891fa2d8590f5d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEUI.exe

Filesize
435KB

MD5
e7fe4a084640caa5815be42981bce53f

SHA1
47034e8b1c1456b2d6d140683f3585c74e79519d

SHA256
23969b27e487d75e4a33cdcfd616f721e734141d52b26604197dfac0c61d0db9

SHA512
973404ac373c573a516044fa025d34816370510efbb1b9c2764b956a68a08a357a95aea433cc59cf0cbae2993395ff9e5a9f51846d28a737446d4bf3a5185929

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUIA.exe

Filesize
438KB

MD5
5ee44bc3b895285709226f1a41fc372a

SHA1
c982598f21db2736253f5e95f8a10404700c6d3a

SHA256
dbb9ebbc5054092de19de77abdf8d7d4b2bd71af0f9386d61257ad0406fac07f

SHA512
82ae86d80905f36d7176aba73ff4d949ec4415f645dd6fde3dacdf09de25c92ee70128e0dcf8718d01c7395f700a89b17b989318cc52d75acb60603207f0fa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\oocA.exe

Filesize
443KB

MD5
93034c7bce5237b828d430fa27daceb0

SHA1
e599eeba65bda44a15660a65ba45e56cd6c82a9d

SHA256
eb655353acff233be61730ddffd7b11a41d795940d03da779b9d7def906e7fdc

SHA512
fb3ca825585bb4b4a65c7eadc8d756aac65b4bf3a95d6ff6631dc947cea6f293b08ef11e0b8005f3a6c818f6f45ccf39acfaf571a67d0420709941beed7a987d

Download Submit
C:\Users\Admin\AppData\Local\Temp\soYi.exe

Filesize
888KB

MD5
63ba982484a14afd207287222182ad7c

SHA1
91ccef7bcf6bda80a89f117e252ac41d91dbb67f

SHA256
aaf2e663422ef3924c3a41858ffdc9b68a04c534e15c67b4633f5c748603c3ec

SHA512
1ab97f39b2a3faf8a225d727e677a7db2bd422a749662188eae8c1264fdb6f8720dc80f25acbb9ea9897db44c906719820ab926a993be0e14064aef41ca09571

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYsu.exe

Filesize
1022KB

MD5
1730ce66d71ac1682affb89411dacb3c

SHA1
1f3e3332c6c3431db98f0b09ac08576284ae7615

SHA256
71ed16bb060761c6b25212aa38e2e44445abdcf2182f7d9530e82ec77cf6b61a

SHA512
e993a4965990db6c98372d11ff320e4e2cd2035a036c0b3c6f3c67e882b8efc063ac6348a96567243308d85e70d178e0818d549d791be57b5c31e4759c65a60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugQA.exe

Filesize
439KB

MD5
d603307980849bc406ad73b43158d7cb

SHA1
a6500d40e42bd05f4c6a6728247094a68308bc34

SHA256
e92d3cabece49bfcc5ef9b125597a378ebe6d0081121fdd74523968c4bd50d82

SHA512
461ffb80b59ec42099b851e0b4a11d0c2d721fea6d620f768ed9e654d22ef6d3e728802c01874909b7f1e6ec5bf598e8b37a0d7214a2f2b018a5638d21ba3b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQoc.exe

Filesize
456KB

MD5
7be5f3f0239ea4b8d33d256a4549fad8

SHA1
8576a2645c1f162a8206be1c4587db50359f964c

SHA256
b71cb6817e87d92b54c6a8a19a50d4b200a2f9c7aced5f1be6762bbd39fd361b

SHA512
7ded890a12b22cc83300f6ef23d600579da3cf22b910ce852e62e03c1707d82d6e87da5830ae2c153d5743bb28cd549769db0961a9d532b5c7f8da997d23a888

Download Submit
C:\Users\Admin\AppData\Local\Temp\woEQ.exe

Filesize
889KB

MD5
6264c789551d10f1d5e38dbd1550d775

SHA1
b87eb47b600dd0950190085243fc98a48d4c690e

SHA256
f04967bacc9b39e11ae10f7273afb3effc351d07f9674681144e8a0dfc839273

SHA512
f467cd4098d0b108ba5c90654fb4306205c4697b726fbc3924a68bb89fc84bf06141eec56c4d0e1a7554656e3225304e4e2fb17f0a883e9c006d264e4e363875

Download Submit
C:\Users\Admin\ecUcUIQo\iAIkcoMI.exe

Filesize
433KB

MD5
7cbe113f6acadcecead4bf83a06d9b3e

SHA1
f3fa445aebfd303f8ce9a9911cf99bbe27b11d31

SHA256
edc60ee9921e97ff1278de2ba4ab473d5ee5a80d598e3aedfcc280e1d581fce4

SHA512
0126a9365ad7e81f2f0d0a59b3e36e2655c3150fbe6c8cfc1d6c8c321a99261a70d26d309465f5f4b8d36e528d8cc797ed08e423f75cf91beac1cb4805227827

Download Submit
memory/448-245-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/448-229-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/916-127-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/916-143-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1272-308-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1272-321-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1408-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1408-79-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1428-166-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1428-179-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1540-39-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1540-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1772-221-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1772-200-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1800-57-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1800-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1868-31-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1868-21-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2004-281-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2004-294-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2064-155-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2064-139-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2332-285-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2332-312-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2332-326-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2332-272-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2332-299-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2344-205-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2344-99-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2344-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2348-191-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2348-175-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2996-263-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2996-276-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3256-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3256-126-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3288-117-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3288-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3456-206-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3456-187-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4032-115-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4032-103-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4108-167-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4108-152-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4260-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4260-91-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4340-217-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4340-233-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4380-267-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4380-253-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4408-257-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4408-241-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4752-27-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4752-43-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4904-116-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4904-13-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5036-330-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5036-317-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5048-291-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5048-303-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5056-87-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5056-104-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-131-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-118-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download