b8f6ec072228855067fc2db2aebf40e26f1d94a779045ad9244a0a4aee39d50c

Analysis

max time kernel
0s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49a65d30709be68ba11acff16a647fcf.exe
Size

468KB
MD5

49a65d30709be68ba11acff16a647fcf
SHA1

0c6ec701428f29a90a13444554d9e95fb32ea334
SHA256

b8f6ec072228855067fc2db2aebf40e26f1d94a779045ad9244a0a4aee39d50c
SHA512

0e80d32243153bb874c8651db4c6f3f4d4db88d7ec4cb65a18d96b26c7766bd32e38ab8f81bb7c984b512ed1253638e0847bf584dd60d3b1f25d39106c1bb302
SSDEEP

6144:IwmkwZipSnj0GV9zqrPX6GH4flOx6h8/awhXyxlYPR2RZWPVlY2fI0BSdnvR4Y/+:FApoJx6Op4l/ZWLQ08n4794tqhkiukM

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4568	NIMIkEUc.exe
2848	LYEMcUIk.exe
4724	gsgIwIAw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NIMIkEUc.exe = "C:\\Users\\Admin\\UKkMksQg\\NIMIkEUc.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LYEMcUIk.exe = "C:\\ProgramData\\NYsIMcYw\\LYEMcUIk.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LYEMcUIk.exe = "C:\\ProgramData\\NYsIMcYw\\LYEMcUIk.exe"	LYEMcUIk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NIMIkEUc.exe = "C:\\Users\\Admin\\UKkMksQg\\NIMIkEUc.exe"	NIMIkEUc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\UKkMksQg	gsgIwIAw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\UKkMksQg\NIMIkEUc	gsgIwIAw.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3068	reg.exe
464	reg.exe
2260	reg.exe
2224	reg.exe
3532	reg.exe
4840	reg.exe
3976	reg.exe
1548	reg.exe
2720	reg.exe
1464	reg.exe
3748	reg.exe
2976	reg.exe
636	reg.exe
4744	reg.exe
1028	reg.exe
1796	reg.exe
1884	reg.exe
2152	reg.exe
4440	reg.exe
2064	reg.exe
3028	reg.exe
3468	reg.exe
2064	reg.exe
4480	reg.exe
1676	reg.exe
3652	reg.exe
1604	reg.exe
2876	reg.exe
4744	reg.exe
3116	reg.exe
3392	reg.exe
2104	reg.exe
1384	reg.exe
3028	reg.exe
3416	reg.exe
2232	reg.exe
5064	reg.exe
3636	reg.exe
916	reg.exe
3684	reg.exe
3112	reg.exe
3664	reg.exe
796	reg.exe
4372	reg.exe
3296	reg.exe
2620	reg.exe
1712	reg.exe
4376	reg.exe
4720	reg.exe
668	reg.exe
1548	reg.exe
1884	reg.exe
1328	reg.exe
1044	reg.exe
1152	reg.exe
2200	reg.exe
1328	reg.exe
4432	reg.exe
4356	reg.exe
680	reg.exe
2424	reg.exe
1824	reg.exe
4172	reg.exe
1544	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2740	Process not Found
2740	Process not Found
2740	Process not Found
2740	Process not Found

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 4568	2740	Process not Found	23
PID 2740 wrote to memory of 4568	2740	Process not Found	23
PID 2740 wrote to memory of 4568	2740	Process not Found	23
PID 2740 wrote to memory of 2848	2740	Process not Found	24
PID 2740 wrote to memory of 2848	2740	Process not Found	24
PID 2740 wrote to memory of 2848	2740	Process not Found	24

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
"C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe"
1⤵
PID:2740
- C:\Users\Admin\UKkMksQg\NIMIkEUc.exe
  "C:\Users\Admin\UKkMksQg\NIMIkEUc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4568
- C:\ProgramData\NYsIMcYw\LYEMcUIk.exe
  "C:\ProgramData\NYsIMcYw\LYEMcUIk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2848

C:\ProgramData\JuAsQwYY\gsgIwIAw.exe
C:\ProgramData\JuAsQwYY\gsgIwIAw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4724

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:4248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:3560
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
      4⤵
      PID:1576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoMMcEQk.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:3116
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3540
    - - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
        
        C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
        5⤵
        
        PID:1092
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:60

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:3620
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4940
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
      C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
      4⤵
      PID:1676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIsgYsgg.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
        5⤵
        
        PID:3384
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
        
        C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
        7⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akgYEUgY.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
        8⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
        8⤵
        
        PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:3384
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:3600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqAoEwIE.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:1884
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSswMYIM.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:3820
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4332
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3468
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
      4⤵
      PID:2096
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nygkIMYs.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:1184
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4248
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoUkQAcc.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
        5⤵
        
        PID:668
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:1152
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4340
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
        5⤵
        
        PID:4360
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
      4⤵
      PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:4544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmkUcAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:4688
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4364
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgksoIAg.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
        5⤵
        
        PID:1180
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOMkgwMU.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
        6⤵
        
        PID:5028
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3068
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1036
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKkUwIIM.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
        7⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
        7⤵
        
        PID:4244
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
        5⤵
        
        PID:3444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yokwUUQw.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
        5⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:4636
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3016
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:5068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
        5⤵
        
        PID:4424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:4252
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:820

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:1796

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3976

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:1548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4660
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwckUQYo.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:1824

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:4988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:3444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
      4⤵
      PID:2876
    - - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
        
        C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
        5⤵
        
        PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYkocsQY.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:4636
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4652
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCEEEQsU.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
        5⤵
        
        PID:2108
      - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
        
        C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
        6⤵
        
        PID:4808
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:3464
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4428
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
        5⤵
        
        PID:60
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:1548
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3176
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uegcQgwk.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:228
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:2708
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUUgQcoc.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGkYUocU.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
      4⤵
      PID:452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:4360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkUYEgQc.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4480
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEYAYkkI.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:60
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4380
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1384
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
      4⤵
      PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEcMkYIc.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:4360
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGIQIMAE.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
        5⤵
        
        PID:4032
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1328
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
        5⤵
        
        PID:3400
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
      4⤵
      PID:4944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:4808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:1304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:4396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyowYAck.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
  2⤵
  PID:4252
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3296
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1384
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3444
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:3132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2108
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:1676
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:2720
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2232
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:404
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:4544
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:3212

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:1764
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysgkUAAI.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:888
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:4648
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:2244
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:620

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:1408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiMEMMoM.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
  2⤵
  PID:3052
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:748
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:1928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSscsAAs.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
  2⤵
  PID:3564
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:636
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2064
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:3148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:1576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:1300
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4260

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:4548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYYwAQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
  2⤵
  PID:3296
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyQEYIsY.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1328
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWkQgYEg.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:4984
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2424
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:60
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:1548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:748
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWoAkwoU.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:3116
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:3148

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKsYcAsM.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
  2⤵
  PID:1144
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:668
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4040
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:2920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:244

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqwUsUUY.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:4260
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:512
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4380
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcYQAcQk.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
        6⤵
        
        PID:4376
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:2424
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1144
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
        6⤵
        
        PID:2208
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:1824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1804
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:1668

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1832
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:4360
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2200

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:1920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:2832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:512
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:5028
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcEsowgE.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:3744
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3208
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
      4⤵
      PID:2956
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWEEMUgo.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:3532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:4336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCMEQAAM.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
  2⤵
  PID:4660
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:3608
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3652
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1144
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:4524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:544
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYEoIgsg.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:1824
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4720
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkcEcIYo.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:1884
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
      4⤵
      PID:544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:4032

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:5028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:228
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyIkwEIg.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:2152
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
      C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
      4⤵
      PID:4440

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyMMUYwI.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
  2⤵
  PID:668
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:3116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKQYIYAM.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3748
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
      4⤵
      PID:3512
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4648
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1604
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGEEYsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:3564
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:224
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1572
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
      4⤵
      PID:2064
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2064
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4376
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:1928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miMMkcUY.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4380
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3748
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
      4⤵
      PID:916
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:228
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYcIMIkE.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
  2⤵
  PID:1464
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1712
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:468
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqsQgYwM.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOcEgMAo.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3684
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:4660
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4380
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1408
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:228
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:3976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsUUwoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:468
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dsAYkccw.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
  2⤵
  PID:2968
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:5064
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEQUkgIE.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:468
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:1860
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:3876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:4840

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCUQYUkI.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCcYcoYM.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
  2⤵
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:1604
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4376
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2224
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1232
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:4756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmoIIAEM.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSQgcwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOEMooAI.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:796
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2976
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iycEIAck.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:3052
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1832
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:796
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:2512
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:4720
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKAQwwIU.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:2200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oScQsEME.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWIgggME.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:4032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zksgswsg.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOgQQkow.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
  2⤵
  PID:5048
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:868
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIUoIcII.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
    3⤵
    PID:796
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3028
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgYAscYg.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:4432
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
      4⤵
      PID:1044
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
    3⤵
    PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
      C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
      4⤵
      PID:3416
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4840
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYskAYgk.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkMMocAw.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:4904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWAMsgEI.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zawwQYEY.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqcsowUs.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:1180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKswYwMA.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:3540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCQocYso.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
  2⤵
  PID:1712
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3148
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgQggIMg.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcMskcgc.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:3548
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGoAEoME.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:3392
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3976
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
    C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
    3⤵
    PID:3560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUAsMYYs.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
      4⤵
      PID:3952
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3484
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
      4⤵
      PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3212
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckcswIso.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1332
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:5028
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcYMEYkc.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZakUAwoA.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:3976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqUcgswM.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
  2⤵
  PID:2096
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3392
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3884
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
  2⤵
  PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owwEEgwk.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4636
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIgEgkMU.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkMQgosw.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:3692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:468

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:4960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmcwcIMA.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:3384
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:2512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aooYEQwI.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heYAgMAU.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4372
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYcEAcUI.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:4260
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4376

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psEwEYAk.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:2108
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:3196

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3620
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOYgcsEk.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuwgogUQ.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoIwsgMU.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAgsQQwc.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:3540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DacEIMkY.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGIQwkAE.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUMIEgUY.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:628
- C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
  C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
  2⤵
  PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSMIAYcw.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgQIkAEs.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5028
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:2692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymkUsYAw.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:2244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEYwIMco.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf
1⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYgcgIMw.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGAkAokk.bat" "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf.exe""
1⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf"
1⤵
PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NYsIMcYw\LYEMcUIk.exe

Filesize
432KB

MD5
0012d8cf0d2c06d34af1f2fa2ea44673

SHA1
02ea4391fd09523f6eb9e5c57f5a15040fdf6658

SHA256
b55e56a3669d5d8e1c5965bd3eda4f508507d35cdc56b8a9b28af4d882edda67

SHA512
1afc4c774a5fcfc2c0cbcc71f134b5cd7e024a33e14d92df384dfe179bf737d311a78895a0d989afdac3b0c2b2866a02feb2532a4fb0303ef450ca6221e60d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49a65d30709be68ba11acff16a647fcf

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYUw.exe

Filesize
434KB

MD5
2fceb30d4018ff9e3d24ab8ba2eb0d36

SHA1
973289acadcb77d8408633559ae7e60ee684b2a4

SHA256
4f72c7f4d272e0c20fd1f6a164ea876a155919716d7131beb18127bb8a7c3a47

SHA512
87efbe3c9da3e24e1c15184958009b26c11acf5d667b96b888b7d2cc8fbd4e4569d0d4167810468bcd56c8aa1ba80f3329f06088e439dfa07a67a863d410eff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AyIE.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwIK.exe

Filesize
435KB

MD5
c5514df2194c474d42dea3e78e6268ac

SHA1
fae21eb896e9dcadbef8db88f00255b5529d696a

SHA256
abde75c9e998d79e8034c4b2c29588b197adb18080147f912884e76c39191309

SHA512
ed262514e1e60edf74fd7fa8d5fcbc6dcfe9f0d6252ef865eae4cef685678d1060831313fb41abe668d22e6f687c04e95f0611ed4c39f06494a97e172289b4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEUC.exe

Filesize
2.0MB

MD5
d2d95cdf8f6d901cef4bcd8231a50a38

SHA1
2f54c941537fbfce7ed69ed13193d35d9fc11e7a

SHA256
7df7ac86fafaf6ab28224e51d26db1897ddbdd618462a9e5a3b08e3b9021ac85

SHA512
55cbfd928fb49e0d608ef8c5ed70095bbd5d5ba10787f85845776fa28476b9f7df8aabc4b610272eb7408a8ad82183454d606139c461dc33e2fdd72716a69032

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQsy.exe

Filesize
891KB

MD5
8073379f567d090f7c33f4b4b3c6fca2

SHA1
6dd6f3f44acde563f8e3e62ff0dd60579176f48f

SHA256
f87b07205536e0b3be25af82d72804aae027412f055570a2df084dae5a35fd0d

SHA512
38fc8521ba34d8d8396c8146000b3617799b39d3341e132144806f51ed2494c6295067b64169cccdec4f461b1d798becddffbcc15a87b458da1846166fe497e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qkoo.exe

Filesize
434KB

MD5
d7c02f5580eaae54077d8f756e16ad51

SHA1
4a872129cebe3b41a0f3e3f2736da669c682b440

SHA256
4de6ca6443323fbfb5bfb0005c374959cd4146293488e000fdf0ac4ebd425900

SHA512
41bfc9d0da26931739e8c9ef63cfd53b1f68be41326d643dd66fdc89598c68747d07151b33ded5c754ae7a941002135090e2665acbeb221efb317380248d5688

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUwm.exe

Filesize
6.1MB

MD5
1ba916a5c13b156dc44069a85e1bf5f7

SHA1
073d229955c226b5979fa1ae591d1c73b52cf759

SHA256
9d351ccb4033110e8b12d267f8381ad382917b3b90964c317f567f1c7d331b1f

SHA512
f935acb9b138a4f908cbb0d3fdb2b59172275a33a49479a9135d1158566a2edff70a59095c02236a3145f4a6e1cf6db430e13ed981789c283fbe2c24c7d0fa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgcA.exe

Filesize
670KB

MD5
59bbf37e96b72358e4fb7a34ca4456fc

SHA1
b4008cbe24de56774c531f831089603b3b8d1cbd

SHA256
f86b36c7fb044ea4dd02fe46d46609d318f9b173dd6bbe0bed96cb66035116da

SHA512
606f95ce886830795fe3d5e54c66560652c776e1f0fdf2f1783af8f1e77b13412f97e54929fdb384ac4e0ae5289ff038dbdaf65f410d76e4240bc950da19eb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAcw.exe

Filesize
562KB

MD5
19950f8c78a5deadedcd9cff61eff5e2

SHA1
1cf1b9a4025c5df4d7f49fed7a5a71d4aacee5b5

SHA256
abd619f712670e9ee5aa4ba93b7bfbc975422165212a5aa25d34e4f4dab46628

SHA512
8dc8938d1a3b2d1648ed55d3e2e92d78f85530eb6cf79d4818fde87f6ef15392bd2291f37fe0c0361bf01949b2b44b1a8588285b69c981a788a30a8225701247

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYMI.exe

Filesize
92KB

MD5
4c9ef1319927b10eab108c3489885b8b

SHA1
8a092e6c6f070bac0bf64bc6b06062c656984375

SHA256
bd5db6eec829d4441ef6b40a6b13c5c5d3727129374880ca828ddb6f710887ec

SHA512
2a22ec14df95cf4027ea1f109600788957cdba44e255960fdc429765f5b60a559c7303a8f42dd97a2a3f8742a39c2fe010a81e18a27e81bfb5d3537bd3f4edc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwkI.exe

Filesize
1.4MB

MD5
90f6bbfc797c27f3f51cafb8601d4bfd

SHA1
543e9ed068615d39069c698a8df95b40d9b25add

SHA256
fce1a9523373722fd7a7b3969e1db92457d853977fcaa8b7627ae88611876c76

SHA512
c094125b5205ad52d4ac3dbfc1914b6859436aa378e8052f50b8e2237ce3799b53bb70102a7a8e97d75e8db31e96ec4f4d39205a5447358a53a7c7f0fd246e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\kowI.exe

Filesize
434KB

MD5
ce4b9876b7514bd9c82957615f8980a3

SHA1
f915a3fdca42fca5b38f63bd2795085390d9c06b

SHA256
28f3d413bc1d78b6d67d2b60c5983ad929b855e8230f6fbf14a6fcc7b08e355b

SHA512
af2b5cb198e0b3859e484dec52b06e5b5f4b2b33b4db9df4d6ba684aa88888366b8503ffe34febc84806ea0bff55c8d4297e1919d12be5c75e4eae8bc6eb5b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zWkQgYEg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\UKkMksQg\NIMIkEUc.exe

Filesize
431KB

MD5
6057344b2464dc69453df9ff5d2f90d8

SHA1
6fb8cfec1862c0cf23da8728ad530c3944213931

SHA256
ed85cb7a6385547091ca1a11faa9736c592c1f6fde2b2d2c5c2016b0725d4e91

SHA512
03ba60fdef8e0f1845af42cb1200278b575b8b0ed75a81fe288f0acf8c48f60e9480b0b4e517dfe76df6e105079689eb001e260e6a14da7d387a36d0536a8126

Download Submit
memory/844-221-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/844-243-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1092-173-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1092-188-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1152-165-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1152-149-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1548-213-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1548-280-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1548-201-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1548-293-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1676-320-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1676-307-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-177-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-161-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1808-86-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1808-103-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2512-141-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2512-127-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2716-65-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2716-77-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2720-255-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2720-239-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2740-228-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2740-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2740-85-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2848-12-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2848-112-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2968-74-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2968-90-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3132-302-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3132-289-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3196-31-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3196-22-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3208-271-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3208-284-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3256-251-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3256-266-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3560-53-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3560-325-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3560-44-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3672-64-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3672-52-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3692-116-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3692-99-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3952-113-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3952-124-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3976-185-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3976-200-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4248-27-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4248-41-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4252-153-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4252-137-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4396-329-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4396-316-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4568-8-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4568-98-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4724-126-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4724-17-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4808-275-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4808-311-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4808-298-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4808-262-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4988-225-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4988-209-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download