1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
Size

214KB
MD5

af970f81b48a8a0b82129ba4caf139c2
SHA1

cc878716b51f51499bb2710a4de49f02ca71cc2e
SHA256

1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
SHA512

06bf7fd4de10b6f5219dfebbd973666a97a9705f66bf5c6bef01eaad1b66f8ab95481c1f6c9e4fbf07908d45f348896fed2eb8b98dd232e69429b7f55a7e54d4
SSDEEP

6144:L+j7kB4xYjgBHDIuMqxa0BlgBAQYnMtXfG4k46EpJ5pG:LY7kQYjqDIQxHgKlM9IhSJ5

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

emMQEEUI.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation emMQEEUI.exe
Executes dropped EXE 2 IoCs

Processes:

mgEoQkMM.exeemMQEEUI.exe

pid process

4988 mgEoQkMM.exe
1132 emMQEEUI.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	emMQEEUI.exe

pid	process
4988	mgEoQkMM.exe
1132	emMQEEUI.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exemgEoQkMM.exeemMQEEUI.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mgEoQkMM.exe = "C:\\Users\\Admin\\xeYUcMEs\\mgEoQkMM.exe"	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\emMQEEUI.exe = "C:\\ProgramData\\YyMMYIoQ\\emMQEEUI.exe"	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mgEoQkMM.exe = "C:\\Users\\Admin\\xeYUcMEs\\mgEoQkMM.exe"	mgEoQkMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\emMQEEUI.exe = "C:\\ProgramData\\YyMMYIoQ\\emMQEEUI.exe"	emMQEEUI.exe

Drops file in System32 directory 2 IoCs

Processes:

emMQEEUI.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	emMQEEUI.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	emMQEEUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4848	reg.exe
1680	reg.exe
3924	reg.exe
3216	reg.exe
3624	reg.exe
3580	reg.exe
60	reg.exe
2360	reg.exe
3712	reg.exe
3688	reg.exe
3400	reg.exe
4472	reg.exe
2876	reg.exe
4172	reg.exe
2740	reg.exe
3080	reg.exe
2516	reg.exe
3588	reg.exe
3756	reg.exe
2044	reg.exe
2756	reg.exe
1804	reg.exe
2044	reg.exe
2312	reg.exe
1044	reg.exe
1632	reg.exe
5040	reg.exe
4700	reg.exe
948	reg.exe
1588	reg.exe
4204	reg.exe
2628	reg.exe
3092	reg.exe
2088	reg.exe
4204	reg.exe
3816	reg.exe
1536	reg.exe
588	reg.exe
2824	reg.exe
3648	reg.exe
4028	reg.exe
3572	reg.exe
1920	reg.exe
4596	reg.exe
2128	reg.exe
4388	reg.exe
948	reg.exe
3960	reg.exe
3512	reg.exe
60	reg.exe
4288	reg.exe
3308	reg.exe
1044	reg.exe
4004	reg.exe
768	reg.exe
1536	reg.exe
768	reg.exe
3644	reg.exe
1544	reg.exe
3924	reg.exe
3580	reg.exe
3988	reg.exe
212	reg.exe
1488	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe

pid	process
1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
448	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
448	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
448	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
448	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
2040	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
2040	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
2040	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
2040	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3984	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3984	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3984	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3984	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3472	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3472	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3472	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3472	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4776	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4776	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4776	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4776	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4172	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4172	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4172	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4172	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
1272	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
1272	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
1272	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
1272	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
804	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
804	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
804	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
804	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4396	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4396	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4396	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4396	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4100	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4100	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4100	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
4100	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
392	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
392	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
392	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
392	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3976	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3976	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3976	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
3976	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
2824	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
2824	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
2824	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
2824	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

emMQEEUI.exe

pid process

1132 emMQEEUI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

emMQEEUI.exe

pid	process
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe
1132	emMQEEUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.execmd.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.execmd.execmd.execmd.exe1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.execmd.exe

description	pid	process	target process
PID 1924 wrote to memory of 4988	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	mgEoQkMM.exe
PID 1924 wrote to memory of 4988	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	mgEoQkMM.exe
PID 1924 wrote to memory of 4988	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	mgEoQkMM.exe
PID 1924 wrote to memory of 1132	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	emMQEEUI.exe
PID 1924 wrote to memory of 1132	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	emMQEEUI.exe
PID 1924 wrote to memory of 1132	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	emMQEEUI.exe
PID 1924 wrote to memory of 2068	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe
PID 1924 wrote to memory of 2068	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe
PID 1924 wrote to memory of 2068	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe
PID 2068 wrote to memory of 3628	2068	cmd.exe	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
PID 2068 wrote to memory of 3628	2068	cmd.exe	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
PID 2068 wrote to memory of 3628	2068	cmd.exe	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
PID 1924 wrote to memory of 3624	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 1924 wrote to memory of 3624	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 1924 wrote to memory of 3624	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 1924 wrote to memory of 2424	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 1924 wrote to memory of 2424	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 1924 wrote to memory of 2424	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 1924 wrote to memory of 4180	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 1924 wrote to memory of 4180	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 1924 wrote to memory of 4180	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 1924 wrote to memory of 1788	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe
PID 1924 wrote to memory of 1788	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe
PID 1924 wrote to memory of 1788	1924	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe
PID 3628 wrote to memory of 1652	3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe
PID 3628 wrote to memory of 1652	3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe
PID 3628 wrote to memory of 1652	3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe
PID 1788 wrote to memory of 836	1788	cmd.exe	cscript.exe
PID 1788 wrote to memory of 836	1788	cmd.exe	cscript.exe
PID 1788 wrote to memory of 836	1788	cmd.exe	cscript.exe
PID 1652 wrote to memory of 4488	1652	cmd.exe	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
PID 1652 wrote to memory of 4488	1652	cmd.exe	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
PID 1652 wrote to memory of 4488	1652	cmd.exe	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
PID 3628 wrote to memory of 4848	3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 3628 wrote to memory of 4848	3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 3628 wrote to memory of 4848	3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 3628 wrote to memory of 1552	3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 3628 wrote to memory of 1552	3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 3628 wrote to memory of 1552	3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 3628 wrote to memory of 3844	3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 3628 wrote to memory of 3844	3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 3628 wrote to memory of 3844	3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 3628 wrote to memory of 2932	3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe
PID 3628 wrote to memory of 2932	3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe
PID 3628 wrote to memory of 2932	3628	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe
PID 2932 wrote to memory of 2044	2932	cmd.exe	cscript.exe
PID 2932 wrote to memory of 2044	2932	cmd.exe	cscript.exe
PID 2932 wrote to memory of 2044	2932	cmd.exe	cscript.exe
PID 4488 wrote to memory of 1960	4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe
PID 4488 wrote to memory of 1960	4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe
PID 4488 wrote to memory of 1960	4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe
PID 1960 wrote to memory of 448	1960	cmd.exe	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
PID 1960 wrote to memory of 448	1960	cmd.exe	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
PID 1960 wrote to memory of 448	1960	cmd.exe	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
PID 4488 wrote to memory of 3136	4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 4488 wrote to memory of 3136	4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 4488 wrote to memory of 3136	4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 4488 wrote to memory of 4204	4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 4488 wrote to memory of 4204	4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 4488 wrote to memory of 4204	4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 4488 wrote to memory of 3640	4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 4488 wrote to memory of 3640	4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 4488 wrote to memory of 3640	4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	reg.exe
PID 4488 wrote to memory of 3800	4488	1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
"C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\xeYUcMEs\mgEoQkMM.exe
"C:\Users\Admin\xeYUcMEs\mgEoQkMM.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4988

C:\ProgramData\YyMMYIoQ\emMQEEUI.exe
"C:\ProgramData\YyMMYIoQ\emMQEEUI.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
2⤵
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
4⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
6⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
8⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
10⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
12⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
14⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
16⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
18⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
20⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
22⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
24⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
26⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
28⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
30⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
32⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
33⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
34⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
35⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
36⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
37⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
38⤵
PID:2012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
39⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
40⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
41⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
42⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
43⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
44⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
45⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
46⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
47⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
48⤵
PID:3812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
49⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
50⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
51⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
52⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
53⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
54⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
55⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
56⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
57⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
58⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
59⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
60⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
61⤵
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
62⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
63⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
64⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
65⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
66⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
67⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
68⤵
PID:3516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
69⤵
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
70⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
71⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
72⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
73⤵
PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
74⤵
PID:2524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
75⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
76⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
77⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
78⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
79⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
80⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
81⤵
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
82⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
83⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
84⤵
PID:3976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
85⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
86⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
87⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
88⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
89⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
90⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
91⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
92⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
93⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
94⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
95⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
96⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
97⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
98⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
99⤵
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
100⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
101⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
102⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
103⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
104⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
105⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
106⤵
PID:4936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
107⤵
PID:364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
108⤵
PID:1680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
109⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
110⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
111⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
112⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
113⤵
PID:4004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
114⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
115⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
116⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
117⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
118⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
119⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
120⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
121⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
122⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
123⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
124⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
125⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
126⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
127⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
128⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
129⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
130⤵
PID:3536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
131⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
132⤵
PID:2824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
133⤵
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
134⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
135⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
136⤵
PID:4776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
137⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
138⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
139⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
140⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
141⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
142⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
143⤵
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
144⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
145⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
146⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
147⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
148⤵
PID:4964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
149⤵
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
150⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
151⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
152⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
153⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
154⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
155⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
156⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
157⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
158⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
159⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
160⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
161⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
162⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
163⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
164⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
165⤵
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
166⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
167⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
168⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
169⤵
PID:508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
170⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
171⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
172⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
173⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
174⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
175⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
176⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
177⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
178⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
179⤵
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
180⤵
PID:3128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
181⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
182⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
183⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
184⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
185⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
186⤵
PID:4964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
187⤵
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
188⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
189⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
190⤵
PID:1628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
191⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
192⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
193⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
194⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
195⤵
PID:508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
196⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
197⤵
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
198⤵
PID:1788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
199⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
200⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
201⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
202⤵
PID:4640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
203⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b"
204⤵
PID:860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b
205⤵
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- Modifies registry key
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
- Modifies registry key
PID:1632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:4712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwEAUwwk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
204⤵
PID:3476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:3760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:1260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:3216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:4912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOYwsYIY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
202⤵
PID:1200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
PID:2060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:4104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
- Modifies registry key
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zowcMQgg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
200⤵
PID:4884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:4488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:3412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aicwgwsU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
198⤵
PID:4812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies registry key
PID:1044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUEgcUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
196⤵
PID:4712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies registry key
PID:3924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:4360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaQsEocc.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
194⤵
PID:1224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:3080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies registry key
PID:2360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:4100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIYMsUQY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
192⤵
PID:3772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:2016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
- Modifies registry key
PID:3216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:3220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUEIUcQk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
190⤵
PID:4812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:4904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
- Modifies registry key
PID:3400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:3800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUIMcwYw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
188⤵
PID:2632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies registry key
PID:1488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqksQMkM.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
186⤵
PID:636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:3816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:1916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiIAMwUE.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
184⤵
PID:4356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOkoEccw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
182⤵
PID:2000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:1660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies registry key
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmAAkEgw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
180⤵
PID:1000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmUAwYwM.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
178⤵
PID:4788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
- Modifies registry key
PID:212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:4712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUAwowYc.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
176⤵
PID:1248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
- Modifies registry key
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSwUkgwk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
174⤵
PID:2104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
- Modifies registry key
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQgkkwkE.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
172⤵
PID:4052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:3148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
- Modifies registry key
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:4564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaAIEwEg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
170⤵
PID:1568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsYQMYsk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
168⤵
PID:1660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqogEwAo.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
166⤵
PID:2936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
- Modifies registry key
PID:1544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeMEkAoc.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
164⤵
PID:4344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HScQMEwc.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
162⤵
PID:1096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:3372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies registry key
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diAcIgEk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
160⤵
PID:552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwYAkEgU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
158⤵
PID:4320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAEcUsYY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
156⤵
PID:1588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEcgkMwU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
154⤵
PID:4608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSEAwEYk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
152⤵
PID:1660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
- Modifies registry key
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqsIcIUI.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
150⤵
PID:2312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:1516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:2000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEUkIAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
148⤵
PID:3472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:3984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSQYkgIc.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
146⤵
PID:3400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
- Modifies registry key
PID:1536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIIMEcQk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
144⤵
PID:3080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:3664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMgkcoQU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
142⤵
PID:4572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOoAkkYY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
140⤵
PID:4444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
- Modifies registry key
PID:4388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSAggcgU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
138⤵
PID:4356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
- Modifies registry key
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:4964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tysAsMAI.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
136⤵
PID:3572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies registry key
PID:4700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgoMkEYY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
134⤵
PID:3212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:1260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGwcsosk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
132⤵
PID:3760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
- Modifies registry key
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUksgcww.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
130⤵
PID:968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:4608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
- Modifies registry key
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsUAIkgk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
128⤵
PID:2228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:2628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
- Modifies registry key
PID:3092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQgEYgsg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
126⤵
PID:1720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:3644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugYogEMI.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
124⤵
PID:3476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:3652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:4900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaIMQggE.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
122⤵
PID:1680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:3800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:3760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcwQUkco.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
120⤵
PID:2440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWswIkkg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
118⤵
PID:1660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEIoYMow.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
116⤵
PID:3308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:2456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:4696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:3536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWgQwYQY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
114⤵
PID:552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwwMcwQI.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
112⤵
PID:1488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
- Modifies registry key
PID:3756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- Modifies registry key
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgAskYAk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
110⤵
PID:4976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
- Modifies registry key
PID:2628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyUwcscs.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
108⤵
PID:1248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:3536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:4028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
- Modifies registry key
PID:4004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWMMwYAM.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
106⤵
PID:3988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGYIEAYo.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
104⤵
PID:2128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:2740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:2404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
- Modifies registry key
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
- Modifies registry key
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQckocsk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
102⤵
PID:3608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGkwAUkk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
100⤵
PID:1316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:3760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSkQAEsY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
98⤵
PID:4848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:1596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyEQAkkU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
96⤵
PID:4696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUwYgYAI.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
94⤵
PID:364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:3652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:3604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feAwQwwY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
92⤵
PID:1788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:2416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toQwYQgM.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
90⤵
PID:2632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
- Modifies registry key
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIkoEEoY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
88⤵
PID:3652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAAAwwkg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
86⤵
PID:2416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEEYUowk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
84⤵
PID:2360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAQIEIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
82⤵
PID:1172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:4696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGIgMkUw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
80⤵
PID:4784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:4396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COYokYIc.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
78⤵
PID:4600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkMAIUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
76⤵
PID:3652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoQEEcwY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
74⤵
PID:4564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:1516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daIIcEYs.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
72⤵
PID:4464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:2756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:3640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukAwgIcw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
70⤵
PID:4512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIQgogIo.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
68⤵
PID:1044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
- Modifies registry key
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEwAQUkA.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
66⤵
PID:3608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:1536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:4968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQkYEscE.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
64⤵
PID:4984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:4744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DycswoEI.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
62⤵
PID:3924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- Modifies registry key
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diIsMAwo.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
60⤵
PID:4396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:4904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwEckYAA.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
58⤵
PID:2128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwEIkMkw.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
56⤵
PID:2852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
- Modifies registry key
PID:2756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moAgowog.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
54⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oakIsMIY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
52⤵
PID:4572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:2932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYEgoIkE.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
50⤵
PID:4376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LawAgwkM.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
48⤵
PID:976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:4784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiUkIksc.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
46⤵
PID:1640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYEQgQIU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
44⤵
PID:2060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dggUsQQE.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
42⤵
PID:4164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies registry key
PID:2876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyoQoIMk.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
40⤵
PID:3880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
- Modifies registry key
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqMAgUkY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
38⤵
PID:4848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:3256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAgUAYEE.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
36⤵
PID:1712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- Modifies registry key
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykosQUoo.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
34⤵
PID:3228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:4052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAsIwYcg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
32⤵
PID:3924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies registry key
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\veAwowwU.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
30⤵
PID:4564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies registry key
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- Modifies registry key
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmEoEckM.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
28⤵
PID:4916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies registry key
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsQsIYUg.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
26⤵
PID:2844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:3872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMUAYsww.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
24⤵
PID:4612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:3580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
- Modifies registry key
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imIoMEQE.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
22⤵
PID:1824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OigkswMY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
20⤵
PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies registry key
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- Modifies registry key
PID:3080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCsosgoM.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
18⤵
PID:3844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIYgEkss.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
16⤵
PID:4612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAgIAogs.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
14⤵
PID:1620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
- Modifies registry key
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkAYQEAo.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
12⤵
PID:3432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWoUsgUs.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
10⤵
PID:1804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:3512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygEQccIA.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
8⤵
PID:3084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYAwUAQc.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
6⤵
PID:3800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySAQYEcY.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:4180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeUAksEQ.bat" "C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3872

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
236KB

MD5
ea289898652f7ac8a1ffc5f7447bd64e

SHA1
948b5db0b356f67fce82ab988f8fd324af9d546f

SHA256
9932e410c3e8de51c7e6be6c01b9d6fe24ede99a88f159ac504906e2cd79bd03

SHA512
e46f97591bc6b71daf188096b3fe0e5843d6ae97502e664f34e269424c2530072c448bc33de883c7a3ea011a31e972a323440d614610138d5f9ad535698b9c9d

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
242KB

MD5
38e1afb95e4c6521b355e7708fbb6714

SHA1
e934bc488322f6c5df4adf763839684bff777bc0

SHA256
6017eafbc6b7c898b55f401d15de95d85250e304ec285d9d5fbade2b9447eef6

SHA512
a8707401d6fb0e9f1981a8820262e8b293c82b790053f1f6c6d65162f71ee98110a3ed3ed20c7df5726dc21fd72a4ad6f3ee3f6268c61adaade43d4511d5cf81

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
698KB

MD5
3194f148a1b90c8def4b8e11494c9400

SHA1
ab11b362fce88c21111022d064b276cd08ea37c6

SHA256
f3f237c5f4b19639f4405b6fb65c1012f40f47078ceff7bdeba0fcdf829f0ec7

SHA512
c250177f74d6f4b967d99b4d849cbd59a701d7fe4502ab2e9a3fb625f391782a76411ba24d371ca03f173587f47b75172c2004e77c7a989d1f6c1386a893f985

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
556KB

MD5
a332163a323e16853e17bc2c7bc7740d

SHA1
68d9e5571c0a611d3fbd56c662b5671ca712f2d6

SHA256
34afd1471d9cbed3becf980e966c20972119b191d312ce14075a8463adc3ca1c

SHA512
3a2eb73e4b4b2e93cd9d82ba3178f11735e6bb5cb18e01001dbe663afc02a52bcbade950869d415e5c0957ddc0860572ea2d54c519de933b17f7ccd2f8b69271

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
556KB

MD5
5b826ac7278ef622fbbe83d42c03c152

SHA1
633c32c35602b9f1eda7f6a851bd0b7bd24bc67c

SHA256
46787bd0b5259535b9adaaab7a9f1b4463c9236b3861ab2fbe1edcb07ccea48d

SHA512
322b33360b761c785eeb9b52e963fb866362599785cd59ba9afa342392df2964a93b9b951f07b0a5dee7bc68a570fe5188e31311880a226b01373d6e74ec6bde

Download Submit
C:\ProgramData\YyMMYIoQ\emMQEEUI.exe

Filesize
109KB

MD5
964144d1bc2669a200b5d000f8e1b06b

SHA1
b2ff6f26a413c90924168030917588e409362eb0

SHA256
09ceef74abc2ef46de532dc264a2cdc1113cfeb92988005203fad2cf4d7cf7e1

SHA512
217e3e6755ec871fb0383e22886ffc193cee93a861d1446aa9052a8112d5685532c7f7f23a2eaae373420f799820698c5efb2c807e1f127d86dfb7cde2c6f9ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\128.png.exe

Filesize
114KB

MD5
eea189016c85189813e12c638b531070

SHA1
4257ec601edc7d02e7554b57e6a7acae11ec7910

SHA256
fe66a2743b36ce2ec9732068701557e8bbb83dfdd9bd33896f9627be919c6030

SHA512
f91945dedb5bbb2950e0c3767d849a8dd283c84f3544205b0d73d17d42cd9c84c4b52722a7a238cbba24993464089a383ce67adcae1ab8cf96e3bb2a9533ba78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
115KB

MD5
dac2952f50a9988f8ba4703d9542ad0c

SHA1
0d7eb6945d2dd10e70de991468b2bd5ba9fefcfd

SHA256
c713d1d5a29b6384bf3b94b97b1aad32eecfc1aefb86de616516f771ca080a9c

SHA512
9200f20e957cd2650b3e87ce1b37ffa528c995d183844eb7429a21f7df66dcb0796de4620e4351c0f132c697a10b681300a93ddab1c03214b210fb58f6c8a566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.exe

Filesize
112KB

MD5
3e16798c6ecb4dd2018f6ff7a30b1eae

SHA1
e8210a1281652b9792faa4141d1f2c0ad2c76d46

SHA256
1f7e4ffb135b856698e8e910dedc29b695bd103c042b3bd034dce8820b3f12ff

SHA512
61983b9848410ce96492f6317a5212dfbd2418be923f6169fcf0c9e5425b712798638ed47148aec32b47a72494bd4fac5fafddc93cc8b50558a6b76913215711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
7dc98b7853161724bc356138ab86575e

SHA1
fdddf7353d0788964d421a6ffd2cf4bb1a1e56ac

SHA256
6fde179469ada3f0f54be266aa4b82ca1018673de25d8507e0571dcc6b2bd355

SHA512
11b35013c1ba1c277a0b784c7a872124001ff43946e14412fd8f45eb93d2246869de8481334103841db4b82cc55073ddab1273ae2f77c303d7cdc1ba77d2ead8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bf9d170c078c92fd3d6044390c6a4612299463e5f2d8953d2e86aa04601671b

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYMg.exe

Filesize
721KB

MD5
029e9d8447b9b64c36957a8403f02a70

SHA1
299a989b775bb47c8a9b826b26bef20ab8c734a7

SHA256
a9de0e39f65e726b29ffe5894430de57f8cfc946778dac3cfd4e3e9358d21096

SHA512
6a979caf182718b84e3153b21628d10113f2683fd8f1fc940caff5810345f5b01e55ce3dbe3e612a46dcc83c34565ebfc59489863139a789db616aa6c8e25309

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYwE.exe

Filesize
375KB

MD5
230138d8863b2e373076c4b90cb7b8ab

SHA1
c7f917b6347bc0bdb1dbadd451358728bb7ec478

SHA256
67af97a75e4c635574cb3bc105c81293578676f225cc3eebaf6ff14d70575bf4

SHA512
fccd1e4227db1f750b4b0702d0219e5e159af90604360e444295ac7fd92bbd81e52ca152f2b44457935c91f021255977f4f252a312128ceaa07558f4b54b0b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgcY.exe

Filesize
118KB

MD5
13eb4d39d0c1b3ee9b16a891b4bd8bc4

SHA1
7f8b752dc59e3acbfd3b37efd26c5af912c76fb1

SHA256
d3b335d3af5883c5336445e0eb2f130ab4eada9b8c489ba8c0262a3b4d4e66e3

SHA512
5ecbe30ccaab4460106119156456be76761ecfd4b031c31604d6d8bae5082fb467fcaae2c25ca5960d0dfc134e21e15dabfbf251eecbac524914d2b3f105baa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkUM.exe

Filesize
138KB

MD5
3d5e435433300cb77c7e612e78bcc0aa

SHA1
00d3c5622d830e55de9f867b6f21d2b523dee8d7

SHA256
266fd6ff31b8c150a22040e6b398155af6ab6e7d682c94bfefd47b304f498d53

SHA512
86584901cb6f6698780d77d105ad707c3cd8467cf4510f3e65d636fb4df6f43815d997a48b1bc1a1cac74fca0b372d30e541a3feb384225c7bcb8475f7efafc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIMy.exe

Filesize
110KB

MD5
7dedaafb4c5230dc7208ec0398078d05

SHA1
a7d5f7d765478366999c021e2cde74cbe7b23eed

SHA256
ec394c3d9580b3771f1ef6da7ae708e7cf10904d8d28f2c19ef77df01c5b31ee

SHA512
eef2c31fa16e2a7f1d2bbe182b904394b22736f11cbec610866b227c51aa6316e6c1c0733edf462f20895051f6c89e7245421507e9e072eacf8c3b41c252d43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYYM.exe

Filesize
768KB

MD5
23e81739f194ba6e79c4c1cc37e584e0

SHA1
cc97ffc36ba8040d1e957a0a788f50582f275b0f

SHA256
72e5f41a3917f8f3753bbdb4c6b881d7eef12f5eefc920cdee4ce08cf77c95ad

SHA512
1c43901cbca9c8355e2cced8d4707f83dbb4399a4a8ae2cc27883ff0c7fee240e936860f86581906b97d7d1a7f9c781caaa28d25d58c350af08bf7795a652329

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcME.exe

Filesize
114KB

MD5
2f914a58cac83ba7af8e47da5b894da5

SHA1
85223942b311558bdaaba5cfd47b7de386444a2f

SHA256
7b2590e0a4d8b72fd0e271530fec67a5d3e77888a2f44d9c4b67acf7296feb4d

SHA512
1e11ed5c548d9ea0c049e5744699322f54c6f7af23706779e9d3ead2069a25a9c5bbc55aa463c52dd463ad65ee69a5d0f4528201952becff27727f6062b3556d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoUw.exe

Filesize
110KB

MD5
333d3b8a7452594b02ebcafc1c499f43

SHA1
117d6191e1ea85fb8487dc94e3936e83e98a92a8

SHA256
ddaa9a69617c532ae8bf1c49f60236f724e31fa78169ee783265a148b2e7948b

SHA512
7690f1fba49ec188dffab91594971ee6752d71e7a7c9e20229e098670472006a3155fd9ac7cd524dda3de60a98b47a84a3ce6b94705b4eedca3f9b755ae3d640

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coww.exe

Filesize
1.6MB

MD5
a0cc411b6205082fbf48c47936d01d46

SHA1
b641716f364cb1043a720ea0753e83adb23e3440

SHA256
6ab57553dc0548e393df9c6358ad121e71a3cbe11afe81c86600fd789bb423b0

SHA512
c0d5e2343d7cad1cc9563029d576c535978994adcc338f1f3b679745b0915ec61cbbfb4fc2e81a77118acb78c802e180dafec4e7f40b7f92d86418491321a9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIkk.exe

Filesize
860KB

MD5
0c9a945782c0a397cc6e21ec3e72fe71

SHA1
fe64e6118d829b04aa0cc2c50e4c91daf6a8bfea

SHA256
4a4ac24e0989c1fd34b8906a535e22a18e7bfa8fca94c34e30f4422dc2703771

SHA512
1d6466915c560f3e43e76a0fe267d03ca8b56cf4eaf7171c82ec366c2213d7ffc9aa673ddb5d4a0a83913342c72973c91ba979e6f12014cb346b08c06eaf751f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMgo.exe

Filesize
112KB

MD5
c3f99373eaaac3f90cbde9a3a7295c87

SHA1
4c4e1269df08287632048b9e83e8bb74a1a64b4c

SHA256
ae4c5c9d9d7c06b470e39014f9b0af0e1b902af70421fda007e6019b21f44ddf

SHA512
9c0427a1ce668ac1d5e0659fd0523778d3548eb5eab35868610988a3ff7d7294f09e694585dea4cfa1c4f54c52b14036a24331e7856e27fcda752085d35a228e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQEI.exe

Filesize
119KB

MD5
3a3e0d92cf71e4498ca28879b1ae1dd3

SHA1
9bc9a7916d618ff1ed55b3f9e21a68c2424d88e5

SHA256
f8de245afc0ac92fa764ff4506e20d554c329a6e4967f147eb8aac98ff6c487a

SHA512
cfce4971f09be8bae260afc26e5e9ee9c5f68c85abe0f005c81d6fdb13311eb2f8c93abb968b84e0d7cb0642ea8e2c751a863d5c4c7c3a191da53f44abb79ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQgm.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYIc.exe

Filesize
113KB

MD5
f3c0d5e9b89faa0477c21ba47e50ae01

SHA1
b97fb6b1f5ba6c136b1812dc701985d29ae207b5

SHA256
2a5d492c6a93a68783791116a8d9f545c082595ef7a5244e79efdbe121771987

SHA512
2b9e13e86f706c292ba6378833205ca6417f3b3920214b3427c64abb20c82429859b63607466c1391fe6aea7ab817081e2bd42b170472726d2dfd4ef9ce89328

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEQI.exe

Filesize
5.8MB

MD5
e302f7d32c0e08713d33c128288280c4

SHA1
95645cd264d1c7bd7707fa3fe9deaa2cbf821f69

SHA256
bc8f4debce965d725d65cc0dec8e4b75846262726ea4ff53bdf88e7eaaf15ea5

SHA512
35b79829b0bc1a21e4b24936a96fd970755f0fb450731b4f21687c3e0631e93f89a6a7de6d68e8f1792ff2ce483ab3fc4a6b2938b8d7710547d20646fe3fccc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAUI.exe

Filesize
117KB

MD5
f55f732254ac43350bb9628284cb137f

SHA1
4fdd1195d1ed6503109c961c27c9f7797fa4c9bc

SHA256
4d992b98afa952cbed3141265a47bcb2aebb4bb77d76cb509359b7bdd911477c

SHA512
e680310f03e8b3bb2bf3ae62a9fbf609207e6abe2a4a0a841d5bdac325e1c7ad15432e815323058d5c6921be44340beb99c48da6511ca21ba3dd5268aa64de14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIEi.exe

Filesize
238KB

MD5
bcddd3f413b81cba3544c4b2d8e386bb

SHA1
4f81a5892f29dc0dca98fbb8ce96be000e96260e

SHA256
04edaf7f3e5e00b66f33e987cbfa7a2a253752a8c4c1f8f34394d6da5472bbf1

SHA512
a56da46058022c2b099b95d01e1f9fcba0fd6425ff707891af19b89ad486659c974e53f70f68213a869e29d076408cd1169deac420569ece89c4a169273e7685

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMcu.exe

Filesize
111KB

MD5
ebc94a4bcb792997cdb655267db1edd9

SHA1
c9eb7f6276a63c4d03b4fa40a25dcbaa8d44b8ad

SHA256
9776e67dc698d5117c91bcaaa9de3334ac414f255cd6c15231e2bb32a0617c60

SHA512
aec850aeee0adbe3d84b97d1f8d3a0d34a7385f79a4d3a8d7a2ceb27aa567bcb16e45b57dd4920b6520f7fdddc5b4183c5e6720cae507a0f9f78684482f2b777

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwEC.exe

Filesize
116KB

MD5
9119f7a623d5dbbdcca82c0b729cc03e

SHA1
1f3776d387d0b95198a7aff3702a3fc62d86581a

SHA256
7e1a00c872ac4e053ed772895c6a7932ea76849f7784069323251e39d8bde09d

SHA512
c554f419c9364cc60f5d0c352162c67bd7b100c16a70e530b88300bafeace2ac397dabcd5e961a9a25b7c0a855aa95921281dfcb1b4fb5395c2faf1ebd8a21c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAgm.exe

Filesize
111KB

MD5
4823449b0d57141eaad1c93d6425ac82

SHA1
3ec8f23de1f011d9c66712d7a6b6d8ea9e0135a1

SHA256
a822a44aea42ea26ef36251e7ae4275ed188f56e9d00582adf1f41632d68f222

SHA512
a88d66e13febeb3e8033f57d985c86bd49b49a2cdb301b64d1cdac84c88ab3ce70c242e12fbd06af126987034796b37c0b563d7e463c30a6f848a1689e43c69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEIw.exe

Filesize
111KB

MD5
27999dce6bd19018a471d491e45bcf3c

SHA1
91088b0295c20bf47eae6092fcb33325dcea708b

SHA256
1ce567e35fedaddde32f67d6baa6c98792e6265cd2f845d0d1dc664b1ca48862

SHA512
afdda0db23ca6aed5898562cf7ff3e27cdf9ad991c4980d451442c48d6a912781536d3c945665cc94047764f3d76811b6d7844a174e826a53a5f51a75c07cb03

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYkq.exe

Filesize
123KB

MD5
a894cafeee51549efcd439e2876a185b

SHA1
8b679fd71dd1db16c7217fce1617aee941d71aee

SHA256
284b37bef78a92a720c4e071c9a01b27645c05169d3dd6a7ea750ef12483dec6

SHA512
1e03818d24b0ea200ac3ce2ffed0c95a607e380964d362f779cd4d904fc6e7442391585c14ce7b81b161ba5a22ca352de544742f3c86effad7798c5b8d76ff0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeUAksEQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIsI.exe

Filesize
111KB

MD5
bc4ae4195cb84c431fb6cdbb790b8418

SHA1
e37c6a07df1f100e817a4b0f283f3c63c42bd833

SHA256
fae60ddadbd872fe8dee0cb77a30dde561e0d3c0f077e4982d61e2475e2caa8f

SHA512
9fbb1ccc9c6581a1d534117442515455db41ff54814b41201af7e2ccf3cb30e8d2f41a89935e778071697fe34f1738ee215f047f2cd27f2d7afb40e75b59b578

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYks.exe

Filesize
149KB

MD5
cdfdc82fe9530e7f6bef38403bb1ab28

SHA1
5eb0a6a1bce99d95f18438531e33e3743b1a0e85

SHA256
53c0014ab2a53a68450db2403f92993926192edf4482943a33ee2ff8607a7c4e

SHA512
6fd42896b125a6311a84ac2c29435a496fc19791acbc30fd3cc5c6b30313e75c3d0823a6f9855217052538859eff2fc4b8a8e8baeb924761a3ac1182aa928512

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIsQ.exe

Filesize
110KB

MD5
426fe17c839a24773b02bd29e0975dcd

SHA1
de868f9ba4843f253e9aacccd765716c2042464e

SHA256
205e11f5c87b6ffb990d618f00528dacaf211e0dc4a29067b31307b61179b2c4

SHA512
31094d3e980044b690400385997e29b2afbb7cb8d83616c19732d62ee6f0fe91c170f372947be7d750d241c314546f695318d2c7275166e46172e058418d858a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUsE.exe

Filesize
1.1MB

MD5
cf65de872927586b6868a537361c7e8b

SHA1
05ccca9e2ba684ed2cc40a7c18ee0fa7262cb100

SHA256
a31dab362b7f79b9a0af377ffaa40f6b6a2ff6bdc11b77832db81f90111ef55c

SHA512
60cb5806f7002230ef868bfede912de72e1534511a36d52994a09d55a6d230ce0f1d5476af585c155e9d0deacdced46941de0377bcee7c1592f8fed2af90e14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYgc.exe

Filesize
720KB

MD5
7e37315e549f82e04a12c41e0cfd0289

SHA1
7be1800de8df9df0a767602bc5ad5aa70bcc9ad2

SHA256
68fd3d3dc2b211f99e8b846493c68670126366470fc0f7bf41f6ab6e46306502

SHA512
514c189c18cadc4d2ef8073bd96bb721e18d5561ae930e52524b7a8f16313996711ca0b2000bd8c47713e1591cb197f8d1eba77966af9b3793b9370c32718c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEEg.exe

Filesize
120KB

MD5
ff0292f0d6ee29f6dd4c482df688b89b

SHA1
3c810362d011f14e6fffa0f5b6036b15f60ae913

SHA256
545885dc02ed71c0230214a47b252c6771cde7e83149404d7f23b3f735c7f221

SHA512
13682d691e1c2db22fff5c4ad9cfa3c8fb5563924ad44407f62905b526d5c245e9244e3a7294158ce19551d82bd6b5f308c56b6abe6d8ce3a1848efdbb3b8d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcEu.exe

Filesize
111KB

MD5
cd5249f2249e29b0a400d9c7256f58cb

SHA1
4b0832355798c6f65d179fb42884808861ff55b5

SHA256
6ba1325eba9263265bf64a6358f5563747432b9acb9f3486c69fe5b93a7802c2

SHA512
afc6c6085bbe69340a6c9d943641b3a9c8b965e88588d10bff2c28b7ce70fd0d43a717f25ed0a1bb6b93996fa53ec66581f6b6d841a1955043bdcadc24f62082

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoIA.exe

Filesize
113KB

MD5
3c3950626ed02a725a7463aebac50f25

SHA1
9e3e31560eaf7ab97558c2b4854aa236c4ddedc9

SHA256
8fa0be8e62984185c4cf5a01c8ba9c2a7f31529faec60b1ead45c5783e0b3c7a

SHA512
30c10d7a6706e1f02f91a767c62c536b30e54721f91f72c5d12c05439ef365fc8216334354b1f11d50e2faecca4e6048c625a6466b2a428c4e4c5d7c0f198b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgIo.exe

Filesize
112KB

MD5
1a356206b24ec697605b25a0371cc410

SHA1
4d5d4dfa786a1dfd92d7f3429a06ab0ebf56d46d

SHA256
916c5d107640cba62bcad4ffa566b6ef724266669bcd54ff56fe71abffaf2bfe

SHA512
21d20138729e12a7cdff750d8e3d729f8af3a2d04fa5baa37f03161cceaf425e5208b48d87b6c07068eb775a6f94a04ae72562cb8280443df3c80277a2185017

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkUs.exe

Filesize
5.8MB

MD5
0342b6e39e4021900db7daab36fa34cd

SHA1
52e1410eb3cd69b55cd6dd695e47b9ff26dfb069

SHA256
a6a6afae0bd99f0dc26c2bc465d69713321fb072d4c85cadc92cdbaae3e2d06d

SHA512
e2ed1a81dc0ada41cf46e2e599579d82df2a68b69dac8f6d7b76cd961280b401c8d306616aa38e28b403b9a223a026302717acb4d8cad3586c525d54751ba093

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoQg.exe

Filesize
113KB

MD5
e47f32fefb02789129a7a4d5bb570c9e

SHA1
4dd42abd2ce4c7d79ecb47ff360de69ecfa88f2f

SHA256
63aac1bf0185691ab4ef8dbe346549e6ca4f654e29485bc32ef580d81e5b0293

SHA512
b9029c8ced93a03809061c40020e7bca81c79eb70be3f853f9c035469a0867adbfd021cfbd4f6cdd11cbb150e3ac3bb52e12f9a606c304b72ed4b2b917d06d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\SooM.exe

Filesize
139KB

MD5
400d074217d8f13b981842c2259245df

SHA1
cd81180a5e01b232bf27e990abb71edee240e624

SHA256
984eda990f7e7276e7dc35a2751cb58ef084e1601c10adcea49bbbb8286d9918

SHA512
b73ccd1b6740868ab262ba495e42974f697fa74a1174cc45d1571ed5525f7404aadb1d5595883686f551feabc4dc64ac678e54ef7d8ecf71cc739106191aedd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsMy.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sski.exe

Filesize
111KB

MD5
aaece3de7b673b7dd4bb1bc0b95ee766

SHA1
47e738456a0cf34474404f08562aa88225412e82

SHA256
6468989210cc78e19e2110bc896b4cd4182b74cd030ac8e32632374b2898f0a8

SHA512
64c416c7c6cf0e6d7a7ac45edbc428d1b5219e0e43740cac5087c3169097f42a5657b260a087d45f470cd1de3c2045f9d7648ff803d27539e322c8624440c284

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEUY.exe

Filesize
112KB

MD5
3cf7f13a2e658173bcee978222f397ec

SHA1
eeb66befb8be8a0e4e03b4549768ad587ff854ce

SHA256
75ce6578533110e751f6c160b23c4111198d53c45dff581cc5ca5e1f9db6d863

SHA512
938e8f82534eac9a1599e2cecd3d39ca343e452092aa273ff7124cb41d28bbbedae76918c33caa1693b58aec11f3136192fe886791e1557b37f43702b319fa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEsS.exe

Filesize
114KB

MD5
22efabf10e016dd19f8e09e512f3fb0e

SHA1
0d4a75f36d59cc98f5435fcd3ee333fd84bd6c27

SHA256
07aed1a70c5116ba58e8931c74a0905d0575f1bea7d2bd5350ea8f930bf69449

SHA512
d75e9c6cf7dc9e61a93ba0086e364e985a58541124e9ac47f18483bb116d9de6291319e163e502ead7b604fb7e4872c649da755cbfde5cd5479837c1089284a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYsk.exe

Filesize
110KB

MD5
1e668d1fa2aa9036d8a827c7537e342a

SHA1
954ee58baa7017f982596e92d485f2562a85d200

SHA256
362c231f578937f76085162ecc0ba1f023b25bd0c2590cbddec9c28c760e2400

SHA512
5c81d3328bcb17f3f895c285bec104da5793ea791a0b29de82bcb8858dacd8fc5ad6b2c9f435b13dfa579d49db2c319bebc2d99cc96f619f4cf254241756c17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkMm.exe

Filesize
111KB

MD5
0830ac4b0553529d80f82865d018d994

SHA1
f48286f4f7e34656affc750dfecb21fbeb3f2a34

SHA256
96870dfc01a6000d212cc9ff9c1c9c70ee8f283afc034ab797292cf7e71efc60

SHA512
82ca25ebb998ddcc15c8d36232be83924d98f412d5e9f116e53ba3288fa12ee12825a2c2583d3934e0f76d87275f74293ea97933cb5c46ab25b336c0fca591c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAks.exe

Filesize
111KB

MD5
ecc5329458dcb6ac387e342de1a6d087

SHA1
6785f0cc6de04c55c4ae4e60c345aee989e5e26b

SHA256
6d63d9f0c4528f583e41f99c72c3f0d73d580bf5393e3f2cb6e027ac6947c8ca

SHA512
715c45513e812c9cf8453bbf3b08c7263cab30ccb4c29ab0e709dcb32f0d79c033c466d49c129e7b72fcc480740c0bb6ef66412770a2263af0db4f6f78d7a412

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEoi.exe

Filesize
565KB

MD5
0a0d38ae1092eb50bc137c4f131173d6

SHA1
cf38273822dfd5b00a3931f31bd9ab7421abce79

SHA256
e41a82a6128683c8fc54eb75188bc6225ee3b0f6ac27a79e6fa5dee45079c3ad

SHA512
5bf8cf5486dcb4557489d62ffb1b372d20d494c6d871e6a734f1d7c62d394152f4330471ea20e2c531cc1edef318b6809edc701f207b2cfb4bec8c1ca10dc377

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIQQ.exe

Filesize
111KB

MD5
ab0492a54e6ee75a4106dca973d4af4e

SHA1
9798cd0840c576b98d5b3eaf73341e541eb4f272

SHA256
f76120c21209fe72098f21d978b20605be62cea4a92a786a22a7fdd8f8cb0dec

SHA512
16e515cd70af50570fc1504565caa61b3527bcf337baaa36f14825adb909b3859a52e428ce6028b8320a88e39b9cdffe8d5bd0b1d8da4cce2b8e87349198c869

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycww.exe

Filesize
5.8MB

MD5
c04223049cb2cd1e4ef8796aba99472b

SHA1
aee2c810fd08cecf35b07bf0e270410468c764a5

SHA256
18627ce584fc0e7a54109abd404e40d0e0363e81d2f4e1af7ca336d14849193c

SHA512
466d3bfaad8d8097e7f079702e0f8d3c5f6ce0054125fc361268914bfb1c957cec00ce404965fcda7b4550e24dd99bea99a7ac58c5da23c88c0c6300d0cb407d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkMQ.exe

Filesize
111KB

MD5
c221bdb4529963d723185e14f3feb9dc

SHA1
3dfc4c8e469446289d71743ccfb521ea83c6468d

SHA256
ad405a6c98e8be8e1ae23be95401cf2eef2e80ba23061ece65bfd498bec1b4d1

SHA512
83e5d833434bb87c8e564aa2e34a885e8255462e7fac05ee393af27272a0349f50f2d77a00ac182472064cb3e78aa539433047e9b0cd871c4374c79710fe068f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEUC.exe

Filesize
113KB

MD5
13b337f64ab607feb23bdb9649bed8db

SHA1
05ba0b3fea225364cf1a065ee864a3992ef5a8d6

SHA256
59b12346c069d528209a88697c29b44bc47703caec067ecf9fdfa76068c5a0cc

SHA512
365ae99854284a7cf0c6f971ae388dab0a062b6cea2eae3974b6120a01c5e72df6c4db6dbcd317872e572a6116c075911d982c64c31e1896a968912142e43339

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUIo.exe

Filesize
113KB

MD5
aee32262a2e9187426170ab0ec40f228

SHA1
bd67603f8cb8fdaeb1ff8ec89114464e80b2420a

SHA256
91739b6c15fa16deb29b83f3be1f5b37cc9f5628288b80bce5c3accd53440eb0

SHA512
0adab7fed6044297c4f011cd34eb1483edae4e7ef0593e2aa2d164c6d5c0fd67c889a8209a571592adb490c22e80019b6b3ea00a188f08f6b02f4aa3a5697c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\agAW.exe

Filesize
744KB

MD5
43b5ca9a4b04c14e6f3a5f1308875125

SHA1
e4dfbe6b6923099313fc34904c453da56b13e15c

SHA256
9ed2f8d9af6a793876f114c16fce31511be7282134aa91a813cc6fdea5eac4cc

SHA512
cc20dc77fadcb4a80b2217beef2111407badbd40eda46312c55d459a2b65a173c4500f62bbbf4c34c97815ee6c61789266710811f6fe773e5e5b89523eb0050a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYEG.exe

Filesize
5.8MB

MD5
417ed9eb1fbcfd4c5036007c946e1225

SHA1
b1c8f9c42bd659c0db9e992af7b60e028adab636

SHA256
b2bfd707226f7ae8c5115e6522d42304966bfa3f67ef1d1015d8deb5d570e8c2

SHA512
c5056dc813ce3fc07858d1b9016b4cfea9fa0fc41d663822b00870dc63b392d7f5c28ef90d7c1d770956057626fe85bf27773428b79dd3cc461983984e78414d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cccA.exe

Filesize
820KB

MD5
9acfa7e5970a53af9311c92567f4b486

SHA1
ddaaec32e5f869440565350da2d63486cd51beba

SHA256
4cfe58321a3b13360321e721c717ec498ac9256ca1fc0a1621a6b5cd977aabb1

SHA512
8980a3e7085969f50583bd6ee3cfa758cf00c0eccbb52f5b90ba34384bbe3ab21280430d4857947aee3928e8ca069e2462c541b3a5e200aa75c3d69a98912272

Download Submit
C:\Users\Admin\AppData\Local\Temp\cggC.exe

Filesize
113KB

MD5
297cd15a2114ec21614d55314ba6694c

SHA1
ad2fe4afdf787e413e9a4c587c26a5c9536662d3

SHA256
99d898c8796c4f1a8fa7e4f1c1dc7a18850d4a6597dde05438d936c58fee671d

SHA512
7fbc02ff3348a52fbfe741a6b64ab0be70436cecfb3892d2a5f93a763d1707604637bcc6df30908bfa2580db75050e7347c95e05551906acf307d538244ac92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cswY.exe

Filesize
120KB

MD5
197cdfdb22af063e730e8c60e08079ba

SHA1
421ddadf74ecdd02e24b435d33e0ad74df889504

SHA256
f799eb584bbb87bf5ba56f8687caafa9c912b0e75e45decf5dfaddc9b6ef973d

SHA512
79d3d92ab38e0e62cc4e71d477c8924ebfae8a9d701940155ee1e1ac7d333c609ae7fe87a38569749af71a2b1a70d6bfec5b096b08b91250b2279befcf3eb05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAMg.exe

Filesize
5.8MB

MD5
707783584daf9b4780e7ed8c61304d53

SHA1
25b02459d5d02a29aace9f4196da2bfd8ed7b9a1

SHA256
8571bef22288f511d5c9c6f7f0e001a85281498237f66ff1fc37d23bf31319e2

SHA512
c5ff29a7546b56ce8e4cbde49ec770e350b0bb5c1f7e008b6b385566b1ff9c8c2107267ac3894e36f0a049c1e1617895a4f626e1acca5362d79529ed48f8741f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEcS.exe

Filesize
743KB

MD5
87545e59bd9e0a597fc66d29ee8da8d3

SHA1
9a9336c409964479ae4697a4325817676db60382

SHA256
7457ec50d1908a5eab2873098c911a92d91e58ad3a70654b63b96615f0e6b03c

SHA512
6047829ebf7a39382aff8b30e0b2412f54bcc570ffb4c3e5cc46c03b0ed0fa4dfbe42ab7946e77a5d204b0f3e6daf26fe5860b6a4172ee089ef2a25e1c16d994

Download Submit
C:\Users\Admin\AppData\Local\Temp\egYU.exe

Filesize
697KB

MD5
c68da566460f98f179791ff1cc94f13b

SHA1
c2c3940237a68bad14c71198dfe3bb93ce4474a4

SHA256
688098e229d7bc135839f0031f772c6ea3a2c20e4b0ccf54289718d8fadd5dfb

SHA512
a4972f80f806a32e5c04f70a357a7959c954ae19721fd51f3bc1a06b0ef15300ef7168651fcd0d1857d0895b3f8910bccd713aa842740b7ab1ebc6ba455351fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekws.exe

Filesize
597KB

MD5
c507c0495b499bcd72b7c505eb6912e4

SHA1
1f5938f2bc310992438eb2726b698c8876e55288

SHA256
73bd5036ac7ed2ba3a521b00e2b68312f07f7c2ca30a336c64f2a0d2df30fc50

SHA512
d9a7380b475733bade361cc39a8db64b164e4415a749d442e5ae92617fa6ed86cf9999ff8ac7d759aa3f0d15f11c3bd699ce7f0ae8c49cc78d7ed6ea6b3ecc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEMw.exe

Filesize
109KB

MD5
83ce10a55ac414e3c3dcea4207567d45

SHA1
b95280d78c9ff2058fa29531ef0e7298d627b54e

SHA256
a9cd2c2ff0ede0362475ea40983b8c99396e2f131a0afdb5efbb4fff4ec3a587

SHA512
85e0e46042f98db4f4d02dfab4f855000843578c89ada653396ffaa5f94d4b1263ffdf9ba3a3c66893a28e5a0908bcdd56dc1321956c2d8d13fd3502ed300902

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIEi.exe

Filesize
117KB

MD5
d51149ab1f5e6afa5d1e4eb120128bb2

SHA1
daf4bee363bbcd1e943f29d0c3ac53517e9d33c4

SHA256
6516bdb46ec3de874c9f9ac94f727d1a148e9b125a7194ffddf105323fa2f3fb

SHA512
88737c24f31910217595b6f77e01339e653723e86c44adfd5b03b98a39be490139ead8dc5310a70aaef9c6e11ef72450544ec06aa9af36fc4586fa070dac629e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkkG.exe

Filesize
112KB

MD5
652624aedd7fc440ffe1f1729b48882a

SHA1
509252bf8cfffcc7425bc1f19f376200584a0d7a

SHA256
d04e464f142b8e2a10d86b3a716fe2ee70fb4d6f1cd8b9528fef5e43120897b9

SHA512
49974eda0dd964573391de15347b240f0fdf32029b3f96f56a0d4d4b1118b7fa8bd40cf09cc5eb0309c80ce142cd5c9623e0f14ccd8f13a27a9061d276477ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIQq.exe

Filesize
149KB

MD5
63822bda81aae297541a738a129c104b

SHA1
f0bca62bfcc53fec04286dc9b1e0d3ed20de771a

SHA256
14c3f02dd832efdff225cd3f2e1d945580490c03963cab8978e7545c73301b5d

SHA512
c010139722952b7ac5d1ce9b23e7a03b566ec3b44bb3600e8f63b83a0b0967a4b3ab0cc584f1c243c4b3c60c4ebe03db7b2791f678a42d231df3c5dd5285f110

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIYS.exe

Filesize
121KB

MD5
01a5f479734c774c04c17bcbe550d254

SHA1
ae58704b62be6587db260a59130a3f09da2413ac

SHA256
48cdc7817c5a8494d7cc1c73cfef0353ddd2fbf029a06fc471291bda3e9e85d1

SHA512
4e5ff498e06394a21a37aae5c18ba3a0d0d95e3b55b582b64a5965487ed750af17823cc63dcabc149563f0fa00ee341e8a64d017c0a7b0cfac329c3b93f663e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIcK.exe

Filesize
1.4MB

MD5
b2874a044b55adad8e183d6b61729640

SHA1
aec30406656db57dc37e29333fd9f3794dcb9493

SHA256
26e3beb4e5bbd3eed1e89749325c08edeaf2118093e2f9b2524f3823597e7bff

SHA512
5d7607014378b58bc9359c8029bf1095b7bec71b7fa80e5e107a206405d226d0f4602c069a298fdebf8a07cd4d106a4ed1d2f9a9ce0b8be229edf4086b11e86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQEI.exe

Filesize
110KB

MD5
49f4e4cca45f8450d0354325328a74c1

SHA1
5b9a5d73dc6469083eed8a34eb13d4633834f20f

SHA256
d9638941190f8159ae196adc457cd7fe3ba9b7d358858314b01371d0836bb8c3

SHA512
e693af540e91e6ae4a336db55af653520ecb5556ba03ff034fd36bbd5b4d7e19670713306c216f2f22bea0e6562219e17ef628a9c42da625849a7c0e4d1fc448

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQkq.exe

Filesize
565KB

MD5
da2ba01926b45c617a3439882a3f647f

SHA1
6fe85934a6e5331bbde969d750d854ff7e6f960a

SHA256
f3a240f3a43e1b48289918a4bb4257c23fbbf5da13c5dfa9c90a202460935d0f

SHA512
52ebeea980c9971434a8d3afe26cf1a9ebd2fba3c24e0195c9b9c82cf35c95787b8b1e47077f9bcda8fbd0d23add3d6c9921db9fd45b8474a91802be25b75f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\icEy.exe

Filesize
139KB

MD5
0b80cea6382e79b4995922db2fc94e60

SHA1
9846fbf214974852a2d8ff55947b54fa1cf5d1bc

SHA256
82978e4cbf8b7035877f788d668bb15160263580ff163556cc52bcbaafd15765

SHA512
d6d06ad58721169f4381c225de8ea2868e02a0a029eae11c8f26869e0b18c452f216903a326ecd6335e933a34138a3e49f80ebce4a9df7f8d0ebefb77720f5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\igQU.exe

Filesize
950KB

MD5
fef3edde50e583ef70e408060d4695ba

SHA1
450e5886ceb46fd8e2d904be333f542c541c002e

SHA256
579ed1b71ac59399508bf301a86f4022d68a66752ffd6469fa20770bb94f9e26

SHA512
6165386b9bb9fdd5300b3eb7dbb39e265c040145cd9415ec1a84d5425540aee38642b0e0e253621e526852139a8bfeb622f5b7823d1f3a30dc1d713dc27c88a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\isAi.exe

Filesize
153KB

MD5
0b7bee79700843d3d5a927a4a8127e9e

SHA1
7b60fa13eb20d53b5de3a7b3286241265658f792

SHA256
dc67db1794f2fb87e16fdcee5e50c1768f0d6bf600aaf31fe4ab449c2b554335

SHA512
beadb534bcc6dba50ae7c903f00cd0db6df5a10e2ef12c6140e8a97f87f7113c0fc3943a580a6ed1583729a6605d75e362d570041d17f18e8f73f7613d6e5b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\isci.exe

Filesize
117KB

MD5
cedfb0ef4617ce2f77ec6fa1f9a9d4b3

SHA1
44aa17ee33ab2faf051bd13671f77af038596550

SHA256
56e6a1e7e8f6d7583eb7c837ad5cc8c0957dd0f6ea52ed25de10c0eb8e9a0afa

SHA512
52e69f52a620844d05889680f8c99860e65b0d855308d01f7e007581fbb7e3b974eff8f19b5666a22062e151f7a81f50cfe9f66b9dc3edbde0872876a35bb319

Download Submit
C:\Users\Admin\AppData\Local\Temp\iskI.exe

Filesize
113KB

MD5
d55033b61be1d2d23fff052745e81f87

SHA1
b996b8898241fe548dc3be43853c10e435be16ce

SHA256
d285ebc36718db253bbbad97fe1bb4f5f8abbff1226617b32aba54ae8515c944

SHA512
2e181b9729de1801598230ec0c4752461030fc34080ed37ea56cb54b888e1709c0d2a9c1110116ce7b172d0fa7c450c3a7ee540157569f91834dda2582355ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEEa.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQEW.exe

Filesize
110KB

MD5
c4cf0460cd42b6cd05d0b42b2b1f64c3

SHA1
9f183f6964b7531d2aba24b5d905aa84642cdb81

SHA256
d6cba4460628389cd243176bf51531287767c6d00b4f81816206d9424f4b99a0

SHA512
01c8f07a2bd77413ee710d912d30b48050209fb790e7da18c155afac59119822f3e42f87de256992c02a7cc4b36efe55b0031096412e2ff2f9aac2bcd2b7db6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUQI.exe

Filesize
111KB

MD5
b39b31c4518c7d59175d3a8a4b2e6ebd

SHA1
c9e16585f7babc992c336ec6fb9bf24b4bd5ecd9

SHA256
e699f189fb26fa812a6b44f051f3a3806e57b24e6c724b688846c190eacfddd3

SHA512
05005bd159795c048b796d8ddf04f6f29f0824cafe867400b0140581def77f4b1eac877e75ee62991062e53a0a39592459b9893db03a37110ad2a01c612926df

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUQQ.exe

Filesize
112KB

MD5
01e804b4f78d72a73042ccb43a1b7a2a

SHA1
b73c5480d3eb4314f18902e27d32b371ee5d80a7

SHA256
174611a3e7a335567479dfbdbfca9a31ac3a8d16d6aea870e77e237a86aa398e

SHA512
14aefbe30c3b63b55b8f4cd0e9bcc17b325b8ca56f4ae72fa1d5180bfce235ed64db29703f6784785990e0f393b4d10223fe76536e0fd4a09a2f33440d38820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYUS.exe

Filesize
112KB

MD5
d0cc86b45e2e5d1bbf99ca982f9434ee

SHA1
3cab3c523dc2725e66dfc4e0951f4d107d11ca1c

SHA256
541c3dd18e7b01765b791d4b84a011c4edf14f3abd0a028f43dc14d6734ce61f

SHA512
640c0cb869531ed77151831222f79fef7262fe9e91c3be80aa252a999dd52aac12b3db3b8ba7fa7cf0f796342ac21d21605268988b46fde038ffe091ddac2e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kksa.exe

Filesize
113KB

MD5
1c6d212c3bc2c6e965208951f20f0715

SHA1
b6702f9f711bc58634ffaa2e674c649a691d9095

SHA256
77568d502d64e9f3ac80b374b7c3f5126d845254fc86589ef081c1925e24a3c9

SHA512
3c8a492d688fb52c175768ee59aa95a269c8d1cfd450a51f3405598aff99d0eec37722bcc62d3d830d9180ee4f24ef3bc0df4053efd18bee7029e5b798017591

Download Submit
C:\Users\Admin\AppData\Local\Temp\kssS.exe

Filesize
348KB

MD5
4e47042f76ed050caafc4a165cb09abf

SHA1
4bfd4ea73eaa8b4d6d265b4ecafdd4d3a81d68c5

SHA256
fbce5584dc6e064609609104bd8e90371e9587917e1fc946055069531dca6a7e

SHA512
f7b9121218d72c8fc3d412bccc4c142d2c7c09dde27432f9b07419bd4341d0ffe843086363f3f4b0fb87b3d874a102ec2393fc071c718e6cda0f559fae3a9d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwIo.exe

Filesize
390KB

MD5
8a75f63575413b6c6daeb72bef35674f

SHA1
29f876e93f532a0544d721dfa94e65760898ebbd

SHA256
53e0bed5e96009d3da4e6c25790db1d985cb0aa1384a45dbef23e4786eef44fd

SHA512
5fa6e3d0de6761083a65c372d1f508b45fb0b29684fc11a9b5dc8504f132f7d6ae821d7088709d4d8c14e47af00f63d51467a580e82f37e3fd85b0b59d3fec5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEwy.exe

Filesize
117KB

MD5
92b20076c09ce49e6278a94d7fb18dfa

SHA1
21720c0530495fcd320a1093aec1866bd92c07f6

SHA256
ede38f9dff3e0d8a037532ca01bc95239833909194a37b23657e68b5e465202a

SHA512
41d87fd1fed0258477e0302c270064e6c4b769a6193e68f389ad92f5f396407c4a52915c831933411e003c3561ce630293fcfbe87d0a71d243aa927c4984d9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMIC.exe

Filesize
115KB

MD5
95eaac35db1d4d25928a9605c818e2a8

SHA1
83a35b1194912e47bbf7c8ed9c5eb9e3c834d51e

SHA256
72f1f7a4546cb56c1ba60a161b55f4b7bade670baad221e489da8ec028f28f05

SHA512
03d2d5587ece6c7ec96f0b750ef31c97a3a3b58c5f5beb83d879ae96efc591582ca411552a00152f4d91e00c927c79890e426f62d4c2a3addc6c2e3f99bf88e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYQK.exe

Filesize
112KB

MD5
fd8e68eb309f5b611fc667986db5a610

SHA1
a204ed20b94a8fe8ae88b6a95e90814f8ae4fdeb

SHA256
836e14bebd9984105c1ce45c6cd538d6e04381553b4071ecf7514a0e53bf7d40

SHA512
975f4414ddec23a6d3b71c884ebc81b0aec428022f9227f61224e2b5580f74b412a9d586b819bab95ddd97dfc02265d941e041b62a84f09c6ca062a5318e230e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mckC.exe

Filesize
427KB

MD5
da1db259bb3be7083637b9486fa94829

SHA1
c60b25a0c19bfe27f1e7979e02efaf7ad30f1aa7

SHA256
922a537a2e97c5ac08d57a07a936dcb7c6f97847093e8f372f2601566d5554c8

SHA512
cc20c3d76bb395830928275e42c3fed88cd98599bb57d18dc07225424e473dc91ea7b1576c956099882b017bdba975456b83007530a3a81589751b2ad9ef45c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcoK.exe

Filesize
114KB

MD5
aea13a64e5e1f0b0093cda081abfab80

SHA1
413b093a700012a1d5c497c2c6de369fcd072036

SHA256
50a3211180a727117db371f4ac154dc16816be0de83d12ae9e571403960ddd54

SHA512
395882d209031115a738ac77df4fcc692c1be11376048abc9cda34cdf8810a1dbbdb1950c2bc7839ba90a199c006d1124695ea1b3c2130cd4c32e9445044601d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAAU.exe

Filesize
137KB

MD5
d257884141df064d55eeb723db97b551

SHA1
291f611fda1e1e7da95f8ef54bff4915a929b8fd

SHA256
ebdd91d42a83c54ba549dd118985b4b64d81530a8ea494512d1f2cef61fcf501

SHA512
6a34c11e37b253663b499a779e4abb3bcf98052cb4058385caa519b555730f2242cd4934d5c617b86d264d707ed878c9788199db50991daf61bf5c9fb29d5d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYcm.exe

Filesize
113KB

MD5
8c26e508fafe1015902285992731bb56

SHA1
e186d91e54f8f68e2a587c06036588e8d4d4ebdd

SHA256
0a3eb8669e706dda97a173d5ce152d29786866f9c4b787af475281c4606c24de

SHA512
874748478e33954c39d7fcbb73116e417a278ec5d24e5ba0a984634c6a69a8699ac4d5922484bfed2d5945ed60fdf03c3b7a6d4af7d12a5fdf13b4bc54b414e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\owcw.exe

Filesize
111KB

MD5
543386ea1a22fb393eddaf8affd61696

SHA1
d8a86fe7da9270d192e39bfab08ef4af03b6d7db

SHA256
040e8e3514a00bfae0e816d52d6dd914f100c2c041118144d4db4194da819802

SHA512
2ea3006de898a5c5c72fefda804730527b6d3fb6bff0536efa909933e8a6527dbb5a7cd908d6b2f761f13a7fe968b819f60801912e376abf198670cbd92d6325

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAMk.exe

Filesize
119KB

MD5
1163b9bab45d1e7c8642073ff91464a3

SHA1
94403854bc865c0730bc86b2c93310399e571657

SHA256
3377c42840d2c8642b0ec4f9e4b3cfc54b5dabeaa6b88f83ffeb1b697f5875f7

SHA512
ecd64eac21c543a5ec294dfc381eec84618c68afc2177925a97aaaaa39a61ca01f9948ab69871623af5b661a0d5ec62c558fbdd36c6ef454c9e96941d478c927

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMAK.exe

Filesize
137KB

MD5
991e2a5a73281da2daff357addee35e6

SHA1
78d04c295d18b58280de796803e033c6621f8422

SHA256
e4f463dfa8eabced1c89d9430b4c6045ce7243cfb8e78b4d60e1408056e0cf01

SHA512
00394be76f2871c13851aa9c9d90c931d2750090ec4c6b0d58cb7890b8f25f41c7fb76aa34dbadfcf9e9c571d672aa1286ceeccc0dd3d41170b20b3c63ff1c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMcO.exe

Filesize
722KB

MD5
0f2f673d0ceb9aea9266075b0a399ef3

SHA1
7d829f69138a44fbafd4abb9c91b65ae4383b62f

SHA256
ab762ecde9c31f4bce8eeaa71797f2d55a27c459efc96fbf8930ffe0a32dcc2d

SHA512
edb57d1956b611a384e547857ff614721feebbe87a87db677a32df82af748880d1239defbc162e531d57a5a93e3d541597ec68c92895a2629de95ee93cc8b1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsII.exe

Filesize
118KB

MD5
ebf3a45eeb60f5401d52357f37062914

SHA1
27eb74fdd0b278040c276f058e0ee1a26117ae68

SHA256
5597e63cee10c558d56722d5420bf560bb42509070ec63945cb15ddd1f6e6ccc

SHA512
06eedde88ee9db148d1469804328a29c8edef20bb9c86827fbe998a4a1ad09178aee7ad9c5ec8120c1b2cc2f20f53358707d9bace45f90e9f5a8fa3ea9317167

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwIo.exe

Filesize
112KB

MD5
19eeb13b23df5498e1dd5268aab2d1d5

SHA1
2b07ca7c69f1149a0969f6155a572caeb17fa8f5

SHA256
26775da1e445e12387a83009a52b997d5640a0518541f79dcce213266f6d53c6

SHA512
4a3105ce5df22a6bd2c8bd9f3ae5b19514e9a265c7d2f659f81eff615b02b5ccfbbfbe68e167ae6be449d57b95881828c1f46e22c819808583537b5befb82714

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIwk.exe

Filesize
153KB

MD5
c6a9e9f971bd8c1b7631a42404bed3b1

SHA1
7dd9412f48eefb15351d6084bbea81d127ed5cc0

SHA256
da02f1b92106f2f1db620bd0ac9175c2149b7416878eb06638ebc3d1d0406e8f

SHA512
3453aceb72e4444dc5dca24533ffe5cf59297443deccd20d915383b9587a89ebdcc8a12ccc1df45c9b5441f54ad4c4e8df5fcd35f13d9ff94ae9e0bf6f990534

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQgk.exe

Filesize
237KB

MD5
31a3e72a576301473eb42a535cefc273

SHA1
6dba8dbfdd6c5ec4942d12afa9c37132329b5cab

SHA256
880bd7647130a6109f4b824363b88af140c3e67a5adb242ab6b2bdb675243971

SHA512
f26d6831a46d3811dae777ae56efe5661ab3cbdb2fc4a92c9f5d9fc430004875b5bb26ccd3eb34a0f5f64e494dc6d4a195b6aaf82f25b23680186e313eefa648

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYIi.exe

Filesize
112KB

MD5
40d10a315ab5209f4b9f1f1a471de967

SHA1
ce8bff9d90f0ff44635ee91d105f724cc6ea6ff2

SHA256
f4e87c147651a037e6b922a55285ca95e466572c7d868147adf923b7ea57d1e6

SHA512
e89a44149386872d1db1a70ca08f236dd7afbdd42a1dba4de5c73e4cfb436de31332cd43d5df666d6c7e4193e2d2ef68a39847aee1fdfca8d31c3165ddc210b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYwM.exe

Filesize
116KB

MD5
2b2f703b787e5293599318b52407cbd5

SHA1
0e5e3abbb8527abd673edc6fb7297331c918101c

SHA256
dba420aaf805f2f02c197ca0127b9810e4894e7ac357ed324b6293ccc0316e0a

SHA512
fb47ebfb12f3aa1e3659d81db2182a1bb48388f4dd54695392ab0cf40dc56535cfdecdb64ca7f961580e8bfe5ac502da34e29d705743e4415cc14602b5667580

Download Submit
C:\Users\Admin\AppData\Local\Temp\soIc.exe

Filesize
485KB

MD5
d89da66ddd5ff93de79643d7b4cdfac0

SHA1
eafc782f7b6edc311d69638e27ce433682eab303

SHA256
c2501ea22ae2918268fc02d07396e6ecb5411cfcb2ce25aedca7c9f234d488b9

SHA512
89a42371d837e2d85eaca6db3e294336402e32681c1753e6cca6b4c6c6e9fa43bca4e9b0fb51324740560416d98e8dda7719b68e09aba680129909b67cc5e1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukMk.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIce.exe

Filesize
116KB

MD5
85be23a0520a8b9182ef25d7ee411b52

SHA1
ebbf8297df02661aea52c3764f7769c1aec3865d

SHA256
bb1cce47dbb8e9034cd4b57158d14b08f301ccbed34f67e0a48d74fcbfdbad6d

SHA512
9baf3c5c8424dea14b96126ddef9ce21f6e4a41f0267059f8385d5531f761b0fb32a7e2da14f51095013814b159b1de02a05005bf5e0beff8d678d8ced45e41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQIW.exe

Filesize
110KB

MD5
6b4ee5efea77744152fce9cd0a3094c9

SHA1
84a6e0e1e5ede2bca21a9337ec2bf8ec915d4924

SHA256
d0588dcaab608925d0242a5a6c65fe6166f084fc4553fc4bf64716fd923767db

SHA512
ddb6c6f8371b535233e9f6a51eae5ce20f2d932b6e0ccd3864781fa41191184c2315633c7d6cea7be70762773aefa2b17df1cab3f28c33bb61a44203d206c87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcoS.exe

Filesize
117KB

MD5
1f9b1dad40dfc0497a2b100d634434d8

SHA1
eb83856a92fbec8c40a9e5b29ef5a447e60570a1

SHA256
efb0b1b9c3b8cbe7060ced5c794d4ed1150b1c3e9f1784c4dc864280bba6b0be

SHA512
c889ae0a1bd4efdf33ff355280c1ac07903b2402e0985693130008e76ac1242e72f0aa3eb5e5309d0018d71a6442b73aebb598fcae15f3323590c3865761df56

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgQY.exe

Filesize
126KB

MD5
84f4d4255bf01cf91fd71fcff00fc4b9

SHA1
a062a4abd27fe0f58f638565fe3a66d412520ffb

SHA256
4efa81f0be366df228ba976ab3f06a76200f52b0f1140f8a0f335e7f67ed97ba

SHA512
9942d4e91805adf6a7cbc8131833e74d16ac5b8d9c835ae6b184a054e254ecb6bdc7e2e54c5e047793fed456d992b576a6f75e1638861e95d528ed18f08e3566

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUEW.exe

Filesize
5.8MB

MD5
c9ff994687e94142633523d2951dfdb8

SHA1
66f5e11cfa0f20f351741bb7ec971602b5863e8e

SHA256
5ddc64d5a420567542bd9393d7e45e4a1b0736f950b30a3f83196b273ba3974e

SHA512
63de73ce2934dc8b040b24ed29eb19d5274e92835776cedbd95d83f06718dca6ebb61f56db0202fd129b2aec77bd3e3dcb85a48cfefe109d30b1c3c2cfdf4461

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycIc.exe

Filesize
112KB

MD5
a0578b4896087f7555a3f9d55da95c5c

SHA1
289407d42eb330b3102e149ad042b2ef3d8d3861

SHA256
9a93f076e1f7011c7cfe67860ae67bfd56b8db40837d644c5402a15a618c51a0

SHA512
5240b4dc1368c94c4705ee841a2cbe4fc99d539f1da4754d193c28f462341dfeedd7b46c42639848edd58cf49f81870a6d76464ccbf911119a1a406d6847c6a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yogI.exe

Filesize
566KB

MD5
0745898c486c6517f4bad2cb55ed5901

SHA1
4edcbe3f6fe76929741d2801128f897099f6727e

SHA256
d54b396031c68758aa97f5ef259e7321357e23bf42f91cf96eac5cbdc926623c

SHA512
1ff7848b6b9066a67f881c1962b61f34fc72b4daefcbe00e90d52467ea4a847c08883ed037d8a1334f7fd357ffd36224d9613ca3edb29afb66bef2a0e054167e

Download Submit
C:\Users\Admin\xeYUcMEs\mgEoQkMM.exe

Filesize
109KB

MD5
044c65559c29912d5e7adca8daefda49

SHA1
b1d61298ae64f5b210abef9b6e14d33af59864ff

SHA256
f7c07d3340e27780132b2454ceb63300ddd40b6b37cecee976b840f95c58d57e

SHA512
1b336f5695ea6ed4dc6c192881b59c243c65855c4845198e1d7fc055ca963dd90cf4003c18693fba096eecd283f0575bd389a246891cc576a65f1fdcdbc389fe

Download Submit
memory/220-328-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/220-341-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/364-542-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/392-170-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/448-40-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/448-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/544-292-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/544-305-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/588-402-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/588-394-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/636-420-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/636-319-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/636-332-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/636-407-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/804-137-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/860-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/860-266-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/952-508-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/952-495-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/976-310-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/976-323-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1132-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1272-125-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1272-110-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1488-439-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1488-446-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1652-366-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1712-538-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1816-226-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1816-241-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1828-504-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1828-517-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1924-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1924-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1944-455-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2040-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2040-56-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2260-350-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2260-337-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2348-481-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2756-460-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2756-472-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2824-178-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2824-194-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2852-275-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2852-287-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2932-533-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3364-428-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3364-419-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3472-91-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3472-75-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3536-375-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3536-368-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3580-477-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3580-490-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3604-393-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3604-385-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3628-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3628-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3756-346-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3756-358-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3816-302-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3816-314-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3976-182-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3984-79-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4100-159-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4164-296-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4164-202-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4164-218-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4172-114-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4260-486-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4260-499-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4356-252-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4360-429-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4360-437-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4396-136-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4396-148-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4408-411-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4444-384-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4444-464-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4444-377-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4444-451-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4468-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4488-27-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4488-44-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4700-525-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4700-513-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4776-87-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4776-102-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4884-258-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4884-270-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4912-206-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4912-190-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4976-230-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4976-214-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4988-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download