806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
Size

183KB
MD5

c6c73ec11db876aa3c2b826196bc9524
SHA1

c5b616f173d5d3ff793714a805ff7a8270f7e2eb
SHA256

806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
SHA512

1e8894bfb62be706252612fda888461d96eb44613a6a39240e8a6dd3f36bd0a651bb139842223406f34847f2d68206e4f2076e892bc8180127753cd9325866b5
SSDEEP

3072:agxh1ZbwOFXe6i++++m0QH6HpLLKxZTql+OTx+VRSf6+mzNzVullbGiE:aUu6KQHm4T9hVwhWhuHai

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EQoEQggg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	EQoEQggg.exe

Executes dropped EXE 2 IoCs

Processes:

EQoEQggg.exeRYkAsQQM.exe

pid process

3940 EQoEQggg.exe
720 RYkAsQQM.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exeEQoEQggg.exeRYkAsQQM.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EQoEQggg.exe = "C:\\Users\\Admin\\IgcQgMYI\\EQoEQggg.exe"	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RYkAsQQM.exe = "C:\\ProgramData\\bQMwkYAU\\RYkAsQQM.exe"	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EQoEQggg.exe = "C:\\Users\\Admin\\IgcQgMYI\\EQoEQggg.exe"	EQoEQggg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RYkAsQQM.exe = "C:\\ProgramData\\bQMwkYAU\\RYkAsQQM.exe"	RYkAsQQM.exe

Drops file in System32 directory 2 IoCs

Processes:

EQoEQggg.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	EQoEQggg.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	EQoEQggg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2972	reg.exe
4276	reg.exe
4940	reg.exe
4988	reg.exe
2368
1012	reg.exe
644	reg.exe
4472	reg.exe
3576
4960
1352	reg.exe
3488	reg.exe
3220	reg.exe
3620	reg.exe
1192	reg.exe
4588	reg.exe
4940	reg.exe
2728	reg.exe
3840	reg.exe
2368	reg.exe
1808
1948
2144
4940	reg.exe
616	reg.exe
2936	reg.exe
2340	reg.exe
2216	reg.exe
832
4272	reg.exe
1940	reg.exe
2212	reg.exe
3264
4988
4592	reg.exe
2344	reg.exe
4340	reg.exe
1808	reg.exe
4704	reg.exe
3196	reg.exe
984	reg.exe
4836	reg.exe
1264	reg.exe
2280	reg.exe
5028	reg.exe
680	reg.exe
4976
1188
2932	reg.exe
4996	reg.exe
364
2520	reg.exe
1124	reg.exe
2812	reg.exe
4616	reg.exe
4980	reg.exe
5100	reg.exe
1872	reg.exe
3408	reg.exe
2260	reg.exe
3152	reg.exe
432	reg.exe
4508
3580	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe

pid	process
3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4880	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4880	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4880	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4880	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
1928	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
1928	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
1928	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
1928	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
3896	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
3896	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
3896	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
3896	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
1552	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
1552	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
1552	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
1552	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
2520	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
2520	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
2520	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
2520	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
5016	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
5016	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
5016	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
5016	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4344	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4344	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4344	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4344	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
1640	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
1640	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
1640	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
1640	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
2016	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
2016	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
2016	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
2016	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4424	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4424	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4424	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
4424	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
3988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
3988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
3988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
3988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
5068	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
5068	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
5068	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
5068	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
5100	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
5100	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
5100	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
5100	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EQoEQggg.exe

pid process

3940 EQoEQggg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

EQoEQggg.exe

pid	process
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe
3940	EQoEQggg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.execmd.execmd.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.execmd.execmd.exe806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.execmd.exe

description	pid	process	target process
PID 3112 wrote to memory of 3940	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	EQoEQggg.exe
PID 3112 wrote to memory of 3940	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	EQoEQggg.exe
PID 3112 wrote to memory of 3940	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	EQoEQggg.exe
PID 3112 wrote to memory of 720	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	RYkAsQQM.exe
PID 3112 wrote to memory of 720	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	RYkAsQQM.exe
PID 3112 wrote to memory of 720	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	RYkAsQQM.exe
PID 3112 wrote to memory of 2820	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe
PID 3112 wrote to memory of 2820	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe
PID 3112 wrote to memory of 2820	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe
PID 2820 wrote to memory of 4624	2820	cmd.exe	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
PID 2820 wrote to memory of 4624	2820	cmd.exe	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
PID 2820 wrote to memory of 4624	2820	cmd.exe	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
PID 3112 wrote to memory of 4340	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 3112 wrote to memory of 4340	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 3112 wrote to memory of 4340	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 3112 wrote to memory of 1124	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 3112 wrote to memory of 1124	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 3112 wrote to memory of 1124	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 3112 wrote to memory of 792	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 3112 wrote to memory of 792	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 3112 wrote to memory of 792	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 3112 wrote to memory of 3668	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe
PID 3112 wrote to memory of 3668	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe
PID 3112 wrote to memory of 3668	3112	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe
PID 3668 wrote to memory of 4356	3668	cmd.exe	cscript.exe
PID 3668 wrote to memory of 4356	3668	cmd.exe	cscript.exe
PID 3668 wrote to memory of 4356	3668	cmd.exe	cscript.exe
PID 4624 wrote to memory of 4984	4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe
PID 4624 wrote to memory of 4984	4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe
PID 4624 wrote to memory of 4984	4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe
PID 4984 wrote to memory of 4988	4984	cmd.exe	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
PID 4984 wrote to memory of 4988	4984	cmd.exe	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
PID 4984 wrote to memory of 4988	4984	cmd.exe	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
PID 4624 wrote to memory of 3268	4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4624 wrote to memory of 3268	4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4624 wrote to memory of 3268	4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4624 wrote to memory of 1940	4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4624 wrote to memory of 1940	4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4624 wrote to memory of 1940	4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4624 wrote to memory of 3028	4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4624 wrote to memory of 3028	4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4624 wrote to memory of 3028	4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4624 wrote to memory of 2296	4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe
PID 4624 wrote to memory of 2296	4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe
PID 4624 wrote to memory of 2296	4624	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe
PID 2296 wrote to memory of 2148	2296	cmd.exe	cscript.exe
PID 2296 wrote to memory of 2148	2296	cmd.exe	cscript.exe
PID 2296 wrote to memory of 2148	2296	cmd.exe	cscript.exe
PID 4988 wrote to memory of 224	4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe
PID 4988 wrote to memory of 224	4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe
PID 4988 wrote to memory of 224	4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe
PID 224 wrote to memory of 4880	224	cmd.exe	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
PID 224 wrote to memory of 4880	224	cmd.exe	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
PID 224 wrote to memory of 4880	224	cmd.exe	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
PID 4988 wrote to memory of 820	4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4988 wrote to memory of 820	4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4988 wrote to memory of 820	4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4988 wrote to memory of 1352	4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4988 wrote to memory of 1352	4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4988 wrote to memory of 1352	4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4988 wrote to memory of 932	4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4988 wrote to memory of 932	4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4988 wrote to memory of 932	4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	reg.exe
PID 4988 wrote to memory of 4100	4988	806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
"C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3112

C:\Users\Admin\IgcQgMYI\EQoEQggg.exe
"C:\Users\Admin\IgcQgMYI\EQoEQggg.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3940

C:\ProgramData\bQMwkYAU\RYkAsQQM.exe
"C:\ProgramData\bQMwkYAU\RYkAsQQM.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
2⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
4⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
6⤵
- Suspicious use of WriteProcessMemory
PID:224

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
8⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
10⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
12⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
14⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
16⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
18⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
20⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
22⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
24⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
26⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
28⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
30⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
32⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
33⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
34⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
35⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
36⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
37⤵
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
38⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
39⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
40⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
41⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
42⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
43⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
44⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
45⤵
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
46⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
47⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
48⤵
PID:3816

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
49⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
50⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
51⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
52⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
53⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
54⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
55⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
56⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
57⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
58⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
59⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
60⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
61⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
62⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
63⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
64⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
65⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
66⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
67⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
68⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
69⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
70⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
71⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
72⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
73⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
74⤵
PID:2184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
75⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
76⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
77⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
78⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
79⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
80⤵
PID:3252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
81⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
82⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
83⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
84⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
85⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
86⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
87⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
88⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
89⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
90⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
91⤵
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
92⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
93⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
94⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
95⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
96⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
97⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
98⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
99⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
100⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
101⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
102⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
103⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
104⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
105⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
106⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
107⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
108⤵
PID:2696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
109⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
110⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
111⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
112⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
113⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
114⤵
PID:4372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
115⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
116⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
117⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
118⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
119⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
120⤵
PID:4720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
121⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
122⤵
PID:1020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
123⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
124⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
125⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
126⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
127⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
128⤵
PID:4236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
129⤵
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
130⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
131⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
132⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
133⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
134⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
135⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
136⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
137⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
138⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
139⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
140⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
141⤵
PID:668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
142⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
143⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
144⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
145⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
146⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
147⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
148⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
149⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
150⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
151⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
152⤵
PID:616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
153⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
154⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
155⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
156⤵
PID:2340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
157⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
158⤵
PID:3840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
159⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
160⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
161⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
162⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
163⤵
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
164⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
165⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
166⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
167⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
168⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
169⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
170⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
171⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
172⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
173⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
174⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
175⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
176⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
177⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
178⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
179⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
180⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
181⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
182⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
183⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
184⤵
PID:4340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
185⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
186⤵
PID:4520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
187⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
188⤵
PID:3196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
189⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
190⤵
PID:1540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
191⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
192⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
193⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
194⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
195⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
196⤵
PID:2388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
197⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
198⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
199⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
200⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
201⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
202⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
203⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
204⤵
PID:3396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
205⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
206⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
207⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
208⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
209⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
210⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
211⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
212⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
213⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
214⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
215⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
216⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
217⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
218⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
219⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
220⤵
PID:548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
221⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
222⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
223⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
224⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
225⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
226⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
227⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
228⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
229⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
230⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
231⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
232⤵
PID:2768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
233⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
234⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
235⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
236⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
237⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
238⤵
PID:1020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
239⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
240⤵
PID:3504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
241⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
242⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
243⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
244⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
245⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
246⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
247⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
248⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
249⤵
PID:3080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
250⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
251⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
252⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
253⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
254⤵
PID:1220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
255⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
256⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
257⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
258⤵
PID:2176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
259⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
259⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a"
260⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
261⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
- Modifies registry key
PID:432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGgIYkEo.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
260⤵
PID:4464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
PID:3892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
259⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
- Modifies registry key
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkoggMcw.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
258⤵
PID:1188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
PID:2384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
257⤵
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgAYkUMo.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
256⤵
PID:4236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
257⤵
PID:616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
- Modifies visibility of file extensions in Explorer
PID:4704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
- Modifies registry key
PID:680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
- UAC bypass
PID:4372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seAwEIIU.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
254⤵
PID:2368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:3160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuwMIEQo.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
252⤵
PID:1552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
- Modifies registry key
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- UAC bypass
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSUkwwkI.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
250⤵
PID:3952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
- Modifies visibility of file extensions in Explorer
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:4872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- Modifies registry key
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEAUwAUw.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
248⤵
PID:2472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:4368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:3740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEIckMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
246⤵
PID:2972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwIAUgEQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
244⤵
PID:2208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POwEYAQg.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
242⤵
PID:2192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:1584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
- Modifies registry key
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqYQQAsk.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
240⤵
PID:4156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:2352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwgQUYEI.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
238⤵
PID:3264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
- Modifies registry key
PID:3196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- UAC bypass
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUgAMMMY.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
236⤵
PID:4400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:1744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:4220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmswEsMk.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
234⤵
PID:868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:4980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies registry key
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:4364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGsMokso.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
232⤵
PID:3324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies visibility of file extensions in Explorer
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
- Modifies registry key
PID:3580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:3448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsUIwUYM.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
230⤵
PID:1188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:4324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
PID:2988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIYYMcUo.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
228⤵
PID:1948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
- Modifies registry key
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAocAcMA.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
226⤵
PID:3408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:1264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEgcoIwg.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
224⤵
PID:2788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
- Modifies visibility of file extensions in Explorer
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:3112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tscUkAgY.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
222⤵
PID:2848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies visibility of file extensions in Explorer
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
- Modifies registry key
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmIwQEQY.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
220⤵
PID:2876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:2524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIwIUgAY.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
218⤵
PID:1264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOgIUsYA.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
216⤵
PID:3324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:1124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:1580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:3900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmgkkYkc.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
214⤵
PID:2960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:4140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nugUAkwU.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
212⤵
PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKooIAAI.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
210⤵
PID:2308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIEwAccY.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
208⤵
PID:4364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcoIooEI.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
206⤵
PID:1536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwgEMYUw.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
204⤵
PID:3448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:4368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rysYQEQE.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
202⤵
PID:3628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:4244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMMcYYYQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
200⤵
PID:4880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
PID:4720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:4388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:3160

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bakQMEgM.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
198⤵
PID:904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:1644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWMAgkQw.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
196⤵
PID:832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:2028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuckcsUw.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
194⤵
PID:2524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies registry key
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWIAsQYc.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
192⤵
PID:868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:2848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:4572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYYUYokk.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
190⤵
PID:4824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
- Modifies registry key
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAwwQwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
188⤵
PID:960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raYsgEcU.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
186⤵
PID:2308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
- Modifies registry key
PID:2932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:3892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQMgAMsE.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
184⤵
PID:2500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies registry key
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:1116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcAsEgsw.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
182⤵
PID:4552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:3324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:3260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:3772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEoAMEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
180⤵
PID:2864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYIckMgY.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
178⤵
PID:2288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:1104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsMUAIEc.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
176⤵
PID:1220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIwkUEwg.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
174⤵
PID:3152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- Modifies registry key
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyQAYMME.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
172⤵
PID:1192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:1228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAwQQkIk.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
170⤵
PID:464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
- Modifies registry key
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:4488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOoQkoQw.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
168⤵
PID:4820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
- Modifies registry key
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuoIMUoY.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
166⤵
PID:3028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYcssUkE.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
164⤵
PID:376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:4312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUYwsYEk.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
162⤵
PID:2604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:3576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:2280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMIgAwYM.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
160⤵
PID:1020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XygkoIgA.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
158⤵
PID:2500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:3816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmwcEcoY.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
156⤵
PID:4488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaQwUEIU.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
154⤵
PID:4332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:4312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amsQwQME.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
152⤵
PID:4872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:4976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuEYYsws.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
150⤵
PID:3628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSccIAww.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
148⤵
PID:3900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:3124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKQkUMwY.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
146⤵
PID:2864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:3816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- Modifies registry key
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYUwIsIU.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
144⤵
PID:2192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- Modifies registry key
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zwYQwYws.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
142⤵
PID:1640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:4156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:4572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGUcIAsc.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
140⤵
PID:4640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- Modifies registry key
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUYUwsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
138⤵
PID:2764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIokIQgM.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
136⤵
PID:3436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:5048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYcYcgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
134⤵
PID:2880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAAAccgo.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
132⤵
PID:2212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:4400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiMMIUAg.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
130⤵
PID:2436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWoAUMEI.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
128⤵
PID:3436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmQUEQwk.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
126⤵
PID:1064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:4276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUEIsIoU.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
124⤵
PID:5008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- Modifies registry key
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYwUkMkg.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
122⤵
PID:1948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- Modifies registry key
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asYsowAQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
120⤵
PID:644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:3900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUsgEQwo.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
118⤵
PID:752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:2208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUwoIkEs.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
116⤵
PID:4364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- Modifies registry key
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmQcIIcM.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
114⤵
PID:2184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:2384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMgQYccI.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
112⤵
PID:1020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
- Modifies registry key
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:4488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSEskIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
110⤵
PID:3608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:4808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oawoIEEk.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
108⤵
PID:4340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies registry key
PID:1012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYsMskgo.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
106⤵
PID:4768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:3284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doQosMEI.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
104⤵
PID:3192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:3772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAswAUwU.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
102⤵
PID:1540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:1080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- Modifies registry key
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEwokgIc.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
100⤵
PID:4984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
- Modifies registry key
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcQsowIA.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
98⤵
PID:4448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:2344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:5040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:1640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYEIcMck.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
96⤵
PID:2936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAgQMYgQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
94⤵
PID:1276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:4508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgUQAwok.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
92⤵
PID:2116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:5012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:3284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkMAYIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
90⤵
PID:4372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmIooUEs.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
88⤵
PID:1220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
- Modifies registry key
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cyYcUckg.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
86⤵
PID:444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiEIUcEs.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
84⤵
PID:4244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:2288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
- Modifies registry key
PID:4276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- Modifies registry key
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymAMowQY.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
82⤵
PID:232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWgkcYEE.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
80⤵
PID:4808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:4624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
- Modifies registry key
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGcMYMEs.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
78⤵
PID:4016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:2528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWQoUUsE.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
76⤵
PID:2192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies registry key
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYUMocsU.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
74⤵
PID:1464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:1188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
- Modifies registry key
PID:1940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOgEwQsM.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
72⤵
PID:2712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:4704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
- Modifies registry key
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEQAoYgk.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
70⤵
PID:4880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:2072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- Modifies registry key
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSEowcAY.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
68⤵
PID:2368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaowUkcM.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
66⤵
PID:4100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:2972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
- Modifies registry key
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKwkAUAI.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
64⤵
PID:4708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:3876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwIEUgog.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
62⤵
PID:3016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:3080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEwwYEsI.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
60⤵
PID:1276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAwYEYAo.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
58⤵
PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqUckcIw.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
56⤵
PID:1800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NikUIoYg.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
54⤵
PID:2604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiUwIYos.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
52⤵
PID:4984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:3576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAUcIIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
50⤵
PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:3112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuQkkAUc.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
48⤵
PID:3192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies registry key
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoQUcUsk.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
46⤵
PID:3956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:4588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGsQwcok.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
44⤵
PID:2936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:3608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMIkIUwk.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
42⤵
PID:832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:4760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies registry key
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wioAIgUE.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
40⤵
PID:2992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMksAwws.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
38⤵
PID:1616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
- Modifies registry key
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwMYYcko.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
36⤵
PID:3052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
- Modifies registry key
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAkMwsUM.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
34⤵
PID:4352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies registry key
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- Modifies registry key
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUAssgMo.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
32⤵
PID:3152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqkoAEAk.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
30⤵
PID:4508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiMQwkgw.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
28⤵
PID:2976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:3900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMsgoMAY.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
26⤵
PID:616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soMYgMsI.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
24⤵
PID:4760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:5080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:4264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqYIQkMY.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
22⤵
PID:2296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogckkksk.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
20⤵
PID:1420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okwIQEYA.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
18⤵
PID:4048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMIsYsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
16⤵
PID:880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkEYsYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
14⤵
PID:1948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymYssYgg.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
12⤵
PID:1232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siYMYcgM.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
10⤵
PID:3252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWAgUssQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
8⤵
PID:5072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMwUgEAo.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
6⤵
PID:4100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:3268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEEAkwcg.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyMUAoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4356

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 7f042104afef1d503a25cd004f9c6874 yiEwTCqFDE+fFfw/U+k7Gw.0.1.0.0.0
1⤵
PID:4388

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4708

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3956

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
318KB

MD5
6f234663d520f800cd5480ebea29f84b

SHA1
dd6ca5c9ced97408d53cbdcc64f3493109cfd1d9

SHA256
97de7f778b0958c30c7570219b5d0590ef0734d82c8c36ee1e395d0d6310e501

SHA512
f8350fc79874ed1b8c459834299cf20855a385ee40571b87f3c8e6566c859173c01782da504e2eb75cc65fe803c5594ca1da8102cad2feedf2456d13e9bc595c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
322KB

MD5
3b82f9e10f82094cfe7e695687f31e1e

SHA1
050a5d30425eee1a960e323902692d4f02ca604d

SHA256
caba8677484e59d1d96b483de5a090bdcffa06da849f234e9635cb504d08b106

SHA512
8dc94a2404fd996060e3e17f58f2483d5b8322a90193b97936ed77ae11f3ff42cef9b2f18cb22b3822dc6b6ed4fdaa96184f30fda60c1d786b3053b3e35612a2

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
222KB

MD5
cf10bb4ae91e808898ca2c3461b77f4e

SHA1
69c6ff4bef48086bf11f9580cfffc274517e6026

SHA256
d8507865e47c9e5fdd309dedd57f04c001e8c044b9796af4129a0c398bcbea42

SHA512
06f7de140829b3aa88c75a0d0326e005a866b2db6dcc775a6e37f42190d6976a5ce842975cdbcdf7d4236c79b77b42c6c2434531991df02ecb0173ebaed57727

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe
Filesize
189KB

MD5
4e41026e4171fcc98144af242390c34d

SHA1
187aead594967d9b36825645d42c067b07e83321

SHA256
7c0c9b70e57a7945065d285464ff2cc2404b55e8f63434275566ae4cec18d39a

SHA512
dfcf920c4b395cd5db4cb3810e920599bdbbc2debb34a7a63e052e2afac03b54d1146edb1ef283bd5880b1fb8daaecb4098db7f65a17f232e15dc1fec914d8cf

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe
Filesize
777KB

MD5
eaac3323c5fb7ebafcbb59c9646ccebf

SHA1
08650d5ae5951a4699da2c7bfcbe6cf1811b323a

SHA256
09de8518801118f440bd2ef194ad2d00c458ca1627f543c045e268a927624187

SHA512
dcd7b6484e3642d16b3c3debd055e5672fc955244509e0e7257234a460d6f8a5f84f1de0092ea982de47e3266e7cd5282a48e864663164302ecb67d1bcb08801

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
Filesize
814KB

MD5
8a35b708598c838f653bec5a3a644030

SHA1
4b16808f77fea3b5f5d518a151a78f04c48a95a1

SHA256
6c16238b02b73d4cf6ce9c43fd4a59c488e1bd0c6f0bbb917ecd205b4eced304

SHA512
550a654996232037a683ced6ba57f753b33cce380d091ed75dc39e5effa591c2a0f8b56b94c4812cfd621a90819b7066cc1d1ff1698141fbcc442a6eaa89b78d

Download Submit
C:\ProgramData\bQMwkYAU\RYkAsQQM.exe
Filesize
197KB

MD5
d635e4148fa0b5cb3003b5c442f74d8e

SHA1
0326ad34aefc51195d69d01ad27cc3bc49382f2a

SHA256
913c3c41ee7194732f235466f0f5ff0f06e2f224cb3045c557fb53990f6e9bb3

SHA512
790d888ec3e26b6e26e808fae51232930a9d1ac664947e4fa74816a0c28a442445dff52046c06b61b091f94701d923b722e388e12b0ba1c5bf324b3be463c7c6

Download Submit
C:\ProgramData\bQMwkYAU\RYkAsQQM.inf
Filesize
4B

MD5
6bce8aa709746194dd59a8c1c38557e5

SHA1
612b91f72ccb4574dd303b79c25f824a9823c178

SHA256
4718a3b0455bba20cc6ef4dd07d2691d914adc36a31efbdc85cfd1be89ff30ae

SHA512
207310904f2d1797e92c7568b2c343e1e21d7d1be689f80a87c410f43052544a6fd8a64423e58d52d6310d83704341388a86395eb8e03d41d3b950aa38af3cc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe
Filesize
201KB

MD5
1bbb1021ea6d78e7bae59828eedd0841

SHA1
a28dd103a477df160013c03c0ee2cc0841d6de8f

SHA256
68069510a4368ce3622fd73062696e7580dfd59a5c8722000dabd79ad107bc0e

SHA512
a0eb02e6b10bc42f30150138b3fca8bd4aacbaf011edd33fd097af9d9e32aa9f2244da1be2aa8938ffc29b5afeb00eb7e75f1990d82979cc06d2e0c903b51531

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe
Filesize
182KB

MD5
d2eadd8fb682c6208428b5fe687e4c7a

SHA1
a4daf8d1c272d73103f946901a0df86e8117641b

SHA256
35ae84ce6509f12fff2d532bdb47d9c43c1c06752999895d8382cc283efc2eda

SHA512
95e30fabb4767a8deacefc2cd2f1613e5400ad105fb239a655a6256a6eb0fdc04a460eb682a28baceb1f3d1c6602cf9ccea840d7f583d7f8fea149af6f97f39e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe
Filesize
198KB

MD5
dbf1061f3b43f3dd1c48b64fc12929c1

SHA1
e9ebe77a358a7c90c594ec134d21758c3f3fc32c

SHA256
41683006a32d00f737d4c6356030c414e84a8b50e41d31dc8a3ce7f2d5ab8807

SHA512
664e360bf6e37948fd6799ce1f23caf2add6edbfa2faabe88637ebabfd2c2ab8f2049486fdbfb5c2829e1f6773d56d76fb1d647fc122cf39dc571607c2a21c70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe
Filesize
191KB

MD5
295e5e6814a681a6674069330eec5eda

SHA1
cc14c6b87828ef37cab1176b996776f6f11347d2

SHA256
c5c5880080022b1e37dc7d2342a598ffee1b0c3dde60dcd87aa6e5f34fd68198

SHA512
7d1c95c876ef8e552f1d764f3bcf5c71fffd8eba17dc58355ca6365c9e06f1838328804c664712b5c39c2e43488ec53fff00b588942f8fe6108b1ba3a70bdf0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe
Filesize
207KB

MD5
81a2c84d07514b2bd42433c5cbb9a340

SHA1
70d56867bb826c3a0275dbb9525feb245ba60726

SHA256
13d5aca6162f01f3af1903a8da48db17cc3cbeab22b753e6a4e8e2be0de35fab

SHA512
8d68b3cab6d1f6e9477ac3d6551138db6cff008cae9f84fdd6eec14a9852853a6e03a8c0e21cf56ef7c572af6f6dc55512affe831a4b8709a9dfb3ef0a606086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe
Filesize
188KB

MD5
b197c97499e4bad80bcffd2b960bffc7

SHA1
652dcb1b10c1365077afbfb01a01f6a7a65d5b76

SHA256
eddf82f732a3417fb11f28bc04ca4d313dd8e606b1bffd7fa5a1c8c2281da246

SHA512
173df65b0c8fab9a5a10bdaa3de443dd6a86c46a0a98881852e7f026247305ad0599c32cbaf0d89c2d08ad29ffd602c1b6a646fa57d8ae3e7f643720865defcf

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe
Filesize
199KB

MD5
bc4967861db0dcf83a46b5ed8e6c7551

SHA1
9678caaa5b6415e6d20cb1fb45366fa3e0b2517c

SHA256
0ad9f266e08e7e965004e94334b6f344aab560057a0fe6a837b53338b623719f

SHA512
fddb8d5ef64b96199a94e571969727970d9f9e6bae92e3e7740916b10cfc6a7b095d48b2e7c1d65a41cc65ec9c481fdf07c40a28b19d0cb706bd1e23cceaac29

Download Submit
C:\Users\Admin\AppData\Local\Temp\806d9dd57f18d94706bb21dfcabf3c168994696b4853da2955b73b4f00cd406a
Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEwm.exe
Filesize
202KB

MD5
2b40948180a7dd34693c36a60a72f3da

SHA1
45fa4930106eb1320116e1ceae5c2c5f807807d9

SHA256
9bea26b6f97e30384875352a61f9ba4c939c2a5a82e11629aa2139d63c3fd390

SHA512
592a035d1fbba51a9cf2998ab50df05bdf011dc50499e184569e675c7f49b68164614387886509f8010db87f13390f5f749c25e7f2d3f2f407f1fc50d5334e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQws.exe
Filesize
457KB

MD5
b47faeb9a2d01aa7dd120c3bf294b5df

SHA1
af392ff3f2cfff022d9203f36b6b683e047bc026

SHA256
b348c6e83c8dce7d83fb2a96276a1f1f0ec8707621d91728fef5a1c8fb9cd10c

SHA512
61724f6ce294d030e4ed81ebde20e6cb00617e39e3e83c8733ab97006922a8235b7812cf4096e1ea5cbb62da8336f1ea582aa5a7b1be4326aaf02b86de0b978e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AokG.exe
Filesize
228KB

MD5
f16c8407aeb3b38c42b2f5753e619ca9

SHA1
35db75e36aa3295815c5c62eb202845f16cb08a2

SHA256
26ba4ba5e0da79a97a87b26f6c9df8f17436ebd6967fc7abed1ebd747a04555f

SHA512
e9c1d206c58fae0fbcb70b63f75a93622efc9af704b8164514fbe1949cc072e3e184b04517efdd7c7b3563cb786b421dc74292c79aaad3e392de55c930880a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsAO.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEUi.exe
Filesize
1.3MB

MD5
4442f9e307f42ac375d3e6db6d8d8861

SHA1
8620280deed6efd207e771f35b933d7796faf55c

SHA256
c169c066708bcf610a3c101f95c9226fe52ee23513b62de1c1677a96d227b03f

SHA512
c1a5b6f5233b58c8f9714efb9ca7eedb769e124768f23ec62bd0d223f36dcaf240be50efc608c7078b46e568aa937366dfca63d14da814df4176791054548fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkYM.exe
Filesize
801KB

MD5
a0080975ec261ae6d0032e4fd0c7b74e

SHA1
143584d88c0c22825cf32b7e101dca9405df90e0

SHA256
589a928afb62ef577586a31cc596208aa06ed3836aca20ce467f6c2e4a3a2227

SHA512
d2493e7132aa3fdecfa9fa516b6a9dd2dbcfc640fe1b01a060d8457aad4c4bfc79656bcec5b1c26c9df98b913af397f0c5112870c2972088ad8949c23d33af5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwMK.exe
Filesize
804KB

MD5
5430294b3945682596f73e41f598b487

SHA1
4562e4d50a8306476293378f4e2a323ef035e7f8

SHA256
6bd075f6a4a3fcca120d2b55be60be6fc0ecb001acc732b1d0bee9921008e54a

SHA512
eff4b9fbb99a245a9156ed506d7dd8073bb6fdc633332bd0d066fccb5b62edde24077b98c221cbff01ef3a2927cc0162eb6910c9437e1ae8c4224e4b4f203c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQQC.exe
Filesize
191KB

MD5
09cc8d277da36032de568857dc82b812

SHA1
5c128d5865f8cd985808a7d5a09f169b2c9b94ea

SHA256
8d2d5329f56a44ddeb31c03e1c6845a1a82f16fa452a7e25e247e07f2292587d

SHA512
7da85512b6d4f1e8f4e114831a3b69bbf9a0b394ea6f7a1f64db5595e62c67239f9ed002fd74f593607617768b5871c55315c19401d126636ab2611bd4eb81d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcIq.exe
Filesize
191KB

MD5
7d462d6d4d71335c0ddeb2bd9c7e714e

SHA1
917be6760f060658fbd536222e5c582e9092d60f

SHA256
2cb8e8c6c4257d731464510816211114eaeae3e44fa3ab0b56e9090fb73e7d8a

SHA512
5f25b2650dd92a4507af88444760acc0b4897811a7bb5cd01f43f9972a3f87951d08f16de7366e561660c5bf9f7a5e2e78a21da623bb149a2fad1c5f96316ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAYk.exe
Filesize
559KB

MD5
a7e5334b4fedb2f266c1f4a63ad2d06c

SHA1
a0205f98fe381bad9ad8ae5bea1af33fcf78b4e7

SHA256
460a993dedcc2a0d56c52157eef4cc8da68bd1b8a7aa5e5872ae3336ef1bc082

SHA512
1c9b8104a979e73bc64e97749d0871214307429d995766f1dd8c372dbcd8bd0d6d9e6e4f217307c0aa64f06ed1b8e7a62269e8aa1dda763be27da65f36496194

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAcI.exe
Filesize
207KB

MD5
58d2074546215fd813601029811a9c3b

SHA1
49bdca513c3500a82b257258b619f5de60d42a55

SHA256
86504b607b687827053717026682dfc6a5daf1adfdb53ae916ff26e7106f282f

SHA512
33d15ddc938561f4d7c84e1c0ac1bd390ef2310b6668c7b67f3a17f2dbb2757463edad6915a68cd40a0e4103ad27854573d36a12e4b3ce681c2c8c01310c37e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEYw.exe
Filesize
197KB

MD5
daf2eaa8849566c6fee623a3e0a77b29

SHA1
011718b86d89a863c2e2cc92add2bd3e4ba68477

SHA256
3ecadcd8655ec81e3ff17fad271ea0a38c73fd5e8088f82c2590348f54712c25

SHA512
a67d87a0aed1293dec95dea828afbdf10aaf9d735f6171aec5979a7688c4b2b71cced285d5d5a6f2844d4be3da566232ae9623091f67c0ed6249a6e61c4f09ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\HoAS.exe
Filesize
201KB

MD5
00013d51f6e47b39ad73ee33757f0f30

SHA1
f7f5e8cef49eb4f7a4b7e18ef9caea8c89bd31bd

SHA256
b272243b3c59462c5dc394db4929319667de6d85cb44ee010b56029c59db07b9

SHA512
79bbde719144d594aa92988df42a23a72ece5abe7aab0e57bd8b49c5588a5cdd95dabbf120b9d5312e5b22a864424f005d4464a830a71390e0badc1885f19f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgAI.exe
Filesize
180KB

MD5
2ed8b2005c3a1f5ddab8f849d71a867b

SHA1
e04685fa0735bad41768de3e89533cb49eb61b3a

SHA256
0d39ebb2c7400874adb2a6855230674f19ba23d34a9ca2edd56d043b40b77e7f

SHA512
ed722f173bd24d710e1b8b1429a777779cb52712aaf7e5bf78be6ca312386f5a20fa1a1ae1a9635ce457431c97c95ed81642f208e6bbb44c58d3768a5cc0c724

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoIS.exe
Filesize
200KB

MD5
56003bf61e52c95bb110aaf215b229ed

SHA1
cff7226b6e38d778782286762509cd312db904b9

SHA256
9efac1042b9f85cac6186aad61d8938e7965619dc6e412ac2bcd0dff571c15ee

SHA512
a327c234fd91d4a3eee23de4563ba7cb2ba31329380aa5b513dab30cc193e0666006fb082443f1001527a8b0a529e7b0adaa0537c6b6749cb93e87d2c8ab9669

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQse.exe
Filesize
185KB

MD5
35f98c16e144dff7ece6e2483b82c09e

SHA1
4b3103fd63a40f9e57f46a7f278bf09ca4cac1cb

SHA256
e7f62a07f4888960e6fd4d64ac0f825b10f8f2a300b0dee45976b2d0419edf67

SHA512
216501b36b51391b65ea2dfe91d7cbc88da020e289536623557ec487b79d06ae925d6bc79f324e06deb050a419be821e8c3dd260c58adee77f1de09ab4c3894a

Download Submit
C:\Users\Admin\AppData\Local\Temp\McYc.exe
Filesize
193KB

MD5
b09e9cf171532db016e7e1148f7a42bb

SHA1
c54e020e99523a85fcf592606aa8766010b74c53

SHA256
f88646d4260524d8aeec0c995ffd6ada1601ab9f94b66b56c0fb9a93b01d027f

SHA512
e397b0cf2d761dcc03481d8865281e4daf00a286141845035cd02141496d0247384efbc50ebc592f00223ab68ad6ae850e6aba31e8fa37debd06df87c2cc9554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkYo.exe
Filesize
1.4MB

MD5
030a9323d063cd6c5ab74fa790607fda

SHA1
492f0154bb19c14d0092bfba33808429b8181dbd

SHA256
c0520329b7129751bce9d9fcabce61e192a5f15d0bbd6fed4f5d3211142cdde2

SHA512
0b6c7327e05468981aaaf9e015b18257e64ee93b20af1f8ead7c315711f95f7abd44971586c7d15a9fda497216d57d2c7d9757da874013dd18d89c9ea7a03dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsQi.exe
Filesize
1002KB

MD5
fe2940e7625da5e971978427d5f14030

SHA1
03602caa2548c0df6c09c5f9ac509737ded31368

SHA256
16b3889a2224ba3212e465397769437778bafe77b8526bd6913d246d0431c713

SHA512
71285e13097894a2300ea18b41219283d59ce89629e1d4cac9fd5b1b3032e409ed3f33826cd9516d9c806e6c0cbd2ef48a3f73ef58e3d8dfb5363ddf9e6d7d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAom.exe
Filesize
435KB

MD5
91b25626f3cb8a79ada5fb8510adccc3

SHA1
1d90a6cca8424794509147347cf6bc5690d2d4f2

SHA256
e3da24b5ba0a425ea66ac8c4e88887338da760215ec51c6128b7cddff5da0989

SHA512
37779185cae0c9573b0f5cdf352767726bb12e05610d8de0a47cf3a00a8a4db06c65036923d5d5c15f31df0e1f6e4202e81872be3f4a3beefe5e2f40de53528c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NcwY.exe
Filesize
209KB

MD5
906ab2a0bcea7ad0652ead223ad2a2d8

SHA1
9b6159ca8e55c4f52b041a09fadab07522ceb432

SHA256
7a4cd7252af36f49e8537b4262aaf91586d120b7b9519407bb984192300c760e

SHA512
00fc6d9b34d25cb5398f9a237a9b85adc0501361025ca08e2ae048355a5e1cf2cad608467672946ba640b140f9cc5b0d0915e438fd308207f6b7f8384adbaa28

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgQW.exe
Filesize
204KB

MD5
094c7c881a971b68cfffae40c7f92ae0

SHA1
b6b6c7a676c3328389a12c991dfb069a87148706

SHA256
743fd4a7b9a335b91765ec2c79e3c5c1925040b4a1fd04969898712d9a451550

SHA512
9e922bc600072152cd4a79293ffbe62641a77bce72e18fc8f07b57f7bb132d1bdbba3d6f781af5b2e74f0c46f5d9ca287757914e267d1003896c8d951b7c589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NooG.exe
Filesize
635KB

MD5
d2d1b5a5fe42bec236e9ddeab53bcfda

SHA1
db0068c8d09b4db81a5ddadc967ea1ef95318478

SHA256
d22cb2a65c57e0d94f1d899f121e34bc41f0a1c9d0532ca87bdf626a1f70ffce

SHA512
6f5d3ef641f76e81056a851c6c5bd6410298ffd335ea344ae688b1df16aa04e860d7a5bb75440b016f24de71d6ea59826d44edbf37c6fe6fa4801b159d697c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwQO.exe
Filesize
183KB

MD5
5d0eed85099e4ed8894f0cccd8c85438

SHA1
2d3d041f041500aff6c798d01b525ccff8d26a1a

SHA256
35d105497b9496ddf4ecb57b070efb12bdef2351b1c6dd9fa10688790e7151b6

SHA512
55d6d753a99c89d56ed2e7c54f7555185313303260123fe3011c4bf96dcc44d20390fe1bd4a53f9b332a7cb1ae7d816a53e4a55978173c0b309a01a25c11e994

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcUW.exe
Filesize
194KB

MD5
622c24e483ff5ec3c7e65851f5f0d52f

SHA1
c21a1b9c30b6cf0f2f0f42fd06114aa8bfde0556

SHA256
fb6f341f1165d6bbf8ee1a21571c7d33f322fb30d6d0c5f8aed693d6f0532cef

SHA512
87a08cd8206076de0a6e0bfedc4700e4922398c92e5f91b2650dac1e6a9ada90fbc8b0ba3330d01071f2910a57aad5ad5a818ee2c5751076fba10dfdb7688e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUcQ.exe
Filesize
1.8MB

MD5
ed5adb7622dd7088ad19aca56d3909f7

SHA1
fc1fcac0a0ac2f6a4602c7924ee8023d50872a16

SHA256
8164081226b6b02bfcdd0d77e1d4e725ae767ca1c525122e37065b85654d787e

SHA512
aebeffa6de4ed8b1dde932901139b108a1ccae9c3a5a17497f1680fad4de8582340e2f0fe54306230c18a688753831c60e9c9160868c7846b2424e8573ddf2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYES.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgcK.exe
Filesize
644KB

MD5
bda8786786e9bf377be0c4710fef694d

SHA1
f22da4ac7832483ec5655e633286b75975c67d57

SHA256
c41cb113ce5ca008d7c7ac8277a4d2dd2f38ca1ffede09c5dcf558f06d4baecb

SHA512
8339e3886c9439e38b6e5112e88b1e79bd594b57e58ec0e1738318e3046c6dfd3354b5fba2c92da73f3b668dc28813f6935a71e027106ea528ed36cb41fdf225

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ssga.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMsI.exe
Filesize
222KB

MD5
8be764b73a56b172a4e4a9f62275085f

SHA1
669bc346a149daea9f3cff060802ab63516d7c9b

SHA256
0b19949a7920995f09c755d0b4849c0cf6dffc255a1cd27dd29ce18b7e2fccc6

SHA512
c0b2a453814956b139d51ffff5eb7895cfec2e892920e8081b4b5f85fa27695d99be3b0fcc7501060d94521bb39c5a3abcda59ba12d45cc65b537bfe8cc4aac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQYg.exe
Filesize
207KB

MD5
103ce07d010a0367d50ef4495bba7edc

SHA1
c7b49adff5352d7aeacfe92860f76e7c5b03370a

SHA256
6fe495f0b9d6c953b3789c000c29845ef04833f1509943a869244066539bfbcd

SHA512
deffab3d94ff39a8ae7bfb65229e019a439119bb3094289fc8a6fa00dce58d0069332cdfd27e77c8dfb778db2ef049990a399c8818bb808eff7d9ab065f2bd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uckk.exe
Filesize
1.0MB

MD5
4fdfda56e5927744309e56b8c6bc43b5

SHA1
70d76818a78707e5ebe6563ae4e4a60562847f54

SHA256
2507dc43dce24d7d196d9951edf40c2491124b1fb2356b78f4692783b1238e36

SHA512
1134249ca437232565a22177109c956ed9c299ccbb29fc9a4b9a8ef4fc336d2a91d98bb53645f1c8c428eff20c87e3514c2e1f76eccb88b4224d08fcfe415cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoQU.exe
Filesize
209KB

MD5
711ddf48f8af136412644b31e98f30aa

SHA1
a76cc68ea1fad240487b4bd8248ecbd52c5545ab

SHA256
74358f2dd8d2720bc6a4b7a97d8394374f7b4e77c6990056745ae9daa156a8c0

SHA512
e8df325276a314b4416cca55806285f4a1b113090dc6479bb090b6b8e31d0aad3c33462baffdb271c15009dc681002a7e5fe205625190b934362a27d2fb1fcdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIsC.exe
Filesize
208KB

MD5
9b9cb41dabc40060de07cfda850cfc6c

SHA1
4023f42af75fa959f359c2c21ab361c786bedeac

SHA256
71b6e67cbf18790db6e049cf6b9931fa9125bfc575af07cc92b9c3bcd3957206

SHA512
59c6988a8857af1050ca708e3ea0bd2181b69fbdea6b81aa19981366925607effd21539fe26544c035092f06b37fc22973f82df3c32ba25105ebb2de0025e752

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMke.exe
Filesize
886KB

MD5
94e9e5d116f2c3463a9fbdcac1ebf660

SHA1
f68cd81040b65c2845365e8c82dbd161152cf10a

SHA256
3c6e20db099603ebc82bec2931c04b18dc793390cd591ed1fd5baea5fa3e00da

SHA512
ae43cd09e899b1704a0d086ed6af7bfd3cbd292ec43e9e9d44fa32d235f10744c452f0e3efb3eb992c05a11a330acb40954d3f9f378a480741381d33c957e5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xowq.exe
Filesize
224KB

MD5
1db4fef180120db3bcb3bf6fd17ea989

SHA1
05c3fc94cdffc9a5684789a760b68acb26fe85cf

SHA256
15b7ef2b6ef47ef2650788fd646ce8be31b452c8df02570e233f15f7f1263e43

SHA512
e9456564c5b150d7b7ddbf4b5ee864a30a61444110e2d69039ed7df0764f8446770dbe8d8e380fa3ed29392f78c778c1b2fe08ab47dad75a173ffd9e2584dcc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEAa.exe
Filesize
189KB

MD5
0f1468a855e573523cf4bf87f64a82a8

SHA1
a6673293388228f37c8aed37ee5ea6b1607eb55d

SHA256
db49ce4331b67bd23f1e0b0ecbad79f18b072aba77cb5f3de41f627926308426

SHA512
de9c92483efc25f281c1b12ccaf0bc1a07846afcd9eac8ff1aa54d0ab23e3c03ec98d1e9a7adb866fcd07eac44c9bac6a655392fbcc0b99badd05c0e88f37fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMsw.exe
Filesize
215KB

MD5
371fa76e734fe9774e29c13024ac94c0

SHA1
3f8451a0a777bd79ddd790a31412f2f1f389815e

SHA256
89a3bff47089921176148867be8044a9c357cd7f20033049b9ed3f26c6a85b45

SHA512
4297e7fe4a1ef8ed4010882e9c52acff52e4c21eac7ef305a604c33601c17783282c87d44b5a33c9cb2c477f5559369554d294fdf6c25ad3a9b27c676a8d9619

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIME.exe
Filesize
184KB

MD5
d88a214c86ac6c08e295377e3390fd88

SHA1
82f875945ca06dfbfe0e1b03f621b1a809db2381

SHA256
17d952fe6a226ecaab298c20de28fb04bb8e63d870b7942b887f127340a080b0

SHA512
b953e6cf57501e028de585985b7dfa325d89b0f0ee3e4b4cd23dd1a2c0f214cc7da36f24304d5716dd80e9c93af79de5d46a0a702d57ecde69bf73bc9cbf6ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMoO.exe
Filesize
202KB

MD5
34f2738720ccde0605b06e8ae63b7606

SHA1
3f5e5ac81e9a83ac7f53dfe110ab6d2a2f74bebd

SHA256
50af5eb73d9ce565139b4e5896970ee54bcfd7e4965df4752c04d776b22148ed

SHA512
9894b6228a968774a8617b45eddf18bd40fb54ee2d1c8bd52094940455278bcbe388bcb5c0ab1f6d5789bd0cd28884b80bc79405dd389eb94a23a30a88dbba4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bosS.exe
Filesize
228KB

MD5
d0f8f7cec3eb0d70d04bf73705a8ff5c

SHA1
bb3c772c942156031ae44a7bdaa7d7279d29330e

SHA256
261f8399cf384fc570434b2796efb71cb57d4a1738e69402bba6c7eb76af9abc

SHA512
9bc534ba47d99c313bee2658e9cb21df3ebf1374eee862d88dcd9a924d9f4c970fec1d9c60549f699a6607b103adbb8d98f168b46ebc8b6b8bd739571e7cf76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIwE.exe
Filesize
184KB

MD5
6c77a349334be6332ccaba7922133116

SHA1
f5c005615baea4d41a450eb8230bdd01da6929c6

SHA256
b5d8a41fbafeb12de1661ecbeeb9c38115fb1b2b8c98a003143425f656437fca

SHA512
75de9fa324433b4a2f7497a8d4dc5fcbc15ce2aa9ee4d2cd4907c2ab6069bd81850f67ee8d33116750d7af42e4727e7b7fc1d961b7440cb609b4c1e7541d24af

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwQC.exe
Filesize
1.5MB

MD5
708ec27984e2d4ce41bc0140370d867f

SHA1
ab2f6a140cad85a9ce910e8348ac6beee4efa8bc

SHA256
65263eed88ba4b03b8f486a945fcbc19585ff396281d7e8b9b6018d72f7235e8

SHA512
687eba159edf50b30971d87e6d09ea73fe6fc234fb205789aefdb012dbe496eecb14e29a8b8440a2da7cb66b473360c24a1f200fde9e4a1ff82cb22090956e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUUO.exe
Filesize
808KB

MD5
f305a837fd158d1b68609e7d5b8e8d6e

SHA1
082e949227a213a6b530a456aa69ca909c23db56

SHA256
6a80f3cbdaf1786368c53425c4f5bbf2cb3415e9addcea59a6cdba1493c71268

SHA512
43761f7116f8df65b9f676f3cfe53d477fb78149c7ab54d5afefaa93bcaeb4b1440ba10c713f4ab83e5b994c12d1237fe763729149caa2cefaf18140fcfb44e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecsc.exe
Filesize
1.5MB

MD5
e29b5ec824141eec6e7a732a3ceda6fb

SHA1
eaa1f855e0bcae907f8bbce04cea84beed481c5b

SHA256
7e5d4118f1204f90b7ebf7bf3b3d4fc119e40d59c4cccc0fc74c97aae1762b01

SHA512
c62f754db3953dd999c22a99e167e70282d0eafc7e91356349617385bb2f306cd5b8fff3722834e58442fa3ed36575f3723e6057d1570fcaa247dedce8a88288

Download Submit
C:\Users\Admin\AppData\Local\Temp\esAe.exe
Filesize
192KB

MD5
5ddcf85b831171c271b5e72aadbc56fe

SHA1
02b63efc0a8a858dfb58e3c058facaf33a29d463

SHA256
f041bd94942b9ad293008b6c5f169181561fd4bc12db327685ef09de5b823f7e

SHA512
97c1bd7b6fa3d32cf23c60a055782fa7ce9a32f946b87b6674ac039f6f73a684330555f50c242e40169367cadc04cc37cd365d2ae99aad26fe973ecd838c4194

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQIQ.exe
Filesize
325KB

MD5
81426743a0391f6a889c1048a044ef40

SHA1
f8076cce1edeb6f6c0e3aae65c3550bd6eb04f63

SHA256
b8b929920e0e37adab564c9af1619a438963e9519a00be24d628000e46b47ed5

SHA512
877075525921e724c8418f51d2f851701895e3d358755f2c815c263b8da69a534a5bb5f443327366749ae5d6d3c0ac6c5c02ccf448eb50f70c25fa51dbb084c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fscw.exe
Filesize
183KB

MD5
95501dec28baf0ef2d532bdce59fa56d

SHA1
c88a6e6af6b0f668ccb9525db7e34295c4b281f4

SHA256
3e6f7b976d4815768312d643a6196d5b181fd84940541b3d415348d6e9a44b27

SHA512
e4f79b269ba8ec5e8b733d7e30ec4f11e1d44f566f9d0c5f2fe735aa1eb4d33030db33447e04b3dd684c8bffbdf42b820a1467283ff031f9f08412d35138b4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyMUAoUQ.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQYk.exe
Filesize
652KB

MD5
e7350eadbcad85f608cb0696b3487dd4

SHA1
c0e5c9fbd59014efb106396b6fe7cf963dac1bbd

SHA256
9ad850170945d7ca41c518e32c152d97982b2ec55a3e920ff46d812ceeb5de69

SHA512
06d1347d565f836a573309e6a15157e95c5f8d153b7842dcd3210cdd383177facbfd84757168a54101311a70b6aa8cefb08c52eb2778c6ebc60fb89acbf205da

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUYy.exe
Filesize
226KB

MD5
4a91523254b1b950c00591315a308445

SHA1
11c9e381b6badd3e137626adb058c52c4d870327

SHA256
99169932732efbe85b7aea3313c78d6033ee2c0de608e63c6357416124ac0acd

SHA512
3200d885e48dd6915120deb99cbcbd8a089325fe0a15dfbbc64deaeca8bd8b9adf5b2ddde83316367affb5e78566e8731ff420fd47ebe99881a6ec40d6bfc41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUEI.exe
Filesize
194KB

MD5
78da60305d343127362a95de1986387c

SHA1
d168e9dff91da6f82c46311b2a7b5caa2fdd60f8

SHA256
b09af6517e8f0ef81cf92b0541b4352622cfd725110f28532adbe04a4e026b19

SHA512
89fc54562f57cde1e14bf599241dfba87cf589696d56b49210fcc9140dfb1c759e29e39074baae060e064a69af935daba709e82ab7efffb8efba8b13f75caaf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwAE.exe
Filesize
203KB

MD5
fb270b3491c8ec7974453da189954cfb

SHA1
7e6ee233ba4587550d7585882a5edca6bdda721f

SHA256
334cbd31ac65f3e6d1d3e095e449ed3aac611d1fb18be11110e94100c3828069

SHA512
888243966074e4aadd4792976d0d0b47fd720848d72b846e265552a6bed091f3bb3ad379ab153474fbc236568e0f70c214897250d55e869a1a8c90a72a92eee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIkW.exe
Filesize
204KB

MD5
719e07424ef4a535a768875d6dcac9a6

SHA1
cc47956444b43504132a9be15f2e4682803bcf23

SHA256
38067a656219b08fc975c67777d77f738d9411b878a9fec8f9cb8c8184b96115

SHA512
6057a18dc79ddd71950a9ba9ba60e52ec90bc75b6910a611d8e99b486f5fe4d87fd9a759188bc5aca9864937434195ae7c1e0803f08fc0308cdd5d14b1f04f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQwC.exe
Filesize
724KB

MD5
a18680124341013e374256709a035da0

SHA1
e6313bc2307099ee53f273427287cb8cdab5e996

SHA256
e9339952ca81a9574fa057848c5da16d561a624c79ccc91499e45aa556ea4cc5

SHA512
28e410df2b4b117db7c4f252e8089f46e98b19e380777b8b780799a15b4ed53eddbc8000e0816dad72959257b3312eca99ae77f3e61dc6289169d0d5aef9e369

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikcY.exe
Filesize
185KB

MD5
6892dfcde0f9de821105274fb279b5c3

SHA1
e2f7915ad18b354fe9b67feecdbf38b6a14a0c81

SHA256
482b58bda608183c41f814d5b6e5b425b312bda5a9cc297a55a99acf551cbf98

SHA512
62516603cb8528a956c9ddd4394efd5403aeb92673c60e44007c383144c9ba21bc8d4e5cedf76f7ddcb920df00b6fa8164ee2ebc1e2dba71ed4d76d6cc23744a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioIm.exe
Filesize
5.9MB

MD5
674cb4eef9fa90ea3c1ce84e78068382

SHA1
e23fbe740c8efffd94dce4b51fdb2246e04f9cd3

SHA256
c8d1457da0b8a9fbeb447db37831eb9fc3720efa02a35a66c9d68b24005a3b0a

SHA512
6b854a8ad79910c4365e854e30e35c9bd3a26b3aa5722d20225c89c99bfcf5d92a8c5ac7651a2871c361c19f5571f3640c5814b00fc7b9b5617018a48dd42f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioss.exe
Filesize
203KB

MD5
2ef78fc802e5ae9b1f79e405afd82dc4

SHA1
fcce76b2a69863c86574995e5dfd23c35bad3617

SHA256
71afcbc6dec96e1664af3217174459a66f4a656edb78bf46a357ef4731388a5c

SHA512
7d8b8bb38e364ce402a8c2f35f475ab26b114d433bc1374ab31530aeaf959a5b5b846090e7df9875c95e4879834dbd6616e4338aa6a690bacb35d21c0bbb3fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYIk.exe
Filesize
205KB

MD5
32ca0090c164eca10d90fe74f9283e38

SHA1
c74ee23e8d9576961ba67cf2b5b5763948dfbd36

SHA256
189e2de514a2a5c9ed66b47596e69b232bf3797f5239e97dbbaadf83994bc09c

SHA512
c1fbf722ea052be53826cccf27e97ebedcdfb337ede85ed937f5839516cfe780bf9cfd4b77e44be55316bc5ba0ec6330d6738a766bd3201ce75318c9fc660804

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYcA.exe
Filesize
783KB

MD5
b74b4a2d085ec45ff308a4c0d59c76c1

SHA1
cbc456c4ad1b0101498526a1fd7d1d9bf9908450

SHA256
52f33007abb1fba252a9fb230a403cdc8ff33cfe133f4589d30fb3452af7cbe4

SHA512
1b34f4d7c9499db28d891ee0f788bd3041a7675f06f7eb5f02c064fb4f5d47f89ed09827212571b1827dce26bf38d948777204beed21ea696b795ad823d12c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEUk.exe
Filesize
692KB

MD5
32a466be1eae19d5a192230d518510c8

SHA1
5c1794bd92050e6a1381fb834f124b2047ae0ca6

SHA256
959bf8fad69ce28fe9f21dffca306732204782be2bd30a84607b2b0953c6c931

SHA512
9b1459f749c37e7a6939c18e70e44562ff6f8b281fc29dfd399b48706cff7d92974b73e7813124a55752e30eb07d67a10736303de4df40701934140debbe0296

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIQe.exe
Filesize
659KB

MD5
f8435d4c1c9ca96fbcd99c2e78d2eea0

SHA1
236caaf92092d81b2ec720decff51b5e94a39591

SHA256
b60ebe33b7747a59058b95d6cf231d6c3309f52306a7c6ea0800613c7e6d1ada

SHA512
352fcd3ab54e3f9f39a6a6bdfa0d891e849f42fd809495542019ddc9ae374770647e6f4e6fcd8ebc50a8c1910c11240cf5638209b8e230aa4485e4b88d339dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYca.exe
Filesize
199KB

MD5
a7479902acbec9adaf093fa44056f7cb

SHA1
8ca3fe8a66a5502384ffc386ac57f16f98d8c825

SHA256
1a734e0e85ce95f07a4e3620cfca1bb16754af6276046197b02ac32844be3365

SHA512
ef6c294d415ede96681f9a4f8e800aabb6b64bfc1475b34574db5f0e9c7b9238acaead5f6572488fbb23c8811984181c6026686b63978b8c6e2404204c939ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQgI.exe
Filesize
571KB

MD5
b402452c144a81d1e57d3d9ab29cf51b

SHA1
9f84a8679fc26822e3e51d09c435b72a55d85cd2

SHA256
6adeb2024c1c81813ec14abc306f845e491876b4decdf8d58da03ef24e3abb05

SHA512
f1cc7d18eaba9451c0b2973269ec15425e32bbad35bdcc662faf23318b7d184efab063eec19b10421af6a415b54d594287693daafda779372922b1a431a8ab79

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkIs.exe
Filesize
237KB

MD5
e2e8198751f362f7b12f66bb2c69681f

SHA1
d98f2daea10bf92578a9247931e50efb2ed9e4f2

SHA256
addbe9f8ffca1c4c803210873b09671bd58b5e015b9a7dea6f2e46c72314922f

SHA512
415211e0ad8f821b5319e87287cb3eab465943bd5e6a6567e97fb40cdef075573eff6ac13a25cea81634823947dc2b2e240e34772fdeafa4f9cfa227ea5fa232

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIII.exe
Filesize
193KB

MD5
26fd7bdfd11d501b1842388e225d54c5

SHA1
94988e75c9392b116d978a290ddb773be23ef9c3

SHA256
3b2e9de7c9ebad4881264347839d904e33caaf5d24f816c2f3c849c0fa8975d2

SHA512
a6ec1372d0ada471f71d07c142a8b35778a447a6503be211f0a96df73fee498f174fa3dc306fd215ff677f92018e3a11acca0939e9eb264b84cb172f1ef341b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcEu.exe
Filesize
209KB

MD5
25fe6a5e2f26c4e208a2eb392efa7d5f

SHA1
85800d82d54c9907054d13c3eadced96d79f3125

SHA256
2cc702fcfe940cc37a72ae0e3ac28b01f561f9482d5e86897a8371ca5612c42f

SHA512
e556ba0a4510672fbcd70d6271aa7f4a237b64345edf061980dffd8b8eaa879f7f20f030267d31938f249b561756df5bf7b5505dfe4c759629164bf43adb6cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMMM.exe
Filesize
180KB

MD5
3c703a555ad5eed80297253933292fdf

SHA1
5e6fae4383cbb61ad58a27bcaccd6a23f8a52b68

SHA256
c9fe3f57d9083939915554f1eefa460e221a9fe1a9f1e24dd45779e59a8811b1

SHA512
49215b81f60a79979c4dd2a8705585440e9ad0ed3c3ebdf3001865f825e21d50fc2690948d927e24713faa32754d4ba98af98aa36d11ae95a782e336c5fdd726

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncMI.exe
Filesize
202KB

MD5
155396f44d00de805125284f4c3acafd

SHA1
27ca926a6014f922d78f3a2af885defba043c738

SHA256
e78ce743d797c1138b29c7b709a56eba0f350f215c29222b77db301416261810

SHA512
5b4125a6661458915434e69cf43e4a586d7e7b94ea609f53781898a19a3999785d2d22d78b7db57886c458655f9621ad476f9dd419ad8c96b98a478f2e5187d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMgO.exe
Filesize
5.9MB

MD5
3b6cfb1a21975bfdb24b64ad31f1a58a

SHA1
46f880f959f6c10e372655da4ae57b734b5987f8

SHA256
2e22eea87fccd31a69373edd918acc83c710610e70f78b7e25a713f6745e3f30

SHA512
9af6268e3c4c8a242a27781a9ba76a08587d03b97f2522dd03f1b1a3c04a41d84d6b34d58d888c5237f6c706eee3f210c58ada4b1989914491192eb90b37077a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQoE.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUAY.exe
Filesize
189KB

MD5
b7ff4fbc7ddeaffd00d732fe4189a60a

SHA1
91cbc0613d3bd0a6a40f55b082b6e150efadbb22

SHA256
942c5894980825d052dbdea99e06539c17be9b8933de4804b93cb77441af3475

SHA512
7b2f991f46e317eb4137bcacc7aee0553fa662a2c1882746b4336d551ee9304c525dce56a2b5ce7c2fbed93002afb7a9f4b1a1c7815f54450b7acf1873f40ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUwm.exe
Filesize
628KB

MD5
28d4b666a1e0b88fc63bde1b40e909c3

SHA1
e84e22cee889fb736ab69149ff038aa34623cb08

SHA256
7e31b9a4f91b9c391de8ebb04237562e2de9318bac4bbba893cc7eca96aeeba0

SHA512
4e87f9536eeeeb287e813e91e496d10e79282576e7127a84e934a5482f0aa41673373c8efe1ce0853ed53ed8bdd45e2862c074d9897092689118277015e1510c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYQu.exe
Filesize
481KB

MD5
2ed98a0e7b4d0619f0fe8c5ad6c7b5ba

SHA1
535805147d666ec9429fa75fc5bd6360584a81bb

SHA256
bc7d018620c10018a2588fd470b32427daafeb532628d862b8427cdc13532d01

SHA512
5d4cb48a27acb42fa06c38b365ee252981ac4f6f4aeeb454330956acbf5f52cac1a264f3d614954462015a53adcf55e13190e6f9eb25289af0b5287593c9557c

Download Submit
C:\Users\Admin\AppData\Local\Temp\owAQ.exe
Filesize
194KB

MD5
2e822aadd600524baf15231c9dd14159

SHA1
a0bb78e76d84f95b318862011cf7732d44c20f66

SHA256
5ec5cebb2b58b671170745bfc67c7f1ac6be3b21989669386e39f106ca1284d6

SHA512
c3148768c5a31e1dcd84f8cd4aa5a1da51325f3b7e8bb14a200e513420a458a6544922e80d355a2878ec721e8966bfc3153ea1f4604ce23fd6ca75daaec56f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcUW.exe
Filesize
193KB

MD5
3307a205f446394e4fee61a7c45482dd

SHA1
5a3d94a45d5cc498313a3fde56d7d0d275d70482

SHA256
7db3b96ae645f52a1a054476fd674a4444e9544fd5f28daa9b5d1be3ac4067a0

SHA512
02d5d36ca69c9e803fb801464d3737ca5e9f5a630581f4931b816653264e242c472257ed8fc67b86c2ccf4a7153f8b0c5d5569df40e4474420a4396f124256ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkcE.exe
Filesize
201KB

MD5
ec95ebae66b8a074c0245a0caba0a9ca

SHA1
35997fb0bbae433cb43b7450e55323cffeda8996

SHA256
ce699b7a2f0deaf27e9a7325d217808b6558cc6c13928db8cae8bf042cbc72ab

SHA512
fa93b1c9bdd5465fdf9ab37d3bb7e4b7241bf8f1c5777df51e009145e6981c2c8a942af5b544bc2535b65eefb17229714aa31777bb429cae5d86a65e6355936c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcgw.exe
Filesize
986KB

MD5
4901d66d3ef29844b0f8083ff7fd3e70

SHA1
2451cf5a2f99a59360363fede0ffb103849b5b9e

SHA256
5b8aad8a9ce9d940c475a5a3f6f92712d44221f947e4591e90fc973683303a8b

SHA512
c8ebee86e202533168a6925ae973815a3d60d3d770cf42b901c5b933c79f03b0c73b8e2ae114a21dc91e8bb70a13e35dde8f1f102316cb5e940c2358a1c66050

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgUy.exe
Filesize
252KB

MD5
c39316519fd54d0c08962acc4d76dd22

SHA1
9367ef3581216eeb50e18387f94504b34abfad1f

SHA256
352f20d21e472e5bf67f388cc8d471efd0b8a45169bae6edf146a2ebc99b2d4c

SHA512
34ff0fb32f80972add7ba1ee8196bb5f8dbe5a87029f290e35fb3a41af5fbd23cb5e3b2306ec0db3cd8dd5ba655960c50261cdb7046dd9bbb99f40b4484d954f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rMgq.exe
Filesize
834KB

MD5
6d5ed3178d7cb7f6cc0cf3f68cbbe64f

SHA1
dcb7d800a7f9cb506146acbc3f62ddaf4995e92c

SHA256
9c27ca264cb26b6a21a61e9b358a009e200fc4c374d28635b35acacfaf6069ea

SHA512
2e6e439c8752b588651bb3fc801908bccff96e794abb0cfd4e97c7d8f0601e9a77baa18f933b9ca1e4acaa144de162f8553d8eff27efcd5e3b6d055d32e8b328

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgYS.exe
Filesize
912KB

MD5
1a14a0191cb36f55f9c8faf13d626842

SHA1
a10b9c1b9848a48f3c7e71bc19ea864ddf708bd6

SHA256
4fe736779e1d4e2cc38ed54adeb81496104ac8fda3912042251765abf2350af2

SHA512
f4c7b0c45b7e5c1ea3665036c203430ed2f80f60aa37c8042f96aa442e78bb906f44e21e3d98ae1c12339abf51bb1007f944edd5610e3f90c902ca1d5e7f15e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsAE.exe
Filesize
641KB

MD5
c93b4c1f6aace6674b1d93773c7535c5

SHA1
87c92c3a710da7642767d3beeaa586875dae2307

SHA256
629ea60961f79dba53a101eb825cfa2565875874f82e4256121a59484827c3a7

SHA512
71a74f1105e27a5b69d30c6cd237f6b67c0af91e93a0490d89d1f24acfe544b219933939e7af654bbeab0e9194f8eafcecf511ad70f0307b2574bcc7a830a10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEYg.exe
Filesize
322KB

MD5
c576a0e1a5714fef92ea359453bd147c

SHA1
ba837abb877bbb1cda1e1e408d3763353211064d

SHA256
b1ea9ed5a8ff94516d7c88064efcc2c17a459456b990f75daeab73d6616f6657

SHA512
9bf300cecef67027d7939896bb59b6f09581e43c636e20d38e6942a2039fa9f4d426667e1702e08966875193ebfeaf6c4684cc0b2ce2177f618036a7a8bc54a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tIMq.exe
Filesize
199KB

MD5
7ecd0e66641fa893cab501b3ea9207fc

SHA1
321bf4a259adc11a6d384e3db54a66d3b7b9c659

SHA256
9048fd6d84e7fecc71da3fc21ef8530bb2e313a5bf4c2cba47b06fe50f523fca

SHA512
68ec37be83efc0ce0d1e5f097831d015b22c20cf2b04495415630ebdbbada6f88dba2fbdbd8fdfecef353db8ae3281155cd22ef2d3a0caca24816d188dc04dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUwO.exe
Filesize
198KB

MD5
a724f6e0b79f5f7f584e0002daea1c45

SHA1
ea17fe9e039b543c594f2573fb8b18c219da94d9

SHA256
76d4846c4df0612d0bf8b50932c5721d52fd359176dba6bd02cfb9a1c30ca68c

SHA512
7987917055987b4a24c51c7240afc5916709d231bee7d7afabe756e6d5f3afe2a488c07ac9c3fdd6716eb2270e493eb1df06f43f8be699857127b3244ff41fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tswc.exe
Filesize
189KB

MD5
7111f27c341bc3095a44d34e47509145

SHA1
471ecd937afa41390fd058a145fa9d4329ab84ed

SHA256
5cd9611956e7fd21f2e163159cd6f66262a7ab128784c5fd5eff6b105f565182

SHA512
26e0ed8eae19a8e7fc6be7b02ef5e0a4373c096ed3ec089625f104831702a10198c24923783d4382164cfbbab6a16f1191fb7bc9f2863aa49f6af97b355f8f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\twkw.exe
Filesize
196KB

MD5
ca862078ac744d705cbd3b8a7f786f3d

SHA1
c74973be3187805dafd12097d952ca01c3ec24ba

SHA256
e5ba690846bd1129d89f4c060db30d46dc62785495e1be83444a6afcc3ec10ac

SHA512
5fbbc9eee1c4bee4338290862bb2063cbf70ec7f6415887a305fed21cd4b7298f29fcfc5e5afc846b10ade6cf4c91502007d1bc6cd51e3014c8eac947782f994

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUwK.exe
Filesize
195KB

MD5
e115d405266adae453802e226f58aa88

SHA1
dc8a41b0e3d94e61d00290e610435b1b98c49f24

SHA256
cbf55944ef86bec0faf8d3c5dd81fffdd2425cd39891f3f0abe2cc09d97d82a4

SHA512
f89fc14fe955e4f2e2648b798fa4c665ff94d09fa1869b38455c023707d843ad3f36bc0d7bce44c3dde933f4212bd4deb291ac36aa43a4edf654332e8274051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugsy.exe
Filesize
5.9MB

MD5
1c86036434c06750be96ccfbb0106720

SHA1
4b91655c5bdbb1572554e3c83fa2ee27a91b3ee6

SHA256
cf0170b222b0a224548676d5a1f7a010684a4722dbb354cc5ef8e29dbb700243

SHA512
98bda0fc4bb49749ed06a1cafb0b1e34e617607eca4d2cfa71456891a47e88589952bedb4e928acd9f803c18af2da3a5062d579fc0db4084483912a3c1bc900c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uksO.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uocy.exe
Filesize
193KB

MD5
4b53d5b0cbb29cf96c3f023c9bd2b1fe

SHA1
da8e286fe14a02b2bd121ef722eb71edca934b54

SHA256
13ff3d59f50318787f626e2d74978e5195226325387c598812371bbd70d1f647

SHA512
6b732f19fa1c72f6182b0d6428137fd0e0fa3379c7cdef130faba32a757ea9e0395150513d6392a4a7aab60facb48de09074c0d81eec605f22c008b5f9e1bf5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMoW.exe
Filesize
181KB

MD5
36d26bce269ee06c5481d8cc5b98740d

SHA1
bad39aefda0acab3cd30550e70d007ce97180edc

SHA256
1ec231ecba73431d04a8a2e171d5dc34be5829287fd6e55676157117e134d7a5

SHA512
c0bf3c5f940d0a611684d7d84323a4001696de5384cba4965127e8796305624a2b5269f3d3fac79e16aaa41e0583c1368a2e95d0a3129c4677f9f18ecebe9b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYYS.exe
Filesize
203KB

MD5
ba9070c0ed8994539ce25ac71e617644

SHA1
3b6b77becfa6304da0983d6bd874b20e1d599979

SHA256
075276d24044063d23705270e1203f111921793eafbb1ef45659b6cbd5c9a774

SHA512
444de13b1d7a1cf28316066d5c20701b35c10aa9ff365d69e706932859c03da52b481ef9486412cbda3448eae38ae4a90cd9c36bff785a33fdbcffe58873ad10

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIAE.exe
Filesize
196KB

MD5
3e647843cebefe49b3d07773f00dac64

SHA1
b773ce6c954460a69336e8d5cedd7a3aac5d07e6

SHA256
86dcd6f9300f6a6460be0df4d7eef31e88fbe2ca8f7ed0709a8594b418098c74

SHA512
2f9d8330a8435ad93c486b3f2ef7f5bed803517945e72fe6e693eee705f4192c7ebb271a1e67a7a3e4809cf96de746717dec4da838c5eefa403a1b0cf7d6b4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIEM.exe
Filesize
186KB

MD5
988338d05751be0e8cedd544ccdd9401

SHA1
624074d79e10fc1eebb4f9c49302362cb54ca2c1

SHA256
43fbf659417af9d24a0d8c77f54efdf2fcd9b9f933313d923bc47bf955efc8eb

SHA512
58c02772738f7381d28a52913aeacbfe1b979a94c5291d778da310b053f9f33f39e29b58a34c9b8c3253d13037f4277c98ec90bf3590fb196ec2ba63c95c902d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYks.exe
Filesize
223KB

MD5
93068d8754ab8b1a1834d44e21b37f00

SHA1
362ee970ccb164c4bdfe74d2e0f384a2ad285d99

SHA256
fe657544ff02420b4f449214f12f0382f5f563f49dd447c41f5b4c5b5aed2c43

SHA512
5517bcc7698a274d207276b7217c7e7d7353b527075b6af4f8a720e5c4cbfda8720bde9a4576f6250515302c77f2bf53b54d9d940efe53e2c941043b048b1502

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkAM.exe
Filesize
594KB

MD5
a5de6f338cfc370831c29a05c0c7d777

SHA1
e0ccd01da7790780b29bdc9d38fcc2f47c3f2faa

SHA256
b47e00bd2eeaec69b29ee7865a187092fe41636059e4fa317ef27d809038cbbe

SHA512
22fad2ceb221bf3af80ccbcb26f4dc9e9a80b4ee48f0101a3726fabaa8d52b326fbcfca4ad82968d34b6b8011459f8a1144ed3d040e83cee8601846f2939f3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsAW.exe
Filesize
211KB

MD5
625e67e8334035706206ee1a2869d1b1

SHA1
a576f14fdbb3a318dbf870694f286ea899934ca7

SHA256
ac4803a188e6eacb6c187513ae85cbebe9a9f91a77102a7827409aa3190bd2bb

SHA512
cc86eacbc825bed34c59b568b1e1e89a968041b6d9650522b13c6100065131ff20a96ef0202e2b93b1e733ff3cc1e2b8190f94157d9cac2c8f35bd30d3da4119

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsgG.exe
Filesize
209KB

MD5
bc5cf0a059e8004fb8ec66b9c777caef

SHA1
a7b8ea9e19b07171cc882406d408e13ad2daac1c

SHA256
910eeab3badb36d829715b53b72d731b5584f28e082b7ff503582d9e32bf60e3

SHA512
fd3d70b9e848461f1e0d15267496694e463aef1ba5161e696a538ea9e49e141d7e1f9960139418ce777d8d8b612285d81187d1e8d310e0e44c106c6dcd0f529d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwEI.exe
Filesize
800KB

MD5
f304529b3b9297c6784ddb0c3ab7d399

SHA1
c7a7bf2bbe9f5150c93ca21181c8160a0cae280c

SHA256
26a55d06e1e8b2ca552e509631cc6652b41288b1747683651643e934b65cef33

SHA512
3c0c4a1b864954023787c78189587c15d1108dd6b614191dcba719a52e4b586d3463ae0271c8469e0a5234114c1cfe7f9024525da3c07a049c0de870a2d71c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwcE.exe
Filesize
5.9MB

MD5
02fa4bbefc0ed031be28591b521ee361

SHA1
94de8746b34b5ee5c3fd6f154b832843ca7f69b3

SHA256
bf4f994da3dd2b6c8f6c30f0472f1bff58781289492f7b9a787ef311c3874ff1

SHA512
a037d308900ca1b2bcd2a0576e6a7470ae1c9a6db9fccc5b28c42b420aaaccbde3c5f845d79a8601bbf6bdd4fb7502f57d053a992f0a19c1c0600b7b8b3ae53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUUY.exe
Filesize
193KB

MD5
9bc8470dbca1949ccc7306d68823bedc

SHA1
a8e75b2ce94ea4df9b0e29ea7b582b722484fc96

SHA256
e01d1a0b849722d642b10def28fda61728a714fa689eda014d04a977ed68b64b

SHA512
3c89d685217a2324f608fa0600354ec2b28921d3ba241da53c00e0165772d32ac30dfa8e1236b027d85222d37b1360f65a06b301e95fedb9bb25d4dfc026239c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEog.ico
Filesize
4KB

MD5
7c132d99dba688b1140f4fc32383b6f4

SHA1
10e032edd1fdaf75133584bd874ab94f9e3708f4

SHA256
991cf545088a00dd8a9710a6825444a4b045f3c1bf75822aeff058f2f37d9191

SHA512
4d00fa636f0e8218a3b590180d33d71587b4683b0b26cd98600dcb39261e87946e2d7bdcfbcd5d2a5f4c50a4c05cd8cf8ac90071ecd80e5e0f3230674320d71c

Download Submit
C:\Users\Admin\IgcQgMYI\EQoEQggg.exe
Filesize
181KB

MD5
6079aa1a278580214158dbbb0fab76dd

SHA1
b7b61e28ba3ccce11a4a22a8c029e94a30ed36d6

SHA256
71372018bdfe7bf94c7e90a61193a001da3bf7b0d873ca1ac73123526b21a396

SHA512
05780aeb318501bdf56fbaa5220ca62ab31609115413c0f38bed08b47458671aacb8b1ce0fa329db3fc3dcb4a18658754d2efb901a733832cd577272b4d8b861

Download Submit
memory/224-296-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/224-283-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/720-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-372-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/868-359-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1128-547-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1128-540-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1132-399-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1132-387-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1228-519-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1536-350-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1536-363-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1552-80-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1552-96-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1640-144-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1928-54-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1928-69-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2016-157-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2016-145-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2072-450-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2072-464-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2408-325-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2408-312-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2520-92-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2520-108-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2528-408-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2576-528-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2700-441-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2700-454-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2768-316-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2768-302-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2880-220-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2932-436-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3068-482-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3068-491-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3112-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3112-20-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3152-426-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3152-413-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3288-243-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3288-228-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3436-354-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3436-339-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3488-255-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3600-483-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3600-470-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3620-417-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3620-404-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3836-492-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3836-501-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3840-265-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3840-278-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3896-84-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3896-70-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3940-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3988-183-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3988-167-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4048-391-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4156-274-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4156-287-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4316-524-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4316-538-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4332-306-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4332-292-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4344-123-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4344-133-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4360-368-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4360-380-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4368-460-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4368-474-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4424-154-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4424-232-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4424-217-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4424-171-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4540-330-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4540-343-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4624-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4624-33-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4792-334-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4792-321-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4880-42-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4880-58-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4940-432-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4940-445-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4988-46-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4988-34-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5016-121-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5016-105-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5036-511-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5036-502-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5068-195-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5068-179-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5080-251-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5080-269-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5100-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5100-191-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download