363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
Size

203KB
MD5

534561d3d3a5b8ec6feb851d5b24a0d1
SHA1

95289845bdd011e69973548d05186c2312ee1f5a
SHA256

363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
SHA512

4ae3d1fad309e1414506bc2b72b632742941c7470b80f7c65b30b4ee1846c71c7ac917cc739b382276ab587d16ff8932bd226c6004eb46086e36f60f536e2821
SSDEEP

3072:oQQXfc3edu86ewhiv32ggLXgk0DbLHmE2qv06xTsUnEFiJEGa773:oV2edRGgg7dqvlJEGG

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (78) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 1 IoCs

Processes:

flow pid process

32 4236

flow	pid	process
32	4236

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LGQAcQkA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	LGQAcQkA.exe

Executes dropped EXE 2 IoCs

Processes:

LGQAcQkA.exeZiMgokUQ.exe

pid process

2744 LGQAcQkA.exe
2152 ZiMgokUQ.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exeLGQAcQkA.exeZiMgokUQ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LGQAcQkA.exe = "C:\\Users\\Admin\\mkQgEMgw\\LGQAcQkA.exe"	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZiMgokUQ.exe = "C:\\ProgramData\\OqMssAMA\\ZiMgokUQ.exe"	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LGQAcQkA.exe = "C:\\Users\\Admin\\mkQgEMgw\\LGQAcQkA.exe"	LGQAcQkA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZiMgokUQ.exe = "C:\\ProgramData\\OqMssAMA\\ZiMgokUQ.exe"	ZiMgokUQ.exe

Drops file in System32 directory 2 IoCs

Processes:

LGQAcQkA.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	LGQAcQkA.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	LGQAcQkA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2480	reg.exe
580	reg.exe
2104	reg.exe
4572	reg.exe
1208	reg.exe
1044	reg.exe
4212	reg.exe
2748	reg.exe
804	reg.exe
3080
4588
1680	reg.exe
2324	reg.exe
1444	reg.exe
2320	reg.exe
1844	reg.exe
4924	reg.exe
3776	reg.exe
4344	reg.exe
3948	reg.exe
3164	reg.exe
4320	reg.exe
1604	reg.exe
4244	reg.exe
4736	reg.exe
2772
1532
1976
3996	reg.exe
3440	reg.exe
1228	reg.exe
1692	reg.exe
2352	reg.exe
5064
4116	reg.exe
4064	reg.exe
4144	reg.exe
1500	reg.exe
4416
1636	reg.exe
436	reg.exe
1608	reg.exe
2488	reg.exe
2920	reg.exe
4948	reg.exe
224	reg.exe
3312	reg.exe
4736	reg.exe
3312	reg.exe
2948	reg.exe
996
660	reg.exe
1396	reg.exe
5064
4136	reg.exe
220	reg.exe
504	reg.exe
4360	reg.exe
1864	reg.exe
1680	reg.exe
1276	reg.exe
3240	reg.exe
2276	reg.exe
4876	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe

pid	process
5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
3088	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
3088	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
3088	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
3088	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
676	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
676	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
676	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
676	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4176	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4176	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4176	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4176	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1524	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1524	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1524	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1524	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
3512	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
3512	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
3512	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
3512	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
504	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
504	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
504	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
504	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1860	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1860	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1860	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1860	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1124	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1124	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1124	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1124	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1284	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1284	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1284	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
1284	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
3248	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
3248	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
3248	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
3248	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
5064	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
5064	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
5064	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
5064	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
2488	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
2488	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
2488	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
2488	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

LGQAcQkA.exe

pid process

2744 LGQAcQkA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

LGQAcQkA.exe

pid	process
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe
2744	LGQAcQkA.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.execmd.execmd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.execmd.execmd.exe363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.execmd.exe

description	pid	process	target process
PID 5112 wrote to memory of 2744	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	LGQAcQkA.exe
PID 5112 wrote to memory of 2744	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	LGQAcQkA.exe
PID 5112 wrote to memory of 2744	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	LGQAcQkA.exe
PID 5112 wrote to memory of 2152	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	ZiMgokUQ.exe
PID 5112 wrote to memory of 2152	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	ZiMgokUQ.exe
PID 5112 wrote to memory of 2152	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	ZiMgokUQ.exe
PID 5112 wrote to memory of 4680	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe
PID 5112 wrote to memory of 4680	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe
PID 5112 wrote to memory of 4680	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe
PID 4680 wrote to memory of 4608	4680	cmd.exe	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
PID 4680 wrote to memory of 4608	4680	cmd.exe	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
PID 4680 wrote to memory of 4608	4680	cmd.exe	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
PID 5112 wrote to memory of 5036	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 5112 wrote to memory of 5036	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 5112 wrote to memory of 5036	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 5112 wrote to memory of 1636	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 5112 wrote to memory of 1636	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 5112 wrote to memory of 1636	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 5112 wrote to memory of 1512	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 5112 wrote to memory of 1512	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 5112 wrote to memory of 1512	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 5112 wrote to memory of 804	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe
PID 5112 wrote to memory of 804	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe
PID 5112 wrote to memory of 804	5112	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe
PID 804 wrote to memory of 224	804	cmd.exe	cscript.exe
PID 804 wrote to memory of 224	804	cmd.exe	cscript.exe
PID 804 wrote to memory of 224	804	cmd.exe	cscript.exe
PID 4608 wrote to memory of 2652	4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe
PID 4608 wrote to memory of 2652	4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe
PID 4608 wrote to memory of 2652	4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe
PID 2652 wrote to memory of 4048	2652	cmd.exe	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
PID 2652 wrote to memory of 4048	2652	cmd.exe	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
PID 2652 wrote to memory of 4048	2652	cmd.exe	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
PID 4608 wrote to memory of 2292	4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4608 wrote to memory of 2292	4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4608 wrote to memory of 2292	4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4608 wrote to memory of 3948	4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4608 wrote to memory of 3948	4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4608 wrote to memory of 3948	4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4608 wrote to memory of 1604	4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4608 wrote to memory of 1604	4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4608 wrote to memory of 1604	4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4608 wrote to memory of 1544	4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe
PID 4608 wrote to memory of 1544	4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe
PID 4608 wrote to memory of 1544	4608	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe
PID 1544 wrote to memory of 5016	1544	cmd.exe	cscript.exe
PID 1544 wrote to memory of 5016	1544	cmd.exe	cscript.exe
PID 1544 wrote to memory of 5016	1544	cmd.exe	cscript.exe
PID 4048 wrote to memory of 3900	4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe
PID 4048 wrote to memory of 3900	4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe
PID 4048 wrote to memory of 3900	4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe
PID 3900 wrote to memory of 3088	3900	cmd.exe	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
PID 3900 wrote to memory of 3088	3900	cmd.exe	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
PID 3900 wrote to memory of 3088	3900	cmd.exe	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
PID 4048 wrote to memory of 4644	4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4048 wrote to memory of 4644	4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4048 wrote to memory of 4644	4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4048 wrote to memory of 4252	4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4048 wrote to memory of 4252	4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4048 wrote to memory of 4252	4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4048 wrote to memory of 3684	4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4048 wrote to memory of 3684	4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4048 wrote to memory of 3684	4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	reg.exe
PID 4048 wrote to memory of 3404	4048	363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
"C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\mkQgEMgw\LGQAcQkA.exe
"C:\Users\Admin\mkQgEMgw\LGQAcQkA.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2744

C:\ProgramData\OqMssAMA\ZiMgokUQ.exe
"C:\ProgramData\OqMssAMA\ZiMgokUQ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
2⤵
- Suspicious use of WriteProcessMemory
PID:4680

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
4⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
6⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
8⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
10⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
12⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
14⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
16⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
18⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
20⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
22⤵
PID:2296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
24⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
26⤵
PID:5096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
28⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
30⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
32⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
33⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
34⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
35⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
36⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
37⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
38⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
39⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
40⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
41⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
42⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
43⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
44⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
45⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
46⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
47⤵
PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
48⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
49⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
50⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
51⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
52⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
53⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
54⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
55⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
56⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
57⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
58⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
59⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
60⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
61⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
62⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
63⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
64⤵
PID:4236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
65⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
66⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
67⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
68⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
69⤵
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
70⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
71⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
72⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
73⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
74⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
75⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
76⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
77⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
78⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
79⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
80⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
81⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
82⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
83⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
84⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
85⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
86⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
87⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
88⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
89⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
90⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
91⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
92⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
93⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
94⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
95⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
96⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
97⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
98⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
99⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
100⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
101⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
102⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
103⤵
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
104⤵
PID:4476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
105⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
106⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
107⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
108⤵
PID:3996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
109⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
110⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
111⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
112⤵
PID:4236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
113⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
114⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
115⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
116⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
117⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
118⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
119⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
120⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
121⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
122⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
123⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
124⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
125⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
126⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
127⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
128⤵
PID:4076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
129⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
130⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
131⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
132⤵
PID:2316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
133⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
134⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
135⤵
PID:504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
136⤵
PID:760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
137⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
138⤵
PID:2336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
139⤵
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
140⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
141⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
142⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
143⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
144⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
145⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
146⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
147⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
148⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
149⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
150⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
151⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
152⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
153⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
154⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
155⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
156⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
157⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
158⤵
PID:5092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
159⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
160⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
161⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
162⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
163⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
164⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
165⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
166⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
167⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
168⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
169⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
170⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
171⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
172⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
173⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
174⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
175⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
176⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
177⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
178⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
179⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
180⤵
PID:1820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
181⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
182⤵
PID:1500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
183⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
184⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
185⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
186⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
187⤵
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
188⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
189⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
190⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
191⤵
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
192⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
193⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
194⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
195⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
196⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
197⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
198⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
199⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
200⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
201⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
202⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
203⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
204⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
205⤵
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
206⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
207⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
208⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
209⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
210⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
211⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
212⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
213⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
214⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
215⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
216⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
217⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
218⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
219⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
220⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
221⤵
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
222⤵
PID:2448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
223⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
224⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
225⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
226⤵
PID:4904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:3200

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
227⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
228⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
229⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
230⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
231⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
232⤵
PID:3088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
233⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
234⤵
PID:5060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
235⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
236⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
237⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
238⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
239⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
240⤵
PID:400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
241⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
242⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
243⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
244⤵
PID:1228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
245⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
246⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
247⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
248⤵
PID:3328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
249⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
250⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
251⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
252⤵
PID:1544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
253⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
254⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
255⤵
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
256⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
257⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
258⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
259⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
260⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
261⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
262⤵
PID:4892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
263⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
263⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
264⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
265⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
266⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
267⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
268⤵
PID:64

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
269⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
269⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd"
270⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
268⤵
- Modifies visibility of file extensions in Explorer
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
268⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
268⤵
- UAC bypass
PID:4144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
269⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAkccUcA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
268⤵
PID:3752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
269⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
266⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
266⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
266⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAgIAMUI.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
266⤵
PID:216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
267⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
264⤵
- Modifies visibility of file extensions in Explorer
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
264⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
264⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSoMQUsU.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
264⤵
PID:3080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
265⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
262⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
262⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
262⤵
- UAC bypass
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qswQoAMA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
262⤵
PID:972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
263⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
- Modifies registry key
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
- Modifies registry key
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyMYYocg.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
260⤵
PID:1692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:3956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
- UAC bypass
PID:676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOQAYoMY.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
258⤵
PID:436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
- Modifies visibility of file extensions in Explorer
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIggssIo.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
256⤵
PID:4236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
- Modifies registry key
PID:2948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAUEoIcA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
254⤵
PID:760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
- Modifies visibility of file extensions in Explorer
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwMUocEo.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
252⤵
PID:5108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
- Modifies registry key
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- UAC bypass
PID:1760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkcAcscA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
250⤵
PID:2968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:3584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcAIkMgE.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
248⤵
PID:4892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- Modifies registry key
PID:1044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmwoMQsM.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
246⤵
PID:4948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:3248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies registry key
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:3312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DokkEMgs.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
244⤵
PID:4924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:4280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:4696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQAUEYEw.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
242⤵
PID:3512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:4184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- UAC bypass
PID:3312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaQwosIw.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
240⤵
PID:2500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:4064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:1948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
- Modifies registry key
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkMwkYkY.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
238⤵
PID:4360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:1188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOwEAsIA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
236⤵
PID:2352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
- Modifies visibility of file extensions in Explorer
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKYgsMcw.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
234⤵
PID:2948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:4564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:4904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zwosAAgY.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
232⤵
PID:1876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:3900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies visibility of file extensions in Explorer
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkAIcoEI.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
230⤵
PID:4360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:4564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkkoMQYo.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
228⤵
PID:5008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:4572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAYYsMIM.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
226⤵
PID:2828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeogkEUM.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
224⤵
PID:3348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
- Modifies visibility of file extensions in Explorer
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kssQgIoY.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
222⤵
PID:4872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies visibility of file extensions in Explorer
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
- Modifies registry key
PID:3312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:2632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkcsYQcw.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
220⤵
PID:2352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMMAwcIg.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
218⤵
PID:3968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
- Modifies registry key
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUQskgQk.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
216⤵
PID:4144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:4904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PowMIQoA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
214⤵
PID:2644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEYEwoMk.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
212⤵
PID:3248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies registry key
PID:1604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqwEMIIw.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
210⤵
PID:1228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies registry key
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:1680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUoYIkkk.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
208⤵
PID:4728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EesUMccs.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
206⤵
PID:4984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies registry key
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUEAwkYc.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
204⤵
PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- Modifies registry key
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEQoAUIw.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
202⤵
PID:2104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:4280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vSkgkoMU.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
200⤵
PID:4400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmIoUYgU.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
198⤵
PID:5096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUMcMYQE.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
196⤵
PID:4000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGAMIAoE.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
194⤵
PID:2708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- Modifies registry key
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myMUEIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
192⤵
PID:3196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAUwwwks.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
190⤵
PID:2868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkgkckcY.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
188⤵
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:3900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGwYQQwc.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
186⤵
PID:4564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:3368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIkswEMg.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
184⤵
PID:400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmkAQYcc.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
182⤵
PID:2496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
- Modifies registry key
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkIEsQcw.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
180⤵
PID:4588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
- Modifies registry key
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOskokAI.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
178⤵
PID:676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKAUYokg.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
176⤵
PID:5096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
- Modifies registry key
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoMQQIEU.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
174⤵
PID:3592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
- Modifies registry key
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:1392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOckEccA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
172⤵
PID:1044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies registry key
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkoUcYkE.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
170⤵
PID:2788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:4504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUkscAoE.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
168⤵
PID:2448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\accoMQYg.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
166⤵
PID:1648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSAYcEwU.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
164⤵
PID:3368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- Modifies registry key
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EycUwAQI.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
162⤵
PID:4600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:3900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- Modifies registry key
PID:3164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIsUYYAA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
160⤵
PID:1572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAMsQoAA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
158⤵
PID:2848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWkQswMI.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
156⤵
PID:4484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIwsAwgs.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
154⤵
PID:1636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:1976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqokcQsw.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
152⤵
PID:2072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqcQowYk.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
150⤵
PID:1740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsQgocYk.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
148⤵
PID:3572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWYoAoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
146⤵
PID:4540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyAkYcMg.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
144⤵
PID:976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
- Modifies registry key
PID:4212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoMIsksM.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
142⤵
PID:3092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKYMIwcw.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
140⤵
PID:4436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:1528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGQYEccc.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
138⤵
PID:2920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqgEsIEg.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
136⤵
PID:1960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:4104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SookcMMg.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
134⤵
PID:3372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:3092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwUgwggU.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
132⤵
PID:4132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies registry key
PID:1444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkEwsIUs.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
130⤵
PID:4144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwskAMgo.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
128⤵
PID:2500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:3296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqgMgYUo.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
126⤵
PID:4476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies registry key
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aucoYIwg.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
124⤵
PID:4176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- Modifies registry key
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaAQcIQo.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
122⤵
PID:872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
- Modifies registry key
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyMQMIUA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
120⤵
PID:4448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOMcUosw.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
118⤵
PID:2832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- Modifies registry key
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGEUkQYY.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
116⤵
PID:4112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGEIIswI.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
114⤵
PID:3100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:1056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMEUsIgA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
112⤵
PID:4068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYoYkosA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
110⤵
PID:3968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
- Modifies registry key
PID:1228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwssYUMU.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
108⤵
PID:1400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:1648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
- Modifies registry key
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmskcAYo.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
106⤵
PID:3260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:3584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:2324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCwoogQA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
104⤵
PID:3200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCEIMMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
102⤵
PID:3968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:3772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:3100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuoQQUcw.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
100⤵
PID:1648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:3248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmMYIUIE.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
98⤵
PID:4216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies registry key
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqsIIsUc.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
96⤵
PID:4356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:3900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies registry key
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uygoEAoE.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
94⤵
PID:1712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:3996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:4908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWIcoYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
92⤵
PID:4444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:3372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:2772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TacgIoIM.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
90⤵
PID:4332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:4828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fScQggAA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
88⤵
PID:3016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
- Modifies registry key
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TacssAsU.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
86⤵
PID:5080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owgEYEgA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
84⤵
PID:2292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:2072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIsgIoMU.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
82⤵
PID:3372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:2412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMMwcMUk.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
80⤵
PID:4356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:4844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- Modifies registry key
PID:4876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gekUooEs.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
78⤵
PID:4400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYoMYgYI.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
76⤵
PID:2032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:1048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:3584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:2412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwUAEkAA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
74⤵
PID:3424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:3280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsQsoMEw.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
72⤵
PID:1284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:1092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:4112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEAcwYUI.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
70⤵
PID:1876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:3208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:4152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- Modifies registry key
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeMkYkAs.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
68⤵
PID:1692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:3388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQEIwYIs.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
66⤵
PID:2968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:3900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- Modifies registry key
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSwUoQgI.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
64⤵
PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiMsQgQc.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
62⤵
PID:4132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zwEYYgQs.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
60⤵
PID:3100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaYEssUU.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
58⤵
PID:1700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSAQYAIM.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
56⤵
PID:4600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIEAYswk.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
54⤵
PID:972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eksossAM.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
52⤵
PID:1692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:3280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiIYYIUY.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
50⤵
PID:3016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsAYMcoc.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
48⤵
PID:4480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
- Modifies registry key
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQoosgkw.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
46⤵
PID:3544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies registry key
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkskAUkc.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
44⤵
PID:1592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsUEsUww.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
42⤵
PID:872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
- Modifies registry key
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deEcMEAo.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
40⤵
PID:2104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
- Modifies registry key
PID:2920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGEokQcI.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
38⤵
PID:3036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:3088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soMgYgcg.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
36⤵
PID:3696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies registry key
PID:3312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:3640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqsYIcoM.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
34⤵
PID:1712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMMUwMUk.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
32⤵
PID:2708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:2296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies registry key
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIcIMYwk.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
30⤵
PID:4844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEwEkwws.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
28⤵
PID:3408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:3512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoQoYkIY.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
26⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:4544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmYcEUIs.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
24⤵
PID:3208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcYEUYoE.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
22⤵
PID:4660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYogwwIM.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
20⤵
PID:4484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
- Modifies registry key
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAwgAIsg.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
18⤵
PID:4704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- Modifies registry key
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEgwYIgA.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
16⤵
PID:2456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaIIgkAw.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
14⤵
PID:1192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEwsEsQs.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
12⤵
PID:1304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:3508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUAkUUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
10⤵
PID:1228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkkcYsEo.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
8⤵
PID:2864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:4252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkYwIswQ.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
6⤵
PID:3404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEkYUAAM.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIMoAIIg.bat" "C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1276

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
315KB

MD5
02a15ca1cd71007f691fa29fb790b364

SHA1
6dff84133b7af2cc9020c7a67f629244ae7867b0

SHA256
479bc1f1cee14f871a34a1e5f9394e81437c7b7d806bb2d1321ac443e99439a4

SHA512
9cbac0e8733e5aa6812991157df13739ca98277ac73264e9b1edd32ec67d9207c8f2dc6c70b8ac82e5397164b07a41413fbe99949bfaa750619467c153f73d77

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
215KB

MD5
b67bda1410ea7de0abb1b9b885c52ee4

SHA1
34bffc49c52783baa4fa6e19ed3f391035cb4c8d

SHA256
8c74709b28cc4295faa39932e217211be03b42314fb3eb6fa92a212325c37ff7

SHA512
799a2b897a8b046bc1635d34277db72ab0db69eb52e6eea65bd7cd499aa59a39bcbf84aef3173988368849f61f696572a86b15ef7576e7881bb86550ef4540d7

Download Submit
C:\ProgramData\OqMssAMA\ZiMgokUQ.exe
Filesize
194KB

MD5
e50c786b4b7f23b058246608534fff1f

SHA1
ae04048693a4031003328da8c3316c530247b69e

SHA256
dff8dbde3e6fb1e30e383f3fa461ef3eb62902ac57749b28be94a5e716c4052e

SHA512
1fa9a8fc277fe410ce36dd9314b9211cb8e6996d04d7460a113c40cf2d44f69ec38ea73365a22ac10ef69b5b8b6bb5c44b2bdc64eaa9cce77ea01850de966f80

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Filesize
623KB

MD5
0ae44a01c46748a5166bec2356727190

SHA1
eefb1ceccc77560e2b5abe29b0ce4639dd9238ac

SHA256
8c4cd83fc65f1d9e45bd1b09da2b824f55621808a95c4ae6fdbb7bddeb965d48

SHA512
5bfd0fbe0146e586be328b31c0d13f8c66ce174c0a6b8401218f1dd1245156f080a5dc9ab84e9e6cbd4fe75a81da622644d4cceb6e64f48c978f224004492778

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
793KB

MD5
96431e43e2667e2a92bdece418d13c82

SHA1
238e4f659ad6024814e22ad848d4eda589d3501c

SHA256
ad37a8a2bef76f4050166cf86cf526dfc2d5e8e8507311ef754bb68095c2e624

SHA512
ef5db040963ca517fcbbb166650d09ce81fc52482cd40fd299f014410852f5fbe81a9596958745d27e66f45f0fe22237fae71923109cc6ac3d4a0d0b001c6f2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe
Filesize
196KB

MD5
113bff083e900c8b5501426085d5037d

SHA1
336bc78517987eabe0ecc9124c11811891b4c0f2

SHA256
3a24e0658d1df5fb0ecb1eec0a06844ecbf29ca6e5002de941b2e2a9425c6b87

SHA512
db76ab7ed7416fed06d4b5218be4cf5a098b68367cb8e29333859170d1f40abad31977a858e0f649b105dacd8361414b1cd971bac3954bbd36343d49e5268cfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe
Filesize
201KB

MD5
61427efe6a9d6096d5e9495ed555cb05

SHA1
fbf6d267c7d4f9d6a6b2442ed0c2d89cfe43560e

SHA256
47614d5e76e86630e05608e29e21d3eda97fa7bd39a8e14650f984d19aaaa9f7

SHA512
e591075481e22d39f788fb59a6b6153b51c66db0d14b901ce2ba0116e687597cc5ce6bdd56bd0b93315d4729f65569b8c4b3402a3d7939467fd1d3685cbac1a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe
Filesize
195KB

MD5
e54d0c4a266ea5d46317dde90e7eac92

SHA1
b79cbe6be050f8309c3cdc73a3c88fd7a03dbcbf

SHA256
5d66331957acb643cebc30d26e4262d249f7ebaf759ad2cb8231d56af63e7c48

SHA512
65a4cf6fa12b4e2347de0d0ea0bc4ecb77b4916ea7a884d440a633bf176dec05eac6f0d337431979bec906112a11f9b108459b2f8ef3139805214e8aeb4ad4ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe
Filesize
191KB

MD5
ee429af7b3119c6966f464655cb7fde3

SHA1
faa88a7cd66fd1e923a3dc6d4b8f448b796c5a20

SHA256
557a9e6e55113ef97374eac95a6111082c3bba2bf3fecdc67bd755da369bbf25

SHA512
b681077e2f5e41e2ad29a9b76f0c69a45b2d3779b20111e5ec0831a2c3dd4f8857690c10a07d18b9cfcb0422ccad20e283774f76867b8ceeedf116a0bdcbf468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
Filesize
188KB

MD5
0c5b716d8d88e3db4d86b2f6bb4356e2

SHA1
d7d9fed7bc03cdbbee3791016f8d82f11d338ecd

SHA256
7d758feeb2612ea3ee266ab7858d07b4bb58fd1d3e0489d1638fb5445b90bc9e

SHA512
c37b572d62bc7dd589fddad9411796b1957d1f675a08535c5579560af14c3f680554e68d042fb249bf91ea89aeb81c2d379ab3682bc7b9532a36cf144b22725b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe
Filesize
209KB

MD5
0395fb6c8d15097eb9597f08208ef96b

SHA1
33c92420fcc1de66bec95e3f660c37ae12275916

SHA256
0807d8d7e7bb2d2732d7fe8bf02f5701766d09633d4b5cf365056c135427016e

SHA512
2f0e9904d6ce734c853e93b999787565cc4156d8b680e5e5cf435a00985ef63568d00fac0c1cb56e9278f4b50e06361ad4cbd86ab0a859792db97859ec5c6e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe
Filesize
572KB

MD5
51ecb31d9742c8f0ac0a2532a0994e8e

SHA1
8493576e0a1a62c42395a9689d2131ea7b855f14

SHA256
07dcf5793f1216e7d58be1651e7a59aa879401827d1f3fc6d9314b331b422d3e

SHA512
1fb5355f5377c8641f37966269b2a8a39652d287e6084e60d649d796d6425653da2f0277cd66e9bbdc3c12135bc3304f28f7c1a3b8ca73dba71442da63d673d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe
Filesize
205KB

MD5
d7a821b01e767f3ce99d4dbce77babbf

SHA1
fe3b1c9c757e61841e3bb028d97233ea3b207f65

SHA256
527834245925d497a302aba1e8d448a5265ad43eb3b6ee085ac526a1b47201e7

SHA512
bea872762679c465ae012136061aef0ddf937d5f5da0f97c93bffa7f87e3cd0391c313132c1ce10bc74e486a5330d499a89bb458c4b96b8dcca5a71cf0e21850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe
Filesize
184KB

MD5
f5b30b64a6a6cbe0cb11d1452048231b

SHA1
9f5b3d2c67bad85ffdf1231c932041e644421720

SHA256
c16a21d999174a91096f90601daa87c406be1ea9d144a23da510d75e053b6e7f

SHA512
eb23dbafa55fbf2d048eae8e50c1bbb14faaddc0abc9ecc15e707d142554e5ee86fd6326fdbe94551920b3a18b54bad3ebed62347606a95a4dbf6d2c4bf99a3a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe
Filesize
203KB

MD5
450d49a3b3723f03846211aeff47592b

SHA1
d75bd0b0a44af57d8a1add020cfab55560d6e005

SHA256
306ea8890c3bfba511ebe3c9cb92c22e56436cb7054b0e3e058eaeaa59031140

SHA512
bd153f578de3a31e6b283cb0bc91f1caa68bd334ea74aa85a86f91d351249c8fa510f76961b4cd4c2b5b7da0d6bdd9f91b90816b65addab51cb459a1f4aa2dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\363c7d80912d56db2f9fa37adace43beae80707cb31536a5d8437b0d6c711efd
Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIME.exe
Filesize
206KB

MD5
b3e4a95f2d18411ffdab61f6f70f0756

SHA1
fa07c5a0a49e6697502176c839336c2f772f5cf7

SHA256
5c3b0e40c0153fbc0d483becbd4b6285e6a74e72e4c17816489354d10b96666f

SHA512
f1906d050e69a6d41518780cb85a9c82f6605530c072a014060d46d59ab0215497cfb91c7686f6a98860b5a09d5eba95c1b213991d9cecd57eeb046c2e402272

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUQQ.exe
Filesize
200KB

MD5
fb9f4ad0869601e00d0f174f26827fe6

SHA1
8a456ceb1a50fd2ce3b94447f2364f04f9e52c39

SHA256
4e4fe37045dc5535be3f530d97495cc032223200b9361ba96a53e8575244845a

SHA512
0729dfc062867b2b654062175a9503d9e6b626551d13d2fad048829940e45c1a8d2a88a77623eb68f72ae8e431850c56d8e39350542e0203697252483068c9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcMs.exe
Filesize
851KB

MD5
636070e766a70954660483cab74516ab

SHA1
6f9d678548bda0fd1e37542ade8c9558164af7b5

SHA256
2c563ce943b056383ea68d61d3a79e722425d7ac442aa514e8c5fd658f0e33e8

SHA512
7e8b553f4afcf2c978c651be89493ac8cbf2ea7bad8804953c175b7c527a1b72f2926d94a6dadcb3f6b10b1dfa6f2ba33a185a7edfd19b6ed0d5be16410abda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgIY.exe
Filesize
182KB

MD5
95680c5c7ffc5c25d93806d7a9cda569

SHA1
7fdffb92a7697c293abf74f547db1706861d61b0

SHA256
639c2f97bb3fdc3dbd8cd60cf4be8d8f9cea30ee8c5b6c4ef65111995b51a6d4

SHA512
4704f5d711e7f3db4019ff5856ee767b0ac583f7e936f6ab859eaf8f303fa666ddbaa0ee9ce3222f7fe8186a1d9ddd657800c960ce2ce0e2b9ae0ba98e748b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkQE.exe
Filesize
495KB

MD5
3ea5ac8f5a5648e8cfaa14a282dd0e7c

SHA1
7a6f5edd76902ce97cda034d2c61b5de63479cab

SHA256
4ba713c4debcc44b0b172ddbee7b399f14789e469b7e56a1a7e3d8ef88eba05f

SHA512
858e14ce4ed83f39385c2ad5085b959090753eec08bb7ed3e5444696ae011a4d4057ccfd0beebd1b04cc1d2d6f8aec631520075a5afa70eea206786dd3ba028e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAsa.exe
Filesize
214KB

MD5
6250b83100568f3ed20deb2f26df7956

SHA1
60f046e4159cb1934710fc0facf713a0a7196381

SHA256
a20568b113e10fe571f3fcdb61693c6f3dbd3d05cd5b3bfaf02c5bedcfd8c77d

SHA512
382105fa316285a4ce16f27172aa527df7f797feaba1af880625f7543a797e936cc40e2ef56f76b7d05a987c43a049df92693a25320e68fe2f7a2ae8e40249e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIAy.exe
Filesize
272KB

MD5
b013833c0fa9b18d53799c7f811b653d

SHA1
0f0d2e101b0443b1200f2bd247854e6eff89ae0a

SHA256
9c4983085a846926afe5a98aa1b7139aea2f91558bd779294589d262c0bed8bd

SHA512
805a9ca2a2a069e01327eb4ffa81892d0fbdf9c1a07b695f6c74522507e594c04a7d379aebf7ee824701033b17ec8f068f3fad6e399911297c8ec44be570b8d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMIc.exe
Filesize
200KB

MD5
89bd461995322bd96ab58dc845c058a0

SHA1
be016ea8f541eda8c2e0b69ec6d4d03689b50999

SHA256
f81beb760345d72a056da375b1cf0a6abe2b0ff12a4f1753c312988c966dda7e

SHA512
df20da29f2a4f980f85b1d815c1655b8edc8cf508a7c6538863adfd65168c2bb472085091ef7ad97736250e10a297aa0ecc4614523e76dda33b6191269ef0646

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUAM.exe
Filesize
185KB

MD5
1f8f1abf26046e4f04e700da756699a1

SHA1
19cedd2295407b9f578d749d28510e4d12f2c4fe

SHA256
4e9b44a073672fb7fd87926b4a83d729cd09c4c4959b5a1d6f5d5e8af315b739

SHA512
9c0732a4c610865a836f6c87ebcdd014494d70c3f4d756576cc328cc96f5989981ae5743ebe759487cc8d4eb4ed6688e92a0e425521046e80234b827dda728a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYAy.exe
Filesize
203KB

MD5
7b0a3411da669f8a8894231c37a3db27

SHA1
df3034e76c0a655ea94fe0523da6b94a8ac4cdbc

SHA256
7b3d6b1c760ebf6cb6b5f0f69feb8cd1091601a3ec66bad5c4f9e1392efd325d

SHA512
8ed5ba8ddf964fb59820fef959dbd5d4da0b8201fc098acdbd50b240af2230593f99230bdaab67f72075971065f5f8fdaac85470bafc65a699ff7863028839e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwEO.exe
Filesize
226KB

MD5
221ab682ac6c4ddf212e14538710e3ae

SHA1
2d340e7f3b3126b77a5848085014e594573e58b0

SHA256
a75dbd9351e1ddc6097d770bad045074f0b79e3d8f8caadb7b3ae37672d6f2cc

SHA512
6a3faec17f4a9c9bfd747dc577b7462abc8306dac2ea27a16e9a55eb8b08a407767d838ba77266a2d279b5833207f26c8585ec6f1d382a149c74ad5be8caffd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEM.exe
Filesize
199KB

MD5
452fc20f0a3d4107f370a2f032c14320

SHA1
3ef0a33594ca5c5697cac99596a2c6d46de63736

SHA256
5f89f85be2c38689a97e2c378faa6833f6cc0b44e214f7ec3230b15361eed624

SHA512
829da53945191f2d22c448121180c875d2b2fc720335d68f8e1075f44e56efe01e8a0b36fd990041eb23bf5ae6313fa2b212b7453065585e1869f2543adf96b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEsw.exe
Filesize
205KB

MD5
2760b63b674a22ff7870e77d80fe13d6

SHA1
0fb8ca9661a4d96d6b1083718bcf40f236bb4ecb

SHA256
80f622b0b243e5eb0d9ec750e02871d99f0fdd0bea84563b0853d0aaa98a7952

SHA512
7320d10a77135568b3c27621493c150627f1a1725b562fa84c5885263ae0317b4be61f4e0f0e639115434d68cfe029296b3d681e084069d0fa8c4d7a42cd0cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYMC.exe
Filesize
189KB

MD5
afee9c375750fda60d425ed6e0666652

SHA1
61a8ad59cb519317418eb5362fb830b670d1a50b

SHA256
c22ad88020c36807e8daec9b6d105331f677545021440842e183809f5be86a8f

SHA512
c535cee73c304f828aba6fd0ad5ecdb82f20402f11a301d434800b7d328e226ce05b391a053cbb6274152ba1356977b83254763203fab8e810d38e4a8a1c8d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkEW.exe
Filesize
193KB

MD5
0056df0e1e6ff5a2a2d3c016ef39696d

SHA1
7111ffbeb2191ee1a7345dc47fee4681ad817064

SHA256
ceb85f2deacc3052217e8e52d09c2df1e80c778a7fbb7a1926680ba4c020bace

SHA512
4a2c29dde90b4de520c9a2a0d33fc53a1cb6ddbf9ee80cbba449f2fc5652f91b02a6de628d15c7b321d915a801422e3661f336cab8d3c8f3d62d003f01e1a523

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eogg.exe
Filesize
203KB

MD5
1f485774cbefb48092aed394774ba4ca

SHA1
22572acf634944b8fcb80e50bd1ea9346f3e0fb9

SHA256
fade2e70e3479d6267103641fb21437babe18a57deeb88e95c840de03beccb9f

SHA512
a7323a5b0d7c51c35ae0ffd203bcf958292aede5349f3ce8c4b0ae285149e8d61d6c4b5908fad67ac34e0a50def432691726dc435b9f1d7eebc4a53f27a12c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYgs.exe
Filesize
205KB

MD5
ae088bdfb8c4abcef8f6544a8557cb53

SHA1
0125c19edee7b3470be102822c08e312c94d6f0e

SHA256
f49ceec103069910b1886aaee137354b5fbb40ae0721f60b9618d5994b85f325

SHA512
765b91ffa5483d096329ba2132d75ec44799318d394081eb146bdf0d83683b7906534374d3c314e84220471dcd1900ea951efc7db88222e473f9ddbf44ad59b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgQO.ico
Filesize
4KB

MD5
915b89b32206268168c5789d7c55f7f0

SHA1
37aa8ac4a21bfd3756457063f300caf5150d9cbe

SHA256
1aa540b0acfa68f313963ae32ca68a5b3cefb49217cbf3b9e0b9eb98b9b94b6a

SHA512
35ed5562ec9fcefca9bc1644dd8fd7c28ead223eea2100eee38c51224332cc071cb7a122f750144d1d2b38b3580dfd8025cc59e0942a97f729ac39bf3fbfb9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\GocA.exe
Filesize
198KB

MD5
94cd8b207b62179fe2fd87be6000ee61

SHA1
da673ea4dd367fd2ae037db6973b1df9c449432f

SHA256
633ba4d1303ea4c5390182d154a52f0ab3d50afbff66a1102989379261d9dbb0

SHA512
c248be608cb900cab6dc278c2fea190a88d45b03271fccf29e802e3d9eff9937d5a295e1f0e99608c3a8ccd7cb79fc85d19ec7eb2c7adb60ebc9a96e14e59825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwgy.exe
Filesize
188KB

MD5
1302ff723a2ccd281e5c8cd579fbc412

SHA1
d7413f3e977d7f0178f91c6182b699317f0d5c15

SHA256
2e2caca88bd2f6ece5e55d6df3de0c94255d677de8b2e6441ea9d3aa600e5e2e

SHA512
127a2a858e414d46b1127cc786f6a3d33fff19dc118091e807e40ac4f769c20a0593c5bda076ba072b4511163451bff5bef89748b3672e11d267c1b7afda14ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Icsg.exe
Filesize
814KB

MD5
340a7f73890a4cbc29aed5bf729131a0

SHA1
609dd28aabc87ace40ca0539d60c6dc87c21ec5b

SHA256
1d36626492eb4e04e221746c32850ee014b89baf2a9af60145bec42acaccb709

SHA512
05952342893e831249bf3946368fb1cebe6fd5b1be3970934b0c2895525f31fcb0b774a69e6c6212968d1ee82c043ae1bfd922b2abf55503233b57f91e599fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkcA.exe
Filesize
1.0MB

MD5
d9e64e340acb3057a681904d32e11070

SHA1
3694c0e0400aae1e8f32fc7745fd648514a1c4ea

SHA256
82274894170f9412d4df226c57122d962a1ed9b01a8b68e187b16c5b4569b65c

SHA512
55d407f56e04b0965082df39e03362a01a55e29de08ec8a266bd86aff3243b81e99d7f4ac9a645dcd35b9414da2797e39ddfadec099455ce4de4d6ce6388bb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsMY.exe
Filesize
190KB

MD5
536909b6bf87487eb385f09a51d4dfbc

SHA1
aeaead933069ebd5e108a47915575205c5489a29

SHA256
010208e92e76b78bd11faa579ccc19869709235c4bf74d3dbe4d7794397277ef

SHA512
9498caeed9c30f140e7043a1109f712ae483050a435a9488d00cd02fef9ec05105fa208b87e829555ea9ff372e64d4f5c721b1d44ba5decf6e6582e7a5aaeffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwEI.exe
Filesize
214KB

MD5
df8f69d08e520fc21b550dc0c9fe0a2e

SHA1
7d95fd2ff152401edd8c5da90a13a53edf8d797d

SHA256
1e1e7fb80272753521574f66bf174e067945fd2cccf0aa5c8e570a03ff7d02f6

SHA512
6003015a26b012a5d7d9a901d3cb02f29cbe67c35d214f6b495699e3de94071b3aea43b4a02395dc681c93a9540ad5737344277a39bf784d3dac9f970fbf3691

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIQA.exe
Filesize
185KB

MD5
1b555ec6d781dd73622247fdb1001ae0

SHA1
79c796bdc3cbb5a2fb2aa9d1910d63a4bf87334d

SHA256
5babdf96756d7f8d53552f67a573a70ba19ec63c9c0093c471b99c359cf5cf84

SHA512
640b490753078050824a9b5316c787c45c044070ac3d4bc39f88e9e605d560fd7a84aea5e56cdc8e9f8e45128070f6094461207cd6ba2d3f60662fd36aa775b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYMc.exe
Filesize
224KB

MD5
d250492351fd4ad9d2a6fb9328c2901e

SHA1
71ac91f063cc2ff4d69ca17be4b27ac32242eb93

SHA256
22b9a91b3fdfb40dc5d03cebee76e2e6eae5a00e7bdf22d2bc251a11ebc87385

SHA512
e622db22f86f7857fd4b2e5a4027282e80e98d9fa64db00fcbff04d3b965ec2e2bc7e0b2b8210ed114b6b8a94b27c82500a76b1a3286151000dce6b0de8c856e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsMi.exe
Filesize
648KB

MD5
766ae7e7e1611fe9e8159faf52fdbf47

SHA1
4f7d22c4ab785e3e55bb749b41fbda4370eb3268

SHA256
fd4b9acde4e26f7818bb29d5f1186721a88896dd74d9c260018d9647405f831f

SHA512
5c5e6cbb074be4b2c3b2a1d75032a6e0da8c3f9dd1b53c11473161bec8d82b4ecbcc0b63ff615697ed316fb66f38424c1945b00659e72de82478296a57a3a19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsQA.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQM.exe
Filesize
184KB

MD5
f295e8f4bd40a9df639bc17ab329d470

SHA1
104b6db0c1671e6151ca280fa5604eb42c4fff9a

SHA256
98c0aa6ddb1d1d5c468ee19bb300b1fbcabaaced185b5f2f3c75ffbc89f4f671

SHA512
420960fe5e522094648b4f85c34a38aad89794bb528127d50b3d7a2c389bf68e5404ed7a9f6e8332c1413217e0430e3835805b133cf79d8fbfa03b573f26e1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMsw.exe
Filesize
194KB

MD5
cdb2e625c625ec72e29827c9bcd187d5

SHA1
4e58d4933fc7c898b746bb5b3f1c2224222c504f

SHA256
a8e95f3cc63c043e875c5ded8523e7dcdb8d54cef53fc6afbcb1695ab32fb6ad

SHA512
0a6f62a1dc90edbdd1112c4d1fc9e2db579da6cf41361f7d23afdfa3ee89a218d1c9d6fbc99b6b92891cddee16678628c5df45c9f5b6c1eb55fe5e3448fb1857

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcca.exe
Filesize
207KB

MD5
4c233fefbc702f9f0956c317a3346cbe

SHA1
ffc9e4dbdf78c934e9c23fdbac06f6ce1d2e6a29

SHA256
d65681c8251d7d5acbf575ed945820a7462d53a6efde3731f506875f2c92a2ae

SHA512
93c847007b7c12cc6491aa24f7aa1a9e9e4596e9e932413b920a3261b6abe5923c0ade2fe78620ea751103cf6634e42d6c836aee3624bb4c7c122ecb126d027a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MckC.exe
Filesize
647KB

MD5
d3868c1373c4fd04b7cbfd8e9e713027

SHA1
89e42168cfb09321f7b26e8e739506951445a573

SHA256
8013087ec07e671e05d3ba753717add9c55e43173772037218547c8bae77de6c

SHA512
ef8a241f0bd9a66fe51d6f324977697eac0662689b9c21b521df3535e244424ca9ea5d8423d3938024cd3934fe3d44e12b850422dbf4acf6c6bf157656ad268c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIks.exe
Filesize
797KB

MD5
86501c8a6024883e8dbac6c952816ac7

SHA1
42b40aef8e17c3707a30f8955dd211dd4ea10915

SHA256
dd6e1c29d08f25aac0cc10125499f387f2d54ef4bb2e6ea70ce923471d19895d

SHA512
22e2221ac30efc04ed8d63b15d9d558238ae0221cd5de25fce983a0c2d501270a742a0c97e9a4e3afe916b6576743c0b8032864dab252fefb1a474752fcd09e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQwq.exe
Filesize
5.9MB

MD5
03f118c31253fcb3ea08d881e9db0e0f

SHA1
db8588d88bfdc17a49936eed10a2c41ef70b97b9

SHA256
7edf03ad8cf89417c034410f0a0afb4fe3342959afd596532d86bd0075f0e43b

SHA512
c6d74742b1984abe99a872e142524e65ce43961928846a826c163be72a9ce828cba54a6d06b586c8b758248485117f4de33856be1dd7b51b3150e6e021235447

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUEk.exe
Filesize
223KB

MD5
59c0a461a545b88f4740a9e8b0914e09

SHA1
0c358d8194d1c064fd914644b84ba400580b2697

SHA256
7a59061bca17a34cdfe68a264fc6acf2ec0076a4fc23062f864c1a7135002ae4

SHA512
dd43f4424a5d599d81e088799cc0a1290e843ad480945cfda0544ae4868b9efd6e6b0f109e284fde67f401ff174daa51d9343e707ac3d587f7f8adf431b99f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYgs.exe
Filesize
195KB

MD5
5b99ce24e0128740d4de6eca783cbba6

SHA1
633e660326ea622485fb71ce780b3cf242a9eadf

SHA256
595af9ba01923352ef448f65e2b35961094fa89dd2e20162565b9863a800460a

SHA512
246e02d134ebd0e36b367915b3120f6ae66c29f01db964ab11fbc0eb776701ae8b3c79485facf9a6ff7616f5e983adc17a452d9c77624ef7d120ff696fc6752e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsEc.exe
Filesize
193KB

MD5
4c450e9be1b3c89cbdbb60725c629191

SHA1
992e118f85b6f461b9c201f03b121a7e3bc1e68c

SHA256
7865c17cef2aae616b7105085f8d2e6c906477ec172350f6a64c136d2db5f5cf

SHA512
02d43a7a95cd1373f81ebf7aafe24307ad609f2e68167963ed1804c0b12d9f03ec816c28d1c2e91afd6ac9b104d7cbf8cbf65818a65ba81fd93e51c1ff0c8142

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsoE.exe
Filesize
196KB

MD5
8a09b21572e3a60f3557757ee6ff36e6

SHA1
c3dadc0af52a67e366e07adbe422860351d97111

SHA256
e3bc6958016a3182def574dedde469e4cae1f142554136d180de63638ead7e7d

SHA512
37f5854bd7f0b617444ca5e730109025aa65948677ea7abad3f8a46f845ba698af610de39b0aeb22d3325dc0ad8cc8c0579886ad2186aefdcce56802d68faafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYgM.exe
Filesize
200KB

MD5
7e440dc17fac497276bb063790f1e315

SHA1
2776b79bd609d84a6dbd0481df0ba9c2fb002ff0

SHA256
e4b179783bce72e13f1fd1145cebcc6ad60aba3b8b28ebdd2b887fb789807e18

SHA512
b22d9df68dce3c313e589bdab055b1086cb1c429d1037bb9e96b633f61f1e376138bbe4bf14ea36ddef0eacabc762b1ad0633ad454235e62bd1caa6342ec61fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qgka.exe
Filesize
231KB

MD5
e1786f6859dfb055fa5672d7ecd5f666

SHA1
30c1365e54acf038a669e9062ff9e617b7d98fc7

SHA256
a029d3faa1f5b5540fd7e6bbc4290d99543b6a9a96542c24b3e3ac344bfdc83c

SHA512
60ad1fbbaa3c8f86e083a1528a95e3a470a9ea8907231a2ecb45c0ab61e6c31a423b2e7437fe547ab375af1b4bbd4c7d7f35bb2bb3523b2728006e56a140f21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkAM.exe
Filesize
199KB

MD5
15f23dbe0fcfb39d477dd411be28c0ce

SHA1
560f32d6325ee826725108a2ba1c35508deac1f6

SHA256
83eb2bd5ca4dec8f801c8132e11a918bd4042d479991b066577bc03e334dd9de

SHA512
1629bea453cc8d29b691118cc234aa6cb0190d41054c5f85a7d14396e29677511f777e8a622d4c326549229d8b2a41c9710d30085e67b2260e0017f167adc026

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkYS.exe
Filesize
985KB

MD5
56d48b9d52173529a59f9070d8d1bbc1

SHA1
554f19fb7180b0f293ef5246eb66632c372262fe

SHA256
119a91465f391ea785bca84cf0a58bdbe3773cd0fa7d8d2b8610a1d36574fe42

SHA512
cb406d3fff406e14adae92bb2fcc7bd70a2cc5b54ec27165537b6d91ab12f58c6031bd054b7c4510d695bbef185dd374005f7b9761ce28f8248af5db8a75367a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwMK.exe
Filesize
511KB

MD5
956d39a0b4b0cb8452487109d10121fd

SHA1
89bea71253a41609cc25ff3805dd92900e2ecd04

SHA256
bf6f80b46be5e3a8373b94f2a3befeca3fd596218f9d78984a1ebc8563993435

SHA512
75186b5e7546a2ddd60381290bd258bd9b71cd1c056af6f39a9b3b3b4264d331c9274e26152f370f88b9832802b16936c3af17e57daef55ad7ad1ab7ecdf655a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwgO.exe
Filesize
307KB

MD5
c6707a576f41edb483d8bdac623df19e

SHA1
82dfc3fb97deaaa40608500abadcf30f155c9bbf

SHA256
86a9b50feea45a581419b43d705335282b6ad114cb613fd16509c71bf1a09d4e

SHA512
2d8b489ee954be110b79c030ed4c16a8ef27d2f1389babbbf851fc394ef65d8a260cbfbd9cfc5fbce65cd56854a96c29ea41a4cac39e8475a538baddef6228ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQcg.exe
Filesize
191KB

MD5
4a212c733901659559df725c9e81dc01

SHA1
39e01cbb2ea21670ac8f15fc0547edee25ea41e8

SHA256
797bbd09405b4147e8558e9f8bd2856a0cb374ea9a2c8cbd2b767b9ddef19041

SHA512
f9574f46091186cb1a1d8be61cde18af3a73c8498359849b3338c99765ee194c4c2452a7a1027b86541d80da8d338a0b9d15a887084b447f58472886e46832e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkoG.exe
Filesize
202KB

MD5
bb9556aab7c34d041fac477397fea5ec

SHA1
cad373d77afef06baa39be552253ca3d734759c8

SHA256
69d61fee03fee7dae897e2081ae09366c7e2c3f1b2bed01211b7bc7005f521e6

SHA512
4964c7d999cf8256c91583d23c47758637dcec002272fe52b8c0b9c69dafe43295f3dca124e7c88950deb45e1c14c4a091af7cbb3852910766b11dd3ca403e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swoo.exe
Filesize
212KB

MD5
a3b69267b2b1dc8c3d6c224cded2f734

SHA1
20c45a76c2cf57344265a0b5bbd5d3b61b39dc49

SHA256
7f0cc4bddb7696368b75bc84cfeada81e91d404fe5127366aae5afeb4c091fa9

SHA512
1293abda92bc24fa474e87b28270a4424652e06ffe89251bae9f1b68594c6b7a7d3d015eb4ca603fbbcdcb7499f8d6825741e295593b02aa313de2945c06c2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEQE.exe
Filesize
218KB

MD5
5c146bad7013bc93f5a531bb32ea446d

SHA1
358f5f160aa0bbb917fd5c32a06febf68254d83c

SHA256
7220c6937ba6e8d868f462524b886d713fdb8ee027fe6f5c357ce3e8be51c8cb

SHA512
5d2889c9ec368282f757268659baa70f1dc9dedee423d422f6bf49a7915fc9327c339768a1a81e35a82a46145bd29688316ccd68d66b8f65b67ba3f323c1c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMcq.exe
Filesize
447KB

MD5
eb2aa76890e83eda9773ee05b76cae97

SHA1
8e67204d830cc6beb0ab06bb19491e0c1eeab3d9

SHA256
381c4c9158bfef68a7239f67f1ee912910d9c80cb607e1604d2332dfcb6fbf7f

SHA512
05f9eb233b942927a7e57f08a19f070b60a24f6b5e17badd9860589e55d0284a9c1b8684077bc033b7bab068bed53b33b1c5b7911e1076bac5680cacf3d7ec28

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYYq.exe
Filesize
805KB

MD5
90b2adbdcba5d3bdec388d4865eab619

SHA1
6b1a4afe410777d8706050a59cc51cb798cac64d

SHA256
dc3b242eaf770f1c30bcf5f44f921a07831d27fd6dc5e410b1140cf7c2a0cdd5

SHA512
184e2263675c1524ec646904cc967a00c515ccaa6431e4f68fd2c9ec8f6b2cb3e968c87f1dfcd205ee3acd652496ddcfafdb24eda98fb73e52f5a51a124a761b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uggo.exe
Filesize
187KB

MD5
3127d15dc6cad02564cb97f5f84a3d9f

SHA1
634c5b655d303c1a993062695b8aa507105f82a8

SHA256
44a94734c2658d222b7591b9870754476d978a1743c664463e7da1fa7c1737cf

SHA512
32041081c331237037d09d6ceb47c23a243505942d68bbb407d586e3f61b8a27d0356093c732cfc95c56d29c7947d5aa1638226b41cea9bb934853533a9937d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIIw.exe
Filesize
5.9MB

MD5
7089e55133d4f821d3e2927af3d558dd

SHA1
d833f96d49da730f64645c63cacca2693a2749cc

SHA256
bce2d794814dc5c0633bf14f0666169769275d7978b08357637aed9dd649d4e8

SHA512
46f81285c480ab5c61f07f1ff39cdcf0579cdd427780c7bd8d0780d420ca9172697e916d59120fb39b6c9637ca914da25c0d61f7f0fc81fa18d98fba1fcf743c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkIW.exe
Filesize
193KB

MD5
42dc00d7f004fec71588ffa76d3028f2

SHA1
09e281184bde9e6f756c88fca184379263888969

SHA256
3fb8c39214743626e80191885af57e801785e350cca62cd1ad76c4c3e3eec78e

SHA512
af662126d810673d1635f381f2c514896a054bf8a4f5f0bad06a66f3eca02f9a894acf3cad0a9abc99bf37969561054347861080577128106ed32f7c64643333

Download Submit
C:\Users\Admin\AppData\Local\Temp\YscI.exe
Filesize
1.7MB

MD5
8014b03108daccd7427913aaca41e137

SHA1
a563bd909bf096f3fb462bd243e8e5f5f83e9710

SHA256
2e435801bccbc9e75e919b9ebbb87d29abd0bcce218a662d03ed520fc98a471b

SHA512
2f05c9c19ea9d39110cb31fc4fe44e51cbf5dc459648c55f48d2a75ff4962fb22d174f2dcbf2d65be195dd1b1ef577312308d9ec688218148db28a468c48b12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIgS.exe
Filesize
777KB

MD5
4f352bcadb70ccbdb3315ef26d5f5313

SHA1
453d5a4c2f021939e7d7c1187f0c85623766cef6

SHA256
12ab083bcd310b1eeef1e91c7820bfa1d65a88ff8c50bc7d85af80aaa6f5c5ab

SHA512
03fbfc300e2234302065511121da28b4a8177340a84ab482f775bcffefac44db85c2007787ed8a42b4d3111a50b9b2a5a9ec84d467df5453df1d6fd7938795df

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMQi.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQYK.exe
Filesize
184KB

MD5
47e0486c35e24e80c993d2e46685b903

SHA1
67f330ed6c07a7466c30cec01ef0b8bf325b6878

SHA256
64162815de916a2ea7e7b618712fe6a907418822dc2736d06d434947915f0dd1

SHA512
b91eebf7e670e6d65504daebe0be95602fdf2ee9754482a9fcb16dcb4d001daca58a6cbeeac45a9421dce6d59f943625237cf9ddf66bacefd35ab3899480fb0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\acYe.exe
Filesize
768KB

MD5
64f08414ff78979b7a3554c5b1661999

SHA1
a8f2f6c958c8227552105c583dd08c1a7572186c

SHA256
14af17e4156b41de683abc81bdbfb5e8fe657a06187387bbb2bdd214ae888b07

SHA512
f0577f69467ece586d4a2d65a32e2d47f0394c350e10e82f044516dc04823606a52f3f0b3d159209dd8d74c58a40863b89f5bf82680b037990016306bfda8869

Download Submit
C:\Users\Admin\AppData\Local\Temp\akoY.exe
Filesize
192KB

MD5
8941048d67deed0ec46186eebd9aac19

SHA1
20a64bfda98ce80dcb2772324051aab1253bfc78

SHA256
f27ac7982a8dee398293eb3a29edf8b06440a03e87b89b9625a5787a71d8a2ab

SHA512
6b33c38a27e538225d2066b816d466d094cd34d953b84daaeb472c96b394aabaf9db0965a05225a3cfe2fce84d26faf48f724ced3ea5a8a7db7dbf64cd3e84f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\awco.exe
Filesize
200KB

MD5
ccd0ac019872d734632897ac0e36f56b

SHA1
0fdb1a5a9594e0470294baf2d2f55414e930ab95

SHA256
a53acccdd5e6660bb515e9a0aa39d414e024fab4ddd0b1e17966b810cde8f6ea

SHA512
472c5332c526acdbfbbdab154dad295e357a4431adc2ad56a14ac914c325fecfb5f9f43a07e2f813d39e31217158225eb2f6a3b9dc6b5ac6f9c55f2c3c4a8058

Download Submit
C:\Users\Admin\AppData\Local\Temp\awga.exe
Filesize
182KB

MD5
6a8f79a143fcd8f677ebe5b0edf8af3c

SHA1
d611817047680cbf646446598c8c57ff6b1334bd

SHA256
f8ee51f5f478b43e66c184450dbce6405770df6651bf2c0c9d62e1f96451f557

SHA512
02f5d4ae7557481b9e8caec070f0a468f1284dd2590ded6a8520b6da719bd57932cdee544f2fb2ebd379cdd53d3ec011b8103b2495d4d38001e49aa3cf6506c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAcI.exe
Filesize
838KB

MD5
33ee5d674a6101d333d2222fc4cd271b

SHA1
20589087eb6dd52dc84a8000afb474902a9a5bd3

SHA256
060a9449001523ffacfc4a6e2cf1feccbf3d8afd073904b5dccd46c057a490f3

SHA512
f06033d346f377a27e7e9e01bf6f92cd355e553b3ed4ba6dc3cfd3c48632293309dc1902f8919c42dad8893a8046167c4dd3aff71e9cd810a09860c9f367ac5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAcQ.exe
Filesize
5.9MB

MD5
b6810ea3b3c60baef877fbcd0217ac42

SHA1
53b789551b1deff37a454e1311cab0063851e319

SHA256
5a72d6abe9e2dc14233a89eef8b18d763ca9e74869f3aed8f78db2c2e527efe5

SHA512
692711245e5dd0b63daeffe30d002e803116cad6193d1df0a58332a07cdfc51ad3262b068870979926aa500d3b31a28aff02dc2c663f033d51b8e5c9e6693f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEUC.exe
Filesize
806KB

MD5
0241b2dd461d5b8c124110c04a26a078

SHA1
7dd67161c6617cfad9ece0a77402e0cae1d26e70

SHA256
8ea7bd1a9bea1e601ca317f595cd77ae812a60b4fa4326c928b9f59d94bec468

SHA512
3a90819f3599a7c6d405a88f51200a4a1324d9638bd856130dfa1ae121bfc0d536fb30786af5616ae9462f26ae8854e5ca617c9114f9af3beb60b2e0f7f4858e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccEm.exe
Filesize
911KB

MD5
464f4ea0ba045fbd5e604e4ba0dce9df

SHA1
81c66d14667a2aa2cae249d5624cff874cafbfd0

SHA256
1e4868b8e481b4a20a31872b06833f9c974dfaf96afe8a804dc2a19f6961bf40

SHA512
48f8da7c4dd9adcaba99c61902699b5fee0ee5d388c711bbd504ab89cf5df237e1651db9fb3600a57c3f13d3086310a5affe8e6c0f95ae15291c08feeb42bbb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eskm.exe
Filesize
231KB

MD5
9e639ce31f6cf6d91d01ea8d00292ab7

SHA1
eba27853b36a7550b469fecf66cc5bbf4581f2b5

SHA256
723a9c16eff89ac20252fa9b076759b892377bcd2869e196164d95e38bada17f

SHA512
f610da4e53b91989f389e24ae404d6ba901c082f5d029f1c19f9c2dabb45ab73ac87cd828593296fc4d2bfffc4e97869c3ac67a5cdd128ae845fae8bf9016a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewgg.exe
Filesize
203KB

MD5
f9b21f8283afd8c98dcfebdf47269238

SHA1
b78721161c17000d4c567d72649a40a3e5deb28c

SHA256
08c59de28e3a5da14f41909021a9a6f208bfbe6c903150e91e5a7fe7d352359e

SHA512
2d5cf917ad8a6a8794c38b2a836787e3fb60a9b68dfcdcded0321ea2fcd1a929db9a246533a0fcb08a1b87d5b5b75e3dce377596aa9efe5a6cd31834aa0bc4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcIw.exe
Filesize
224KB

MD5
c645df0526a2cd91e110fa92732fc028

SHA1
70941b89408c1863a1a5586aea31b5aa10adafd9

SHA256
d32b2a093fb62b0a43d0523f27c7fa4b5ed92f115f703c95a70e4be21a41928e

SHA512
8e6cc22f6b24246c7ee5704a43b13774c83bfbae5eaa6e9d16014c66d301a563dfafe74aac96d5a2faab977111dcfb252381edd0dcbb7985f21e42276c4d5161

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMss.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUkC.exe
Filesize
209KB

MD5
3211fd35c5b5c3b1b2aac08cebfd6821

SHA1
c3b3ed3059905b92b2aad27c7fe413ab407f8556

SHA256
c6e7a75ae3e3dd117cd8901d2c616dfda12e062ec6e61bc9038a0f37bd63b926

SHA512
42e6ef2648af3f805882fcdbdf1670d88fda886d0e0e77fdbf600af512d631cdc7484f51bd363927b78d587bdacc745083dbda0cf4efc8cd5f3057d9cb4e2976

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUUa.exe
Filesize
418KB

MD5
7cdcc62525f74ca819ce854a7e6d02d3

SHA1
359983cbc5c836aa1dec7e6b9ec4c58d47d65324

SHA256
0fff59159b13b7c387282983c66cd434ed254855eab4186f87d6bff63c9ed6e8

SHA512
113743e5e523814416c87562ffd1647b8d7a8b1f8f8b4389a0b6ffaf87819e2e3ba28327a6dde16790c2e16604142c3d47c9153b8ef34e5da00d2dc337818399

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcsE.exe
Filesize
651KB

MD5
6aae1378d4e1180df63c1b11380fda8f

SHA1
23401d458720c2317e7d92bf1030b8df5aee9b94

SHA256
5c750f3e5ec6cbf382cc18de792c28afb40161a129225d93f6cf28defacec771

SHA512
89e279bd651bc2b3d6d5f243294f80193f6f2d1003d2bcab326de65ced3eff3548cbd5bc9d4d75b3a7c5c98baedf94d3139356d52cc428f023637b17304349cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcsO.exe
Filesize
216KB

MD5
135274004250712056d5863e25722359

SHA1
be1801908a4a1e376c1ccb0371e42001b203bc68

SHA256
0ef60408be9ef382d09887b20e9e8c793dfd8440fd3704fdb52993adce94b67f

SHA512
458bc0286c885fed17c049fcc637b420ac82ae19c1ae2ed13feab0fe316cae6e866054d8b6e915c59b49d8839f2524fa42986100118a813a082ec19598cb80c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksEU.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwMY.exe
Filesize
319KB

MD5
fbf278c9fad7f82be4a12442c12e29ca

SHA1
0ff7b98fb1a51713ec5649952ceda0a06a860373

SHA256
44f8b2cc3a6619ed20d749d7e2553f5f08f5d3a89a7e9be8388e6d75372f0515

SHA512
27b0086feae5fecdefc85edc052aff5f847acb87364d8d098bed983accf8a2de04ce192055532dbb8ba86b0898ab55c322328705a76cc623d16bac1e43ce268c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIMA.exe
Filesize
658KB

MD5
8b54fe1a3451d2b084c7e3c3b1173e1a

SHA1
005c42df77b850aa12561e86dc14b641981fd4e2

SHA256
3c11f87fa98b640b3ba4227dd943f8f81122460b0368ec958c6a18b3e564180d

SHA512
31daeca23965ace605dbaa7813d17e6410c41dbe19302a5847d3ef3436fea82ef6d549288fa1ac4fa7688f8dd61d4eb9dac6a7b78639e13fe29c736ff714c7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogsA.exe
Filesize
228KB

MD5
9930b1de4e06c0ee114d42648aea5c31

SHA1
ed6f2cd026af0cc28deeb52d06016cd795ca516f

SHA256
74cc34db66bed48e21b4fe8c2ca6d4479e770278ef576a4c0e18bc00e362ef2c

SHA512
0fc572f55b3954065952942f850b9c16184948ee05ffcb83a7104ca14b80df248b6f7c776263a0708722e410c39d04351c4a48c101369920ea7a5415599fd29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oswK.exe
Filesize
212KB

MD5
32a6ce81f2f07352c874817b79380d4d

SHA1
3de18d21db51091a2f103df57f36560aeff77bd5

SHA256
cf7b145fd1fa02f7b7ea0083574fc6a2630c2ddbce68a260540cc5e8fb6163f9

SHA512
d2b87fea7940cc842b4c100241735909850034aa2215b0bfd64f3ee897f852070d9ea3b1366ba061b41aeaacc8b79f1ff264073f9b9473061ae4d1528485e3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAUC.exe
Filesize
188KB

MD5
12beccf438cccdc00b7b0137677ef1a7

SHA1
81e21f252315c92c8cf02dee4c754a21933bbdf3

SHA256
c1066f7f800d3aa2d6c2ce61291f9aeb025df8db44185b49316da98f685ee7a9

SHA512
4c254e56c7ee43356b3c59fb2c4e079716fcb4e242a50a4df284af0a6bfbcec0762cdb1d77f2c0648375e47b25d5f4fac606b3690b7e8f79a9b57357311ac4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsEE.exe
Filesize
642KB

MD5
1f5f725aa6b4c3ded3433389bcfa6d88

SHA1
78c8b990614bbc031025d400a93051f87f6d779c

SHA256
8a9f626bfa38a310662b5f54a0b6e8472764abd4f1b42a6b1ac5fbe92ae604a3

SHA512
08fd908c9463172f223cbc365feaadac50e4964997d04b2cebba894fdecd8613b647f68b7d51bde76d44b028003eb4b20a1154e4c040b7e4cb88986316f75a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsMc.exe
Filesize
337KB

MD5
6dd76495ff85ef4b6109b8de25ac62eb

SHA1
2d3fbcba777f8524b84ae79e44eab292adc44495

SHA256
427ead9820633e3ec1878f99911e4673531fe33773a1ceba7307a03ce32b4a76

SHA512
51ca6bf034ddf98aadec11f839c141ed47a100e2d50441291d7ac0b0377adca8bf7c73bf99b1bbe15396cd6b38f72e5cc6ea8387338c61dc1b6e52fe782b76d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\swMi.exe
Filesize
209KB

MD5
539750d00d457cc1507b08c9c6602193

SHA1
28fbe8942e5aaf743a6f70404166d68839011b53

SHA256
0d59bdea7dfa4fbf1c434afc0df4c5a3c4e5ba5c6be4756d5d71a457ccdbb06e

SHA512
1a9554e4fbda1132a5b0b7849aa327023982c69a76d6445bd76f8d5f0cd353e7df940b392b0e0bffcb2e6b4a7643b7ab0a86e98146e01606ed1a5dc6e9becd31

Download Submit
C:\Users\Admin\AppData\Local\Temp\swoc.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAEA.exe
Filesize
1023KB

MD5
9691c6233a9453b250bb88e6579abc82

SHA1
6d2d817aa68769e604d173e0bf80edb520b23111

SHA256
2d5fad894e7a9d7456c680f1e4ee29683e9267f8eb944b121f109240ff4bd311

SHA512
f805156fd315c1b1752bcf66b9fb2985ca7e6a18e7b09a4b5a1a4bea368fc95046fb91dfbf395fe200aef1869711909922fde092559d5116756497744578f7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEwW.exe
Filesize
324KB

MD5
ecc0a06275f6a939e9f67ff3c10f634b

SHA1
786bbbbde80356939ae8ec89d5baea2a34fe92bd

SHA256
d02debf884339485a5c6fe18d776155fd6b79d79fe508dd9c5f5289518dc83ff

SHA512
511d10c4c0d33540375cc6910add4acd6b3dfbaf6eb4a446e040f557cfe6081f7adb0c52afca7affcc01820f01b7a22b13d41c632ec87306dfd3660152a02e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIMoAIIg.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIYc.exe
Filesize
424KB

MD5
4a76bfbc960b236dbfa3bc606c3e99b4

SHA1
aa71cdbd7a0c9268b9924e438366247f40d5a63b

SHA256
d7bdccf3cda2dfc8a9a56209d354177e4fa3ad187c8b9ebba80870825aa3251d

SHA512
edaf3b276c89edabc14a37f487c8756143770217e661c46587880218bd84ad75ebfd2893315874cb95844cd412248bcb148acdcae3ebc3c5edc13d319a00ac0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMcI.exe
Filesize
206KB

MD5
215ce02cd22e090200c6631d808844a1

SHA1
20971f2fdf39b3b9000844f6eba69a63d7dcf922

SHA256
af4bc5152e4bd5f9632f2a27834a4d658d766fbc1031c59188539c053c1fb606

SHA512
c29f444330b79e2e8b4ab15758e879a8e76dc6907feaf637886c0d75a1d88beb24c3f03b0924e937a2dbb69d4efc72e5dd425a973224f845d4ec58ed9e9bcb9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgMy.exe
Filesize
192KB

MD5
bae177041af295cb9768047cdde861c1

SHA1
08176af28bdf5a183ed0f56f1e9cbc146a970db7

SHA256
29727c13ba0312abb2dbc6f9607a77238a03658640c20fc674889a38b4cad74b

SHA512
ac5914f1139b5cef7e3f53cac0efaa7a8e712ad3ca3e4c565157d17b1fc25ab47e3ce14fe89868e107615dd3b1a245889032aed636344a44aca101b5600d9352

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsoy.exe
Filesize
187KB

MD5
7e2dc55b9903cfc4c97f5d669df18fc7

SHA1
fef967cef7506f20b1e5e9b65a9d9be0c4915cae

SHA256
268a98b6c6b0f81feb27cc6d073608e95a41aeb047a4df285e336d535b8dc5fc

SHA512
f5d0c0e96b1b33efd578223c2fd550f5d2ccc5165ec2a74b4e2f0880bb719e0ed00f85cc40b753ab7bc264f1147b5d12ebca7eea72b414e8e464a871b2737803

Download Submit
C:\Users\Admin\AppData\Local\Temp\wswc.exe
Filesize
184KB

MD5
a1d313bb3cc523551b26b90a6bb3fca1

SHA1
4b566fd938fe3c7cbbf6811e2b2aa9a5a90f1e88

SHA256
9fb9ea52d3157e1ffcc85406a05af0cc1365656b1e8ae3a39fb027081a020b1e

SHA512
ea17de0cd16a7b28aec7c45d4eae3eb6d4a21920897658c12b9cc01b5fdcf257d0a10394a635541bedfa70130f931bbb08648da92ad8a72e1bfefa3394b4a242

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwIm.exe
Filesize
202KB

MD5
eb117737af9617bdc3cafafe7383bddb

SHA1
8680f1e3a7aa3d62358737dd297d31dbba59f494

SHA256
78de8a235ef1d7da835423535b36f8040395799f06f67d76cd5205b514c33a7c

SHA512
ec0bf1d7a2a06481769abe69ea2d2252680f80f44f6ac81c9ae51d8f0125ff2c642ec9bfd626579189b0ca96cfb818603ace041a8be77c3fd712a29d017759e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwIq.exe
Filesize
187KB

MD5
301064850fc78b8fc7dfad01f6ebd10a

SHA1
eb78f81226fcd36b080bf49255c0609d3b36acc4

SHA256
49d41a976d93aebaac8d2cb5a66cc353f5ff9608ed9e07888ec8fe32348138b9

SHA512
7ae97b2c76ae72d4c90cd34000c30d77288cffe235eaa7dc5b96930a27fffd25e10605c2e1b22c00428d8d2c7bf78ef3e86ae0a7fded9a794076d49c45dd6ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIIC.exe
Filesize
194KB

MD5
dd568c4d10fed9ce112ad1c12d96f703

SHA1
8dd9cf9625f10a93ec34f66d3341fa79a6600167

SHA256
0332e99431d81e3eb3472fad0f52e8615cb824230eca6a82ca956187699799bb

SHA512
cf089b055e129189e04e3802a03a2555f82eed1e004c56155892374a331e116c56725b65c18dd529f368895d1532f4b4ac2b8e629afd0477db4a2982c6e3c998

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQAA.exe
Filesize
196KB

MD5
3fd762cad18270d9ea60ba827ee4f497

SHA1
b6bdd24db8d9598a873125ff40b86627de026c9d

SHA256
80e70af0369732e0439555e89b27429062023bb7f8c79b4050b1e43a96749e11

SHA512
d28bbdf6e451282083290bfe4132607ed16f3f84d548bad2daed56816ce2ff241b9d6d88c5a9f0c7a3177977c401d33d4e1048e9735fe24fd920b05ca1e29ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUAa.exe
Filesize
200KB

MD5
2238883db75d72db5a9e5b602907de42

SHA1
02e2b76505013d2ccbccf1a6a8b93d0e58a0bc17

SHA256
4a7138c0ed3cc74a128418ef368bb1fbf91c0ee7d61c04568264c16da551e1b6

SHA512
8ef6946a7ca835ff5122c7ab6f66c0e01d7a4e42af1e1a18679a0f961f57ff8c2bd57f02481ba0bb9c4397d1aead1335f8f91b61ea8200eb389bf919a790972c

Download Submit
C:\Users\Admin\Music\DisconnectSelect.rar.exe
Filesize
709KB

MD5
c73f532b234789f29fccfe5a476ebee9

SHA1
84044b2c783ae62a0ea22fc679c596da22e5114c

SHA256
95ba78a035e0957bcdd6290db79ed6906b1d05e158fc28747cd7c613adfcd134

SHA512
d33f917cc6e2139caa0eb41a1a1a1fb2356ca2d675935826260a85895cd1e9b0bef466efacadebbf034c97b0dbb2fa113f2f03165b06849e64251d912c7be928

Download Submit
C:\Users\Admin\mkQgEMgw\LGQAcQkA.exe
Filesize
179KB

MD5
698adc05b3f44b88a2d0196b3e91e9c2

SHA1
cbb617cf1e12c5d134a3b657de8d61a71faf0f44

SHA256
125274be4406cb2f5c98af51d5db015c1261502624e0fc9921b51160427ecb67

SHA512
e458ebca0f241d1f86380998be9ac49b49f008c428cc127a5ba2902a106327bf272dfe656fe2b788204320bc53e91ac2b71ed3cbff805ce8a7eccc247d28a61b

Download Submit
memory/504-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/504-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/580-456-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/580-463-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/624-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/624-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/676-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/676-70-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1092-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1124-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1124-142-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1276-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1276-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1284-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1284-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1304-536-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1392-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1392-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1444-380-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1444-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-91-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1648-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2136-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2152-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2320-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2320-482-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2488-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2488-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2488-206-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2496-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2496-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2576-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2576-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2576-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2576-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2744-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2948-202-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2948-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3016-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3016-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-500-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-489-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3088-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3088-43-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3200-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3200-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3208-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3208-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3248-181-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3248-166-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3512-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3512-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3544-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3544-227-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3568-555-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3860-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3860-537-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3948-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4048-30-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4048-46-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4068-528-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4068-516-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4100-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4176-69-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4176-83-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-481-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-265-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4608-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4608-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4608-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4728-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4728-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4892-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4984-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4984-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5008-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5008-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5060-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5060-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5064-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5064-194-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-501-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download