082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113

Analysis

max time kernel
150s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
Size

273KB
MD5

455a7fabe1641afa6940f7537d7cee54
SHA1

dd544da1945c8ea26acd229eb8712378d0225227
SHA256

082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
SHA512

8e7547c8d2e73f5e3b9ca65a0d80436d5e83dba239c03801e56a708c31952f857364d4a486de507c6e589072b01b38f28939401634e0728a7659bdd339b48238
SSDEEP

6144:jV0X5Gl3WlRYgwERjDuV7hOWC1ECIg6dY1c+V+th:je5xkyRjD2cWWHtaYy+0

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VqYQoQwg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	VqYQoQwg.exe

Executes dropped EXE 2 IoCs

Processes:

VqYQoQwg.exeNYEAQwck.exe

pid process

2788 VqYQoQwg.exe
2816 NYEAQwck.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exeVqYQoQwg.exeNYEAQwck.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VqYQoQwg.exe = "C:\\Users\\Admin\\GGoMsMEg\\VqYQoQwg.exe"	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NYEAQwck.exe = "C:\\ProgramData\\KYYUQsQQ\\NYEAQwck.exe"	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VqYQoQwg.exe = "C:\\Users\\Admin\\GGoMsMEg\\VqYQoQwg.exe"	VqYQoQwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NYEAQwck.exe = "C:\\ProgramData\\KYYUQsQQ\\NYEAQwck.exe"	NYEAQwck.exe

Drops file in System32 directory 2 IoCs

Processes:

VqYQoQwg.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	VqYQoQwg.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	VqYQoQwg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1988	reg.exe
452	reg.exe
1604	reg.exe
3940	reg.exe
4464	reg.exe
3188	reg.exe
4964	reg.exe
316	reg.exe
3288	reg.exe
1564	reg.exe
4204	reg.exe
3712	reg.exe
1012	reg.exe
1492	reg.exe
3452	reg.exe
1352	reg.exe
4952	reg.exe
1188	reg.exe
1808	reg.exe
3212	reg.exe
444	reg.exe
720	reg.exe
4740	reg.exe
820	reg.exe
1720	reg.exe
3956	reg.exe
2876	reg.exe
4612	reg.exe
2196	reg.exe
1540	reg.exe
1132	reg.exe
2572	reg.exe
4612	reg.exe
4272	reg.exe
2528	reg.exe
704	reg.exe
704	reg.exe
1476	reg.exe
4780	reg.exe
1564	reg.exe
3772	reg.exe
1376	reg.exe
1564	reg.exe
4220	reg.exe
748	reg.exe
2196	reg.exe
3188	reg.exe
4220	reg.exe
704	reg.exe
2696	reg.exe
1488	reg.exe
2972	reg.exe
2316	reg.exe
2984	reg.exe
3240	reg.exe
4396	reg.exe
2892	reg.exe
2072	reg.exe
4468	reg.exe
1872	reg.exe
1824	reg.exe
3028	reg.exe
792	reg.exe
4716	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe

pid	process
1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2592	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2592	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2592	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2592	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3352	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3352	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3352	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3352	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
4072	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
4072	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
4072	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
4072	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
452	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
452	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
452	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
452	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3220	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3220	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3220	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3220	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3272	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3272	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3272	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3272	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3308	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3308	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3308	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
3308	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1720	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1720	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1720	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1720	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
5020	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
5020	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
5020	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
5020	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2280	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2280	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2280	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2280	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2848	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2848	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2848	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2848	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1124	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1124	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1124	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1124	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
452	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
452	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
452	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
452	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

VqYQoQwg.exe

pid process

2788 VqYQoQwg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

VqYQoQwg.exe

pid	process
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe
2788	VqYQoQwg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.execmd.execmd.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.execmd.execmd.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.execmd.exe

description	pid	process	target process
PID 1568 wrote to memory of 2788	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	VqYQoQwg.exe
PID 1568 wrote to memory of 2788	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	VqYQoQwg.exe
PID 1568 wrote to memory of 2788	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	VqYQoQwg.exe
PID 1568 wrote to memory of 2816	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	NYEAQwck.exe
PID 1568 wrote to memory of 2816	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	NYEAQwck.exe
PID 1568 wrote to memory of 2816	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	NYEAQwck.exe
PID 1568 wrote to memory of 4824	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 1568 wrote to memory of 4824	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 1568 wrote to memory of 4824	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 4824 wrote to memory of 792	4824	cmd.exe	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
PID 4824 wrote to memory of 792	4824	cmd.exe	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
PID 4824 wrote to memory of 792	4824	cmd.exe	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
PID 1568 wrote to memory of 2192	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1568 wrote to memory of 2192	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1568 wrote to memory of 2192	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1568 wrote to memory of 3288	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1568 wrote to memory of 3288	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1568 wrote to memory of 3288	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1568 wrote to memory of 1540	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1568 wrote to memory of 1540	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1568 wrote to memory of 1540	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1568 wrote to memory of 1508	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 1568 wrote to memory of 1508	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 1568 wrote to memory of 1508	1568	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 1508 wrote to memory of 2540	1508	cmd.exe	cscript.exe
PID 1508 wrote to memory of 2540	1508	cmd.exe	cscript.exe
PID 1508 wrote to memory of 2540	1508	cmd.exe	cscript.exe
PID 792 wrote to memory of 4988	792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 792 wrote to memory of 4988	792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 792 wrote to memory of 4988	792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 792 wrote to memory of 2448	792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 792 wrote to memory of 2448	792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 792 wrote to memory of 2448	792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 792 wrote to memory of 3952	792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 792 wrote to memory of 3952	792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 792 wrote to memory of 3952	792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 792 wrote to memory of 2660	792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 792 wrote to memory of 2660	792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 792 wrote to memory of 2660	792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 792 wrote to memory of 1360	792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 792 wrote to memory of 1360	792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 792 wrote to memory of 1360	792	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 4988 wrote to memory of 2148	4988	cmd.exe	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
PID 4988 wrote to memory of 2148	4988	cmd.exe	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
PID 4988 wrote to memory of 2148	4988	cmd.exe	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
PID 1360 wrote to memory of 2220	1360	cmd.exe	cscript.exe
PID 1360 wrote to memory of 2220	1360	cmd.exe	cscript.exe
PID 1360 wrote to memory of 2220	1360	cmd.exe	cscript.exe
PID 2148 wrote to memory of 932	2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 2148 wrote to memory of 932	2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 2148 wrote to memory of 932	2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 932 wrote to memory of 2592	932	cmd.exe	cmd.exe
PID 932 wrote to memory of 2592	932	cmd.exe	cmd.exe
PID 932 wrote to memory of 2592	932	cmd.exe	cmd.exe
PID 2148 wrote to memory of 1220	2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2148 wrote to memory of 1220	2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2148 wrote to memory of 1220	2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2148 wrote to memory of 1744	2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2148 wrote to memory of 1744	2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2148 wrote to memory of 1744	2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2148 wrote to memory of 4164	2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2148 wrote to memory of 4164	2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2148 wrote to memory of 4164	2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2148 wrote to memory of 4760	2148	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
"C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\GGoMsMEg\VqYQoQwg.exe
"C:\Users\Admin\GGoMsMEg\VqYQoQwg.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2788

C:\ProgramData\KYYUQsQQ\NYEAQwck.exe
"C:\ProgramData\KYYUQsQQ\NYEAQwck.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
2⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
4⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
6⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
8⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
10⤵
PID:720

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
12⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
14⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
16⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
18⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
20⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
22⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
24⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
26⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
28⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
30⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
32⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
33⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
34⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
35⤵
PID:3352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
36⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
37⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
38⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
39⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
40⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
41⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
42⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
43⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
44⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
45⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
46⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
47⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
48⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
49⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
50⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
51⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
52⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
53⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
54⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
55⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
56⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
57⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
58⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
59⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
60⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
61⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
62⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
63⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
64⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
65⤵
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
66⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
67⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
68⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
69⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
70⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
71⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
72⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
73⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
74⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
75⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
76⤵
PID:3500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
77⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
78⤵
PID:2748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
79⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
80⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
81⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
82⤵
PID:4080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
83⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
84⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
85⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
86⤵
PID:3356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
87⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
88⤵
PID:60

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
89⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
90⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
91⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
92⤵
PID:4552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
93⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
94⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
95⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
96⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
97⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
98⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
99⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
100⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
101⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
102⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
103⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
104⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
105⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
106⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
107⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
108⤵
PID:1476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
109⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
110⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
111⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
112⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
113⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
114⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
115⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
116⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
117⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
118⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
119⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
120⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
121⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
122⤵
PID:1720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
123⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
124⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
125⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
126⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
127⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
128⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
129⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
130⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
131⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
132⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
133⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
134⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
135⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
136⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
137⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
138⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
139⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
140⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
141⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
142⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
143⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
144⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
145⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
146⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
147⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
148⤵
PID:5004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
149⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
150⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
151⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
152⤵
PID:1584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
153⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
154⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
155⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
156⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
157⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
158⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
159⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
160⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
161⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
162⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
163⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
164⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
165⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
166⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
167⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
168⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
169⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
170⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
171⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
172⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
173⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
174⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
175⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
176⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
177⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
178⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
179⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
180⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
181⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
182⤵
PID:1580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
183⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
184⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
185⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
186⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
187⤵
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
188⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
189⤵
PID:728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
190⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
191⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
192⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
193⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
194⤵
PID:3448

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
195⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
196⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
197⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
198⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
199⤵
PID:3080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
200⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
201⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
202⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
203⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
204⤵
PID:728

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
205⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
206⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
207⤵
PID:3460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
208⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
209⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
210⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
211⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
212⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
213⤵
PID:3352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
214⤵
PID:3948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
215⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
216⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
217⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
218⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
219⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
220⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
221⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
222⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
223⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
224⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
225⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
226⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
227⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
228⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
229⤵
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
230⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
231⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
232⤵
PID:4312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:3564

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
233⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
234⤵
PID:3620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
235⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
236⤵
PID:4456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
237⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
238⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
239⤵
PID:444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
240⤵
PID:116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
241⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
242⤵
PID:3284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
243⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
244⤵
PID:2472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
245⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
246⤵
PID:728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies registry key
PID:720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:4116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
- Modifies registry key
PID:1564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SykMUswk.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
246⤵
PID:2984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:2328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:4716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCUkogso.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
244⤵
PID:704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:1824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:4140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:3272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
PID:2812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQEEMsoc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
242⤵
PID:1764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:1656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:2528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:4760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkYgUMYg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
240⤵
PID:2028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:3624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
PID:3460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- Modifies registry key
PID:792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keMcAIAk.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
238⤵
PID:3104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:4204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
PID:2892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:2728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMgoEwQc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
236⤵
PID:2984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGwEkAQw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
234⤵
PID:5040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:1464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:3736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUsYocAM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
232⤵
PID:2024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:1132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCcMIcUA.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
230⤵
PID:376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqMIIAsc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
228⤵
PID:2448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:4700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sacsskUY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
226⤵
PID:4796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:4780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
- Modifies registry key
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XyoAUEoI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
224⤵
PID:2700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
PID:904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUQEYMks.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
222⤵
PID:1264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies visibility of file extensions in Explorer
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIYgQcgU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
220⤵
PID:3408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
- Modifies registry key
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMgYYcAo.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
218⤵
PID:4248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies registry key
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
- Modifies registry key
PID:704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOsooAMs.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
216⤵
PID:1544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
- Modifies registry key
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMEYokAA.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
214⤵
PID:4716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
- Modifies registry key
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqkMsoEY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
212⤵
PID:1768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies visibility of file extensions in Explorer
PID:364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwMocIoY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
210⤵
PID:4964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOUkEsIY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
208⤵
PID:1292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:2700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmMYYkQM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
206⤵
PID:4264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:3640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
- Modifies registry key
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egAQYwYc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
204⤵
PID:4248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmsAoUgo.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
202⤵
PID:2848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgsAoUsE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
200⤵
PID:4780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIcIMUEE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
198⤵
PID:3116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
- Modifies registry key
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgcEIAUk.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
196⤵
PID:3888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
- Modifies registry key
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
- Modifies registry key
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ausogYEc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
194⤵
PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmIcEogU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
192⤵
PID:4312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- Modifies registry key
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoQsEYgA.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
190⤵
PID:2804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies registry key
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsAcMEcE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
188⤵
PID:3196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:2764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWggccUM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
186⤵
PID:1132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMoQkQwY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
184⤵
PID:3712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkwQQEEI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
182⤵
PID:2340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies registry key
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
- Modifies registry key
PID:1476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAMEcEgI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
180⤵
PID:792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:1068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZugAggQY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
178⤵
PID:2448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
- Modifies registry key
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmYQkEYg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
176⤵
PID:1508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOQwEEkw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
174⤵
PID:3896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
- Modifies registry key
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmQIsIYA.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
172⤵
PID:3564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
- Modifies registry key
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSQcckQc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
170⤵
PID:4296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGkAoMgU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
168⤵
PID:4232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGUQcgYE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
166⤵
PID:4356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmggYAUw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
164⤵
PID:3564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwUgwEYg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
162⤵
PID:3836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksgYwoUw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
160⤵
PID:1396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEwgQEIo.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
158⤵
PID:5052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwgIgQgk.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
156⤵
PID:3668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqocYUUo.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
154⤵
PID:1264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiowQEAw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
152⤵
PID:996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuAEgEog.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
150⤵
PID:3012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oawMwoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
148⤵
PID:1824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AiEQoQIs.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
146⤵
PID:1264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCQYMMcI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
144⤵
PID:4964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIgkIUYA.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
142⤵
PID:3012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:2800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:1548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqYkMUwA.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
140⤵
PID:1516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UikAoEkc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
138⤵
PID:3888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
- Modifies registry key
PID:3712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
- Modifies registry key
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUggwoYc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
136⤵
PID:3940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
- Modifies registry key
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsoEYQck.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
134⤵
PID:1620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgcQAwkM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
132⤵
PID:3220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:1396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
- Modifies registry key
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xewogkkM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
130⤵
PID:2876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:2968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEUYEowI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
128⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQQQskAM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
126⤵
PID:3896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:4264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqYwkoEw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
124⤵
PID:2296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:4236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwwMUEAw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
122⤵
PID:2584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:5000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkEEMAUI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
120⤵
PID:4336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:4876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYMUYIQA.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
118⤵
PID:720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:1064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYgssUEw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
116⤵
PID:3924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
- Modifies registry key
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuMQIAEc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
114⤵
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:1464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyEsAokQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
112⤵
PID:3912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
- Modifies registry key
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmcEcYIM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
110⤵
PID:1796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeAUwcww.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
108⤵
PID:2196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:1580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:3188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYgYcwAU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
106⤵
PID:2960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:3736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMcUoIAM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
104⤵
PID:1188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:5052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
- Modifies registry key
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqUQMIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
102⤵
PID:4704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:3520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- Modifies registry key
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWEkYwcs.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
100⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCowYEUY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
98⤵
PID:3188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
- Modifies registry key
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- Modifies registry key
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSEQQYQk.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
96⤵
PID:1544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:1376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
- Modifies registry key
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMwcIogA.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
94⤵
PID:3352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:1064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYkUUgAM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
92⤵
PID:2700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:2232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
- Modifies registry key
PID:704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaMQkkEo.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
90⤵
PID:3324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:2876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:4248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaYMEwEg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
88⤵
PID:2280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:4844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:3192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:2892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoEEkYMc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
86⤵
PID:1108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:5064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:3576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:1604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaMgYgYs.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
84⤵
PID:2124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:2324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOwsoQgg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
82⤵
PID:3236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:3988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIMYQwks.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
80⤵
PID:4504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:3116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:4340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KksgcQEw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
78⤵
PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
- Modifies registry key
PID:704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
- Modifies registry key
PID:1376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:3736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REQgIssM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
76⤵
PID:1548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:1720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:3556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIkEgkcI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
74⤵
PID:432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:3912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:4392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIowgYAU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
72⤵
PID:3108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:5076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:1292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkEEMcUg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
70⤵
PID:2584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- Modifies registry key
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQAwkAME.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
68⤵
PID:1116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyQEEggo.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
66⤵
PID:3668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:4264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:5052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCMUQswQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
64⤵
PID:1744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:3736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
- Modifies registry key
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umAgAUsI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
62⤵
PID:3356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCAQEMEk.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
60⤵
PID:2236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies registry key
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeAwYQgM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
58⤵
PID:3352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HagscwQw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
56⤵
PID:3520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEMAAIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
54⤵
PID:2540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RksksMos.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
52⤵
PID:4356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies registry key
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUQYAAEs.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
50⤵
PID:5040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcwUQsME.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
48⤵
PID:3408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUUQgAIo.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
46⤵
PID:1984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWsgAgEg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
44⤵
PID:3712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies registry key
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGoUcoMU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
42⤵
PID:4140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- Modifies registry key
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaQYUMow.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
40⤵
PID:1068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqQwocco.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
38⤵
PID:4144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SeYUssAo.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
36⤵
PID:1464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:3736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
- Modifies registry key
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIMUQMkY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
34⤵
PID:668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIEcAYQA.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
32⤵
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSMoEMAw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
30⤵
PID:2184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:4964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIkAQssY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
28⤵
PID:536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:4316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwEQMQcI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
26⤵
PID:3208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- Modifies registry key
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycoMwkYg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
24⤵
PID:3500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCkkMEAE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
22⤵
PID:2528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:3288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmgEYsMI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
20⤵
PID:3144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmcwMgAM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
18⤵
PID:2932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQQgQMwI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
16⤵
PID:2592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies registry key
PID:820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWAIYsAc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
14⤵
PID:728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwkYgkoo.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
12⤵
PID:4824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:4740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- Modifies registry key
PID:3772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGkYwsAg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
10⤵
PID:4860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWUYcMAY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
8⤵
PID:1808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAkUMAQo.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
6⤵
PID:4760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGsEEgkk.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:3288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYwsYcwY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2540

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 2d211e182c3f6a143a7b4d718fe9983f cHcqgO0aFESLKlzkNKqyAg.0.1.0.0.0
1⤵
PID:2992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5016

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5056

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2220

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv cHcqgO0aFESLKlzkNKqyAg.0.2
1⤵
PID:1676

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KYYUQsQQ\NYEAQwck.exe
Filesize
196KB

MD5
a5329875c66564666abe62acc4f24f9f

SHA1
28ef38636ad96097aad32c1c709effa34a3d7087

SHA256
961e4deffb0c1a82e068e1e90a2d1432c63b430153214772cddae1e7a560e0b8

SHA512
4ab9060e32dbfa1d886c67771200d477ba56ee2d5aaf7907cc8cd2e876716b913fcb012a248ee297e5d7d9c8d45d37ab29987c66aba208513ef0c61e1be93606

Download Submit
C:\ProgramData\KYYUQsQQ\NYEAQwck.inf
Filesize
4B

MD5
6a7d0115575210e2ec5e1eb3bb6bbdaa

SHA1
0bc04be315c846c33bafcc3bf3bb13ab31357ade

SHA256
1971d467d0a502a00b46f5eba5456aae06d784097b2364b27748b006f9c0aec1

SHA512
d228361e57dabb283343cb1b1311a880727d53f28664d4c20b50dfb22e9237342342ce50f75c5caf2c7175ea6e9548c3ae544f5cdd8e377a52cb37307cee2967

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
214KB

MD5
414027faf1ec854a95fab296a632efe6

SHA1
1c43da3c67a36d9a93e7d724442d10f6340a04f1

SHA256
135ab3b4bd067c84d98571ebcdb3b6cf41dd59c201b739ddd8f74ee8c171f1ba

SHA512
1fee4f0ff1818d4d10ebfaedd0e5751f565b1538db5f2cb039b2ae1e6614f378fcedcd58abdc2a66c5dde923840a8d56e0d442b55b21e73f48a41968e23de375

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
310KB

MD5
e3820c35faa1249ab259f8250ff70b2b

SHA1
ac7a2cdd239da25d5cc2b045595e351b7de1af01

SHA256
ef980febe08595965644e0dc7d54315fbee48ae8ef428976658fbb4c8d88fb61

SHA512
fa725459291ee50f262eaf13f3c423cf01641821a538d5aab0dfef63e8e67e8e336d5eae810e9aca6f50694bf767ec8ba307e569d74c84c81689b99db0a8885a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe
Filesize
184KB

MD5
bceb685ca6b7e608732dac68a037e33c

SHA1
ecf1f6f60eeb90cfa42b5dac9753b01b27bf2621

SHA256
9dd2f9aa16a360ad3f2c7a4be3c39b1eb4ccaadbfbba6527fe3e11c695e312d9

SHA512
89bbb81bfc7efa44300eb673e556c4fe89e233a62026573ffcb1ec618f55caba91055f299545226a003e26225112969541e73405079f37bae230a5ccb55d3c10

Download Submit
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe
Filesize
793KB

MD5
8085dace216f4471fc822beb2c4ece19

SHA1
c3a80b3dbfff2f602e31102038aa711b4f6d5eed

SHA256
d1432ba924cbd01457f9e81ab0fe06a494159c3a3cc8cf0f339ee8bea888c18f

SHA512
3c907fb478ce4dcb8aedf2f897fed1ad083eb08786344926fcaa04ef74feaa5f4fa6b90d2debbfd1ab4f9edb90374b49484f7f65527b5edcf1840cac9350f3a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\128.png.exe
Filesize
188KB

MD5
10b0b3133ba7194a72f560c1b6d9cd16

SHA1
fc479a8831817cb26e40576c239dfbf21b9d7728

SHA256
373ae0b1c14f6fa7b300234e0d93efa9052bbb574aba034be8e4ac72fb934c0b

SHA512
f1c39f61f2cbe1b2bb89300dd4ac80e32d6a65b20beab1d346f3f712786c748bd37948841025082bc002a570a70b147243e9bfa9ae4c9cfefc8cf9c7f05a5499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe
Filesize
198KB

MD5
b4c260d298944aae384ede4df92240e2

SHA1
3a50e1a6b64f4a5aedfd2d4b7add546a52d75f52

SHA256
8ccc78cb2594b78e9790fbd00f8cf663663f8a7ebb6148fdbbb2e42b2f50b615

SHA512
f153980be59f84cb89850c2629c1441c0019212b9d54a3bf3aa4810a9450c1437923d933b0199c2a8839179ae6728a8cbd9c27e92d45b65b2ade571db92f6e67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe
Filesize
227KB

MD5
0457b516cbaa51ed48870313d8c59129

SHA1
28fa828699f97101b4f4709bdfac608b527ca560

SHA256
f25d5a911c16de65c053bd7c322fd9ae44432b5e06e4cd99e963da65ccff031e

SHA512
2de51b425559d868a4dcbaeda31561c5b3b70ab04b288dde5db16ecfeb6c5d48dbc364f4765f19ad395c542779cad3965543b06902d9bf9b02fe6e002231c34e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe
Filesize
186KB

MD5
d9fc368a4d0465777ffb4a1091b21044

SHA1
773295b6f889075510aef05c768259b1d65b41eb

SHA256
5ecb5671cb4cc203cd0ce234ad2bf0dbb0040771f4ac3380d065c613d6c6fb72

SHA512
62e67a3866afee6cca0d482f25ffcebb65f6ab24bdc8e8d493192cdb78129d804214d962a758b8e5c4d82f76df34f80c5b80211e7a578178586c6a18a9fe3207

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe
Filesize
183KB

MD5
b20ce39c0c37eec5ec7a4020563ee53d

SHA1
00514ff7e9236baabd6b3ca67f0457c396018cf3

SHA256
1a04cbd2df2725363936911d49af685fb9221a21b1f2b16c3ece3e29f602e9b3

SHA512
f7aaacf81266bf0a24d603cb697e5f6a3d891592e920d1bb0b6cc92ca721754887d4f9effe3a73005553c1a483cdab03dc6d23f53c4d770f40bb8737c491256b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe
Filesize
200KB

MD5
da6c55336363ed10052e1a63561e42ea

SHA1
e4a349f7ad27f418a2f9b912a12289921321f170

SHA256
59c0a2a60b2ea51ad4c832c19679ebf2578c4df96bdccbce2dbd1f314e6f0377

SHA512
1f161da1420c7a08bb3968edafbb2ec9de38243e2f884f4e097156344d5f2049cc71d312d5e051df653d016c26848e0faa7a5f78491814be3b9d2471db8cb430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe
Filesize
184KB

MD5
e066f536cd855618e790c410bcbb3e2a

SHA1
90ebbaebda13e80e40add1ee9df5b632b44e6991

SHA256
de3fcefd96e33cc61c17634cda9f6381f6f714d94c307767651a6d27a5988633

SHA512
2468380fe7574cbf3bdce1d5500ad96e4553266ef6f9b90cf82f317b2c32866c89edef89fda71126bc08105dd60363711d6da35fcffbeeed194c280285557aa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe
Filesize
182KB

MD5
416301cf18c08bb1da43290ec62c4f02

SHA1
badeb30a30fba35210b4478a474a8f08f00c4c2b

SHA256
6168ef1894f03bdd36ad08a230fc961b293e07842dc939fad01c471de2bbb18f

SHA512
3ece1609a895a555edc729330bf93c6f51fc0cac82d51797815aa9f199718b8ae19120c836428a7070f0d25a52f13facd8c2b95acf8c2ecec6fa9dee51096466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe
Filesize
195KB

MD5
1973d0128263f178d0492ce5c16e6036

SHA1
488ea16dbd9b31da6e3951b38e110c9178749371

SHA256
ab6a75e674a3e2b02782bb38b2b01b2b28fd1fb73685fec0454fcdd7e1f52667

SHA512
03b45ac449d1cdedfdb4ca8faa2286153d9037cfd725bc9d1dafc2a4baeb5769257c5405139581d302daff905e5f008aef991e067672ff86500830edc2815d08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe
Filesize
201KB

MD5
e367ea964f70e871660e14f87f042410

SHA1
57488598fddb9c53c532391d8ce925e24f57133c

SHA256
2d4dd0aa0e05439a67501d0a661e8c53cbac9a498b93983091421b165194d9b6

SHA512
9f40846800c4f0f1e788050171371a0f6556af01f8f53c951bd51b66ccb45dcdb9e9943d24bf1d42c26826f8361a4cbffe28fba46f481f9b5a0f95c0386e244b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe
Filesize
191KB

MD5
e7024e5d5b1c59acf81bc684b855a125

SHA1
279d15abcc9523ba6e51c6a439f85e06de6d7e42

SHA256
037cf380292701bb5acbad9ce95ac18e7d60fbfd5be887a28bf6956957598b6e

SHA512
9aeb922cec84f70bb742fba025c6b5723f725f1e43af29638b939c5c6927f52279b2057020bc4f651004d48ded8e179e462d6948fd9905cb8382543f44e7568b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe
Filesize
192KB

MD5
d5b7e5e9878be93bbe567f8bd3c170b7

SHA1
620e68a26bca32023569e85f06f1df2c94f20355

SHA256
86ecfbafb6c1bab40e76e04017a7ab3abd4f28921bf0805b2a7142d5b44d6a4c

SHA512
76191958a1b8c842d200480b555ff91546750a12358ab94ed607134f25487817b16b22803510dfadd03413911e4cfceca4e4fd8943e9aaa4596d3fcbf8f94c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe
Filesize
203KB

MD5
0dbb147e2fd448f8c2d241f0a50579fc

SHA1
a65387f7f45b8f8ab6e4f26c2bd336cfb00dfb22

SHA256
b2ee22db47cd1a7ff2bf3164dd4d5cbd6da01441483dc602aba70d9ca6d52e82

SHA512
6571d72a9c2d6fb35db3406901f69497c76ba99d3de0893b16ae0138954ddc1bb5ee135c26b42f95d7dd0486ff619e8f9a32c4eb3814148b45dc2d83303393af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe
Filesize
204KB

MD5
f49bbe89cda33217ad082a772f0a83ab

SHA1
7b11e57f21c89a0d0e45c8ec8bab27391885d874

SHA256
ca1978d9613bcc4a81b7004a5b1cc099b3b95935a9b6ebbb9917dea4434e392c

SHA512
94dcd93515d06308e36926940b9e971e611faf794cfaf6bf582b4cb2f301c5e8ea765692a5c1ef1a98bec3ca39dd757294a9367e50cf64cc905a1a1a406a4948

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe
Filesize
203KB

MD5
8d900bfb56dce76675c9f088f40442f3

SHA1
d7a858794a77b9ab17b3afd1d9661d62368bec46

SHA256
ecb20dca7c1a0707eea5cb0674adc69b4dabca329b0f4641c69c93a91ef0cfa8

SHA512
bf99b933ea9425f4c906f8fcbb84f699dc8c25288a38e6028c7d258b72902e387a4177590911f011588513a76a34329ace5bbf92625883c2ebae144af447029f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe
Filesize
195KB

MD5
86097f6a2f8e2b10ff41a21b4f0fbd88

SHA1
8287fc088341d809d8f33867c2d0393f389d7691

SHA256
d138f668b9788711e3977bf3e39903741a5411eb8a2d1c66288ca0f6b160502e

SHA512
32ce22b1a4ea2b8beb63fbd6965e41765877424d25574fd5a4de59b0fe9d480d33a596a6224b1d3a66c2ed5b4b97446360370c7707f7e1178e4ae4b61012475d

Download Submit
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkAq.exe
Filesize
5.9MB

MD5
aa5baa554e463daf3320405269b1f38f

SHA1
9129e02422191d2bf710e0c117d954a4358587f2

SHA256
88cdb3fb30867bea249384e3b5aa807f409affaee06bfef57f3bb8a7f94660d3

SHA512
dc9104999cbe6f3987d32390c59e252341fe5460f00ea78d724c4571011894631950b8ca7aa4a7d63eb1a4189e5fb6e8b516aee52c2266cd18072e49642b214d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwIU.exe
Filesize
636KB

MD5
08731940a04a66d23b0b2d7bf0978e84

SHA1
707effbcf812a21e852fce679e06c47dc4a33d50

SHA256
246690522ca1e992632cf0e601d70176e1ba0dff52df63e3146a81c31bbf3844

SHA512
2170c9b27b58a80f2ca44f496c76349a510c85c24b59697c2765a2c7f728786afcb1c3ae275bba6bd49d2984437b542cf0df6a7ab538e177615519b5baae7b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcYA.exe
Filesize
5.9MB

MD5
0c3c831ba9e508f6b582983dc74bb9ab

SHA1
ae42a883c3be8f3dc277038a0b29ce6ae9500329

SHA256
075e7415b799c118c6839edcc3869773231c9c71baa69251a5a737d92ac815a5

SHA512
0ebeec58116cd15a234e614cb6775fa915f4a8e9c982e74125c579d93b4548a3c266ca5cc1a6727be443edf9dac8ca6922295e7841034b6abda1be5579221fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsMS.exe
Filesize
727KB

MD5
524d64224b19a2abc00c7ba5457c0237

SHA1
0e35ab4955c8fa91d4f75d7dfda8d9ba89ddbdba

SHA256
c615f8567ca547573f466daec92f2af75010c866944377272d3a8f91eb530ac4

SHA512
8d7a9927886abfc64221535dfab027b8638847c82ce45129145e57f23b8467bcad569ca5683d4a5dc67deffb17943c15c4496e0a0adcbbd26e4ebcc0e4147d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcEM.exe
Filesize
649KB

MD5
c916ec18761f1d08d46fa0a72c4a3962

SHA1
285f84575ab074b8b229e6be60839752d5f5d2fb

SHA256
2594ce37305463d0790540297de4fce2cc76041850915f54b06c7dff0554c65a

SHA512
ef3b0706dad61f5cc977024d3d563014875fe6e89e7c31028c37a625df6c50fda12079337bc36894282163e1e94f9779ebc3f01a63f78267c0d2bfa2ad712210

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgsW.exe
Filesize
1006KB

MD5
48c63120bb35fa4579185a0a72e04c8e

SHA1
483ff252b00f2d97db1e3c7e15bca27ed44d23ed

SHA256
e85a4424ea1f503f2e5cfc9c30b17f10881f0458129cca64394661b738b8c78b

SHA512
ea776797e8bfe81d1ee4ed2ff28a9bb7c7d3486b3a3bb5a17f65b0f59bc08d0c544746609962ede894d96d92095b6321a6b7ff5fe66965d5880f7e8a229403e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIAW.exe
Filesize
199KB

MD5
385f746db044bb9874b0857c6c676d1e

SHA1
f17cb87a1dd1a99ec59c4528a97ba7053abdf42d

SHA256
1c204f11b7f0a8dba56861517c0851daa8cb714c7a1f422e3120684edb857ef2

SHA512
7653295430f612fd63ddd94f2782df86c60c5f6893778a6689b2cf7e1253bbad4fd2e1e2d64168e094314a3f27d74e39f3f92707407d6708783de2a8b0d87f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUgS.exe
Filesize
191KB

MD5
cbe6e3737fa4faadbf16202e65160b13

SHA1
b02e4bf8cf01a01e5e253b2b192d08a7a89654e3

SHA256
3ea7f1e3ba62d2c26016904d89026bb983f94408506f8274cc0cf9e6ed3e55ae

SHA512
6e14dd47fef78a8f5447b3c32132ddaad9520cc7f8bc4063631bbc5806bb81e3b13704b555badac6bb22823a01407d5770fac715c2d8ffb3ccea3e6e92b9f1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYMs.exe
Filesize
1.5MB

MD5
c18b5c27a7bd1d7c7d91d068a139d90c

SHA1
186c2f27e66482c3126f58fe4de9672634270fd2

SHA256
91be8c572861b4bdec72b33ddcadc6dd796bb0ef53fc1902169af55fe3e5769b

SHA512
6ca1cd14b3e2ee1962642571e2b9c3528b568a0396aae698fc9ea6d5c27c84a1332755738556dc88ef5531c3e3301d4bc98c924dc7fec724ec35366a3a665f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYwk.exe
Filesize
232KB

MD5
97626ed6507b98876b372e9073b194a5

SHA1
efdcbc973413632d1f93bfbbb521d5e46553037b

SHA256
3d39e2f5d8766fdd9ec026f556aa22671afb2f19c2ba2a2b95ba0202aea164bf

SHA512
b14f647732652b02abdd42a139cf171b31d1c3a938f2ca80e8a72479dd121a9c2a36e12025d858586306a95db85e737a928c7fdf07a201cd1d44c66571f64439

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgkK.exe
Filesize
197KB

MD5
0b746d18d2bce6c36bc7fde666aa00a6

SHA1
14e6ca154205822475889144f300710ce687495d

SHA256
eceb56e278161aef95a9a4139d0eda8bf7167534dd610ab1e5cd25fb3fc1dabf

SHA512
1f3dcc76e578c3d5a1c43b7392a73fbd6f1e2bfab4220d9c62b358b768c2ae5dcdc675728074a01a4dffa3d137c79f8c81595e8c8af70fbe153b98abab628637

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkEs.exe
Filesize
187KB

MD5
83dcbc53feb45ccb1157d2f812705c94

SHA1
c790b8bebfee0b9cea415efc06c8bd6e9152ca11

SHA256
4cf8855b2577e5ffd15e059cea08a317a5dc2215517a47378de8ef1b6133aeae

SHA512
979a38a78c4f44ca7b5c3e9c6a2034e81c0cbb0e97185410eb49db66eddda3dab3c9f49324bb8a62c00dda9065cdfb644c6c9150380bcca1ccda40c7e006b2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgAc.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IooG.exe
Filesize
182KB

MD5
9c40f131d3607505dbc841b301b52364

SHA1
5f8ab60ec2950be9310c39f85aa05d8cbc3a2d93

SHA256
90579a6c4c41f5b0358515aaff123862c71a66655488ac6c6c9af22d8c906886

SHA512
421391eb57c8b44abc30a8753db79d203d899f222cd8e7a8d4776df3b750de48f7968df6c3f5d40a958fea7569750a1aa8c9f70b4ffc2f52c7e343499486fb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwMS.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgss.exe
Filesize
210KB

MD5
be6723eaad600262bda3e476e15fa92e

SHA1
e7997a6b1770fcc05df441802a0d92ee9f860607

SHA256
6fc5828278672bcada6162dd90126bfa4f9400f01d995be467a777a65079e516

SHA512
c394ae2ac9027c0fe7db02a9d7ad2ce8d84a6a6f36496d6e2a91e1bd394ab099d50de127bda0be5796dca34b58111724e21e214b1ab5cf27800f518b14fb5a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoUu.exe
Filesize
192KB

MD5
a98bda6eb44cbd25c5fd0e87954e6471

SHA1
10d479069beffce1aa035bdbd77eb8762fafefb7

SHA256
47b72643d9cd0f13c347ea1902fb09fe59d350bef6b060d7a34e50943346de88

SHA512
7ec8ec7948801dc27a9d01b65c223b00448057b6b2f72fdb804389a18c61c9d2480147f2a7640f62867146ee956d53574d04720710e66943dfc4fc3b57e1c153

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kscu.exe
Filesize
188KB

MD5
a8c25796002dc89f479715474eeb241c

SHA1
5e6b13cd23a51293cc5e19060fb8e3901171d9a2

SHA256
b076ee463a3f26be6d033a7767053bf468356afda191225f572a3d51c635d837

SHA512
cf068b499010554dd87308ad59f2c69c1399d6f2d8d746602b40a3b76b107ebaa521dff9296677a56125b1272a8ba9f5ecf318ba2c434645978fef785ce127b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAUa.exe
Filesize
187KB

MD5
a7b4076443f5f033e48d27355f8ea026

SHA1
25df6b3f9f5f070e2c6985d7e7ec694d19168f98

SHA256
25af45c046e215223f5ec5ede1441c089094c0700024c0754a07cc259f4fa812

SHA512
b7e7e39f66a6ddc97c1949a2853c79229143c527762cd383ed8f156921247154864d2c8bc4e2cdae4dc1013cc86f08d1e2cbf647a3e563c1c8498fbfea5ef483

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIEM.exe
Filesize
199KB

MD5
60691c1183384ebd034adafcb97f79ef

SHA1
493bd9c736a856eae6c75f42300a8e66380f875e

SHA256
f143bfa4bd0864cc979a844643e8f43040d9f6692db7cfd25310d949aed8567b

SHA512
fca9f8ed408deef116836a7aa6d72052747dd4aca8d433bb01d0f2e4d4d76c0467528ee3c719a7787527165121cd7bef605db0c8611e0e6ec7673d7c148d214b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEoM.exe
Filesize
820KB

MD5
c5f03dcaa0feebd075bf94e54900e20d

SHA1
773f854ed4b3b2fb32c7bf68dcaa003e8577d389

SHA256
e97601f50a3c21e480cc44c11f887febfdec66a19ca1aac9b562a9fb26de2e6b

SHA512
fe9d73b4a408f5636f179ef2f545f43c48277eda54219525c8cdb50b6e3028967cb56d83b3bf93d68c44eb5fd454023cc875faafa22e28d00836f6b9c1c361bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMEq.exe
Filesize
227KB

MD5
6d3f9b671da8596891e9d484b1774f93

SHA1
e7602c53154413cd6963f600a9356b6df68d4f91

SHA256
1a8dd4818bdf3227a3623fd299802109fb03f037cf44bfa1904b6f79ac0548ca

SHA512
a381026cd344c5f08a04be0740456915eb3cb05de566202763fe6abc28aac588743a9e118672d171c3db7975f9a629dd239f39308878ff2fa4a13ff5247ca971

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEAi.exe
Filesize
1.4MB

MD5
3c551c26c509e77dd9b8bf44ebbbd785

SHA1
ed8188a319a385971ed8913a0e4bf1c309eba422

SHA256
f81d2590146bcba6c9833f54e71cc8696b74a6c5fbf64cec2c0c8a9ec523d383

SHA512
1ae297a0029a2840195eda92d5b89982c8004aeba0640004c6e83d99efde8ca8458caf0858bea56207b7954630b955b9460b63778466ba9c922b29f46eb299d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEks.exe
Filesize
420KB

MD5
191a8d59e326956e1330cea8e86bc22c

SHA1
4a33eec2e1ce8a8559e7ef7847ffd99ebea55275

SHA256
6401a21de649dcf4e1cbd30cc925f970cddba6fe15ba591e81e29fa1cb6441d2

SHA512
be0b0dfa988f39ae9dc91d5a2fc68679a98d84583a38130d3402f48c0d55e566e75f133fd1a27da4a87ab2e904be1f6e881f4c829e114918086f9d12bcb9d18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgMY.exe
Filesize
196KB

MD5
a24508e5304d904fdc4ee74cbfe3e2ec

SHA1
bdf7a57dec75287ccf1a4981308cf30d993d60e8

SHA256
ea2127dc9bf90d71909197109ab9c34ea4a9afb4add9bb85eb5998adc7bcf3aa

SHA512
8619d7b48daac6af2e3d6cf7df79a43e3c3843304f6b36fe887df024453b979f32498386b4357ada915c94878baf1d97c36dc6dc54fda665a1351cecb6698cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Okky.exe
Filesize
193KB

MD5
4952b8b206aa314456d33dd7a30e51fd

SHA1
3e9994aecebbf177c43214400c0e8b34f7655703

SHA256
f3345159026d98d7bf56c3e566205ac27e47aa4c8eb5598a2219e31d16f6dfe0

SHA512
93caf23513f443d126986cbf8cf7747fda650a670fe987c4f0ac09a67e231881eba76340fe893b8d481dc1b13ca702bc50ad7fe2b5b908c3b0e0653a17d2b43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsEk.exe
Filesize
1.0MB

MD5
35ae279fa6dced7d8168fa19f17f9df4

SHA1
4351644d6e4f5aea62e9a996ecf2285770ca0a94

SHA256
f33f1c7a880258c7bac3e75960a4fe48b8add35749ab2a162160c5d16a6371bf

SHA512
f04456cf5a7af7ae9792fa211261340b4dcee83eddc7d3d7a6f884235435ab6c52d2464d177ee65b7abf86fa4f8d4d52aa40aacb910ad51847c2d6d3485d268d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIwe.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qkce.exe
Filesize
314KB

MD5
3c61ccb219443fcdb24149315df5b07f

SHA1
e61c449eeb2d8e47864de64cf21dd85bcc57845b

SHA256
a9dc81e722b5c9de13143c72b76f4dde8fa8aed817685720549802f50017bbe9

SHA512
dd89d967842597a898ce7150ee3b83d4e9fd07a33d0cfb44d8cdfb38b491fc1fc2cea2d49097d64e61b8e707a4f753eda55553b566d9ee12b782612932672905

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoEG.exe
Filesize
326KB

MD5
cd8bb5c92bbeb0a79fe01d50212c455f

SHA1
373e0d6389e6e3fc2b11a4d252a96c60026a94e8

SHA256
312e47c8a3c0d7164fd23f3aa7af8ab911d3d5aa0b291ba7686c9fd2b444a7e5

SHA512
219c969442444af56e0ad99184168a9f54d8e468647d918d16c8da4fdb0f5de24f6403920d4bcd6a7ae509903616207811342ec147e48c268270a9ccd8a3d9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQsa.exe
Filesize
191KB

MD5
6a61d579dbdb9f53eb4a496aed3a140b

SHA1
5186c0a72ff2493bcd8beff2372875ac8cdc9a6d

SHA256
a54a1fbe41c7cdb61e0d0458cc93034a92a7a7eb4068d942989ba079c54dfdfc

SHA512
b2a8b19d152677fb20084a544b0e3c9af660770ddc49bf94659917041cf8bb1ebcb2af782719d6fe4c372c804cc0069abc7e94737ff88c759d1cf8addc1180c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkQs.exe
Filesize
202KB

MD5
dc722fca00acf5fe37d95990a378e1ea

SHA1
48f3341df17457b0167c69a22238ec0ec2a85cc6

SHA256
735c3b7dc2f79c066a5ab64f8b97813c14241681c112b298dec991e5ff7456c7

SHA512
d807dfd37ebd231a124ed17c500d668f5f41204bae685d54e03d64c580a31e2f36625e562e52df721f3b6e715db035430cde7e59185bfd018bb7c5dd3d9a86b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUAC.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkwU.exe
Filesize
190KB

MD5
d00f4766e38bd8f9744f237d70f4bd0f

SHA1
f9086190e23c7de7cb4471d14bcc11f04c346402

SHA256
8a4fbbe7fc152061f79a3e55e8a240c76ae6b53af39ff983adcafaa5cbd2a22b

SHA512
5cfd37322b22f19822c35ffcfaae005c82222be23a710c1a7847e4f8ea2fe8ca1b735ee7c929d4fca5abc619ee332d4eeb056408a63ede56d8d4755109fd6b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMgW.exe
Filesize
1.3MB

MD5
1c1aba97c197f74fe3e0b93c6e3ff30c

SHA1
46f53aa5c08b33daa9d3e11534226fdadadc4d79

SHA256
8b62d0090663bb629f40ddb611d1b9f8254cc9d628bb59c08d8dda02bba9e800

SHA512
689d1158949b75fa28b2854458cd83dd402c494ac8622f5c1cfe9366cc42e2222c2657a9a73fdf21eea1b30cd1e3ed0a34d02183dda3404db5c57e877ec4583c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUYO.exe
Filesize
200KB

MD5
1184c2832cde89d24e601d34ce47fa9b

SHA1
2dceca17d8d0c8a7366230c66321ebac9f448ef6

SHA256
9c1f1533bc415c78ca71935b4c3d4a9bb544af867f4759fd894cbf52834561d5

SHA512
3e0b598239c1acfd128b9c65c2831d5890c9ec38a726afc6e5c0169df64369a459ba1ad200e1adb41bf91cd444352323a1e1c52987dcf0e285fd15ce131548f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcQW.exe
Filesize
184KB

MD5
35f704e24a4c22758dab487fec9eb2dd

SHA1
644dab0917215577cdfd07b45b4f7f5b4b60ea0b

SHA256
44eac982d6ded8c2b4f5b48b44e63acabf1657c297d88e4b1ec798f3e89d9dad

SHA512
50640302c4f3d86f339c8d73f3c22215ea969c3c8c0d2c809540f042ba890fb392442ce7a53de1820d518b901baabbd0bbd672023de914dc2746b778c96cee49

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwQA.exe
Filesize
216KB

MD5
0ebbbf15a2c518d933392fce30767a23

SHA1
c0b9ef28f5c95ca8d072d48ae8e08d898ac26510

SHA256
e7eaad1e952c48ed1a9893ef49a7bba1dc72da4b9d4463e0482ec8a1818887ee

SHA512
7ef5624f8faa0226ebf708d6d651e675a87924d131fbd419f4ce1dddd88b3a7806406b90966a250bae149e70ef38ec3769f280b31fe65d4d5a20129335a39a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vowg.exe
Filesize
190KB

MD5
50ee8d4933c175c74e0aa618023283e9

SHA1
09df308c7e98a892c2793883dd951570c98dec95

SHA256
6cfe65f615c6d33fc6b9474fbc997121ce8ec4453129f2ea566c389b5c41b8a6

SHA512
9c371b9be54f982195ffa83c33933616fde66f34f2f111818c6b0da3fd2b4a18036d9b4d86eafce08d6f3f2f591f20068d2d1fc8225f48b8754acfd6e84c245f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAcC.exe
Filesize
192KB

MD5
143fb917f2e4be2fa86838c7b4278aae

SHA1
2339a138d67ceabee5ca022f5a8c416276232ed0

SHA256
ebc99c8fca76b05e224eae0abb13430067db723af0f46a8ba1c10b1fce925cec

SHA512
32b4ebd476a7019b0a37989913002e9aa732891837e8d25aed53ed34cc654c5e3b9b8a5d393ad7535dbf0423607084073a809c75cf6dfe66f926710d4ce75d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIsy.ico
Filesize
4KB

MD5
7c132d99dba688b1140f4fc32383b6f4

SHA1
10e032edd1fdaf75133584bd874ab94f9e3708f4

SHA256
991cf545088a00dd8a9710a6825444a4b045f3c1bf75822aeff058f2f37d9191

SHA512
4d00fa636f0e8218a3b590180d33d71587b4683b0b26cd98600dcb39261e87946e2d7bdcfbcd5d2a5f4c50a4c05cd8cf8ac90071ecd80e5e0f3230674320d71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcAE.exe
Filesize
639KB

MD5
0528c3498fb7c33b64a2f51aba521a47

SHA1
89a6785efe8f5a05432ee10bced91a7bc97f2f5f

SHA256
9c8670cca761312bd799f82fe071362f90b40fc5e52aa536a07b04da6e76e962

SHA512
7bed780d55887ba6c66dfd271cfabea66e9915e098622ea13317b877325f333de7b73282d13c17c9370c8673b5a0220fbc086657c04935b7931c04324167fa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoYA.exe
Filesize
460KB

MD5
c0bf2dd6bb6dd39e5b8d7127069f785e

SHA1
5875d8c50aee71b9653bc8a206e630276eb44096

SHA256
4d7f395cb439045f70f379d49efe0729510c01a05d557a5995acf1bc1ed61860

SHA512
4fe54b75602cf0c310510acb2512d4cda65dc25fa9f335c3e59a6bccbdc9127ec47913d4b51b0ce8d37a70ae7bce24df098ea52eabc3c8d00b40566a17348a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zock.exe
Filesize
798KB

MD5
41ca023b117c5740c97e55f85c73ca86

SHA1
f165fd6d90eb360a5230ba220fc897c41c6b4dc9

SHA256
62cc151b47ee19be6d69421008278cc15eb8fed38c301bc92344350157265b00

SHA512
1c6bbbdfa8882ad7eade9051e0698e58d188cb37552540c2f49e0176508f06da336c094955e394d9bced27c98edd7525b9129050ffb93697376d44698b327148

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZskI.exe
Filesize
190KB

MD5
05552bfbe79e90d7ca6cf0aa0d65f68c

SHA1
21de46ac3d7ec688d54b6060c6dccc7ac10e81a1

SHA256
95d3ebec218d80b32cc0bce243f9823a2e83afa266c54126b6b2ea9ec7241144

SHA512
49f263b7d304882f215d85a1ba3451bf95ffb8c8f4330a1322891fe41726137c7af1ebf31e987f48175cc2179a59a049d8fdb1019710133dccfbe4a1d53f65e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\akkw.exe
Filesize
799KB

MD5
7ca927cc215fef42217f9b48cf9f31ff

SHA1
b3b7f748f099c79b520044f5dd281b7ed225ff81

SHA256
2cd518e5a857341de10fe4f40690e5cef48896f0ee7e0bf9c3c84e333ab62a4d

SHA512
c693882ced8dbc7a6360c58cfce4616c3fa104ddc0af576e1c614bf8de17706f471bfe53da854e7da421763684eee5e2496dcd98c79c78c54c906a3dea2b48a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkMO.exe
Filesize
768KB

MD5
94b951111cb614a8bac50133bfd292a6

SHA1
a104dad5eec585eee764803006a5724b0a82669c

SHA256
25088126a7239d7843c2f32e74494e31db9327a00909507f6bddefdcbac10b8e

SHA512
1cf5f5e49b198d144c1fc36eb1ed0e7414ac60b7e5c11cb0159a9c9367eb657f9583d24dc167e77c0e1cfee64137e96d6378ff3d06207e7c9c73f9f227f07353

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwca.exe
Filesize
194KB

MD5
fcb8ddaa9d1e318949348e3f142b04ed

SHA1
80a3dadcba433ee56feebcbc2e67850eb95a6431

SHA256
ff42d2c4181afd4da3e288acb038ce0088a6135002e4181616078ff26871ca9c

SHA512
74a366822d2f491d25a5e6afd40d7cb46f623b8dd4ddee13330a1c55ccaac1f283d7d87c18ac7d2d3e85b8d9b1ebada4cf38a8523badc5a40a0155a2e946ba4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccAI.exe
Filesize
201KB

MD5
805cd903dc804ca2fa6fcf14e6b72fd1

SHA1
560858f176d616ed07234c448107c328aa95a8dc

SHA256
5c4a0858e1e4d28ce171e5379cac45fd6daee55768c61682d8929daa9eed5729

SHA512
795be281c070eb3715564b7c8f81bfd0e6795a1296eef6e30fe41efe60d28cb88dc3067e1c413687d04a0ea92e442d5e1a860cecb4d0659bb3160b2620dea522

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAcs.exe
Filesize
205KB

MD5
d521f2a598c05d9511b9ea50a3650388

SHA1
f0c944c185bc61828179508b2566f577c424b9b9

SHA256
ac94075e2937e6fabd367100e17ce12972ea4f3b2fe96048447f72ccd2626354

SHA512
1703e1262e36790b6d200cc1e76238c643f9537ca75fd7b909c59fc8be5c2b0d9577822e638cb76c9e465631afb36c6426bf114488ee94f28a3253964ec28f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dMAw.exe
Filesize
212KB

MD5
ddd124939fbdc81c7fec064f86630deb

SHA1
314b95010399509af2f187678cdb59da20c1d6ab

SHA256
d7a49afd5282b98f688bf1dd3ee983f356dd7fb1424d612c1596d85f5d1ca3ab

SHA512
4d05f68c23e209f68bdb4a5fd8494f66e1e30eb87b974929945d10a4986356a9179ae330c7cb5183a7de6e9cf6aab48f6a278fc716919e15f6278b6e55a83881

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgco.exe
Filesize
555KB

MD5
fd1eb93917855035cc9f0b2cd43c69a6

SHA1
b0206e5352efbec98eae330bc4cc17b2ff21338d

SHA256
f52251048e17dfa2a296d7564d5f71d5ccc261d526f2b067e6b70073327800b2

SHA512
8aefd6aeb7acecb2585269ca78e3f900b279c192157a4ab8297c752dd287de1e6c64802388977b0c89f615cf6cd6cbbfc9ac677e43d4f19e9a0b29e51b905463

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwgG.exe
Filesize
197KB

MD5
3185c2b4781c09c5f3f1e40586d74640

SHA1
276b03d21584a92c6972acda2455556723341e50

SHA256
a56a6da2df1b0ece6a1e32e554dc63fd34463ee6c7a202c654a502b8d7d59419

SHA512
8f29540470b71eeb1c52a82df7081099ac3e34ced9bcde99bc43702bbaf93135bf382e4d03dce5226d9d35a8387d94331ed9024d0503c8aea348bd3f4e740035

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEcK.exe
Filesize
640KB

MD5
e4582d8d82e3ae42e01352428cbde283

SHA1
7938c76efd45eb2cb4939bd11a5c59762eba36e0

SHA256
759648d03208b6ea24177d934569164b2cf0e9b28a31ea04fdc93f187fead053

SHA512
301194cb873175e1277976b9f34f8ae72a671161b0ac638e6350abe6ef0cb020d803a2b17a6b433decfc2af61711126c1c908f0ac3a42ed76294e3ebe9405ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIYG.exe
Filesize
194KB

MD5
c0d3c30742f70b6aa67a3986e83660d5

SHA1
79ca381dbcb45c39ed08d15bf025ed20a79409ac

SHA256
83b37368755879eca71511ecf304a5fdfad0ba9bdbaa69899c2c1b07d3ca22fc

SHA512
564040fff64688392f2de22ebedffef18cdad8cb5399217f98ffbea2c1b25b9be0b4b32e39c1d3f87a34522bbbd90f90be416367cf386cca8f8f99b30a79ae1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYwW.exe
Filesize
204KB

MD5
e21048299c463a92c4d4c219fb4b7ecc

SHA1
b101d9290418aca4c6da072cd1cdfd3ee652f719

SHA256
1bbf1ce9601dcd2bf46592b8561ef36eddaed3963a91a66231ae468b75d6e942

SHA512
784ee62c5c756caa5edc3966c4c2a20c9194334661544ed17f6d1b54dff1229ab7f53d2dacf6f30cc4d95be5f6cb300c78250b7d1551645761eba1ed56e80992

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYwsYcwY.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eosS.exe
Filesize
197KB

MD5
34f39ca5f37f5a5976ec3707f43d336c

SHA1
e49ce103827d3d0d110fc035cafe50dd23256391

SHA256
75ded3037d8abe2c4d484f708ea5283f8b6ba5668a75c014aada4ea784d6944e

SHA512
90d61c9e4cc10950383420094ad0264ef9b54b1f3e34c6feffc16a2efa436f0c655c58ce8bd8b7a12e834b52055ad84bd79e267c54b132beec97be13353ed382

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQci.exe
Filesize
1015KB

MD5
9c2fc484e2f9aefebd742f5d9e701a8e

SHA1
1c408015193fd76a5de6f171a70b693d980ced01

SHA256
b7d630d5a6bcb8cdf0a381afb0e364f7a324d4f3bbf3259a29d79136a9c97b00

SHA512
b56cdd2e05bc20c96479ca4a739e685f9bd97b60defb0186eccc026db039d8adf7ba356f882c0dc34072e9c453f25b1ca366591b9cba0f8b1abf049b6375d55e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\foAU.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYQQ.exe
Filesize
649KB

MD5
3d84303526f311aa7731d2f4194586a6

SHA1
bce77e31daf61d1632e98057b54f7ca4f9275cbd

SHA256
5a80f976eada00c3183fc436e0c5ee815b5f4bf3dd18be5542bdf6433f55286c

SHA512
f8ca97072e01321fa2034fd383a71f6eed73c768acd025b3f03b53c91aaf5837a1dc38a690e3ef37d9066f01b5995aef420210ad2c257c6cae91a3a157c0a178

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggcc.exe
Filesize
219KB

MD5
4e17b73f123c9d1010f2fc5c63b39aee

SHA1
66bfa6951bf79beefe39edc3e38f8f8325d4b313

SHA256
71cab1d6ea998d976267601e93584181096ee4f3e88c142ac00a9d889b2b4f16

SHA512
c5672082c8fd3b5d2c72f0c7f650c6ae3cf718ea961860cad7fbf1a86ce411bac851299823b4566b65259e1487e34647d2c49b039547d1d20176630113f782a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEMI.exe
Filesize
197KB

MD5
2503edf8aa760c3e82774158d9c5ca49

SHA1
6e5a0c8b110b0ee9c8e723a3b5a527cf3188927f

SHA256
3560618b16ece349b6038c99499aa427c06dcffb21d31e6069e96ec4dce6389f

SHA512
773683205a1b5793dfc34a83821318ca5ebd954d8c57fc9e2640453bea4b7a3db333987438649cdd8638f6c20c0cc729f7a403d3a334bd996f30ecee90745ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hMgI.exe
Filesize
200KB

MD5
dc695e43afab0667721a9c1fdbc749d1

SHA1
7b2d0627a0bd09da08aef3f73d76c9b896133940

SHA256
bd7e318fa4732aea9628a968f1d2289461f018a40b669a8562ab25f344006ce8

SHA512
9c45fee19089e19111a8c2303a6a1a94f91d69ab665930367552332aa8ecac603faadccff872f9795e1686d203fcd295a35aab284b1be4f03da59fa0e4286f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcIY.exe
Filesize
824KB

MD5
1dbdd25805f8379382d8921e6ce24849

SHA1
823a4192f7e5b0dc9c03761dd33d263f7a6f3e48

SHA256
86aab87ce0fbbcb383fd41f8a70dcded2ea1858d98f7a61452c251cc6506fda3

SHA512
0d3ec9cbf943b039200dd0906768f285dd67b663b1eb7ec8d0cf9bc5bf7349ceab00f42830041b4541b9dd5bffde0afdca4b639b5197c2221798304b137e9c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEUe.exe
Filesize
197KB

MD5
41ede321c2d84ff8de2d078cb4590adb

SHA1
7b3d80f3ab886cad5846e17c3bb9d404ef2b2901

SHA256
e9e280c366b74e5af678d4dad4aef21591974b826ba6e952226569e06faaba9d

SHA512
dd9f2f67df5331bb5e12b6be6cefa4f76c12479c686ebaee2c66dcb9bfc7f777ddb4a5891dbb947824533750b3ec5ce4425c1fd69d293a0ead7c5f214eae7b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUoK.exe
Filesize
193KB

MD5
1e2a2ad1db050920e8c725711bc0c4a3

SHA1
7d0e21ec3d0e5a33fd975d7811210442c6442dd5

SHA256
76c1bc88c2e541b302bd2c175d7608f7f3d7232c1da764ca5ce34a0d59401c28

SHA512
033afdb8b2586cf6b625ae72bbcfb12562d3504c4e3b635556cc1e73fafd4f93cb3b4911dcfbb462a4eb99105166f675ac8ae8feac6a52e9070e386f4610bffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYco.exe
Filesize
196KB

MD5
629055d7b5691c06b0c2e7751bda8dc6

SHA1
b4c06181fdec1b31003fb69d6a3c35eab4a18557

SHA256
6cbc7564d42ff5e0de9887b8544af814d14a1fda2fe874080b0de569a8bee44c

SHA512
a6c384dcbc16532f05a199b7c793cd428296ccab7cd4335aafd56e83c1affe4f3a57f335bb89ad3101d84f9d180f5bfd4aedc165383579a4371c91e8189a8889

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEwk.exe
Filesize
217KB

MD5
9d6eb6f44a4de6c704f98e6fa85d362f

SHA1
243e0f4304f362592edc970f9adb8b5bfc50dbd4

SHA256
8d11af02bc25659ee0ce9016c6bf309419d2bf4f49304fd2c0215c1b7cc2d0a2

SHA512
012206d0ceabb452e6d9dcf6a9d09ba71faf28698ed8c329f8c99d13f43986bcaf6aafaaad16cba87a52e373960825086f95acdd0a109d9a95b3f5a3dade31bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMoS.exe
Filesize
5.9MB

MD5
a7da4f1f92ad73efbc221719aec56d17

SHA1
8ccf5ad8a510acf1f4e6aadc0effeff171193c91

SHA256
26e0c0f171005a99927231a51c4cefacddf4d3a2154b757894f1ef9878605f6b

SHA512
47a34524657c3702315a290bebad551f8881e95f9dba5304813f3b60de264ca0e2ef44d4953af9f1af7f558b821f84f43ea9bec6a8f727682b524f3e00c70731

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQkc.exe
Filesize
216KB

MD5
6f765a14520254c3e7d3351e6e6d1094

SHA1
5bf8951bf818643cef89fedfe9412591c372e987

SHA256
33b4f8a49708d2e82b0b9f4489c2657b9135a867c20b7e43bf9ce637ea0dc53a

SHA512
c3a223e69c79c0f9ebe34c1c371acc736578a8811a4e73d0c2ee56af45fa037004648d8b07eea5f42d14dba1f08bb95dfd6cb2f72ecb0a987b7307017269c713

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngEo.exe
Filesize
189KB

MD5
4448cadba20a0b58ee6ed3330c55cc0a

SHA1
b562020274465ba6a12890728c4aa063c87f2318

SHA256
ac693b573b2c2c8957bc2d6d5727dd36e05aa4ce38370409ee65889993d1147b

SHA512
e05085d558fa8cb6baa31fe13a75d7a8884960da92fd2c148e0933e8398cd4866f3d797ffd03ce2093484462d42463826dc631198c6595242c5b4911f5ffe628

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIYQ.exe
Filesize
790KB

MD5
5ee512f0cf2fa92e0fe66a1bff7552e3

SHA1
0961fb8e915fe81520d615d2c338e182ce6b1333

SHA256
e0d584c67efd7c9ca218506511e6af1e32b83f2a3689966b2e6b4feda4ed7405

SHA512
cb334fa2130f1f349e615e642dff8e99074bbd93ab1debcd588f3c8fdfcb601b69a018061ecbdd4042d99332460027de6d4cfa619e6fb315551eaa4a3edb3d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUIm.exe
Filesize
199KB

MD5
f85e6b5d9934dac88a2f6a6184f796cf

SHA1
bafbe2a53f2199cab0a9ed408caea0cac2891f09

SHA256
0830aaa7ff79f6458f3b6287d34e959fa307624ccbc159c37e1f7072d9307307

SHA512
b452e485198ae80b490ed7a0f4c37d245a03066efdb3126e3df0302260add9f1ef3e86577524f93887d501e54ddc90e2b98827f0adff48cfb41162215a445736

Download Submit
C:\Users\Admin\AppData\Local\Temp\owka.exe
Filesize
185KB

MD5
df33ecb312f9d1c42c7fcaca370a087e

SHA1
7c67c912749e7e3750e200175304c4dfb10e1e19

SHA256
565243eba18d16ca38ac8bb1a52ce7ee3937c21c97da2ede551f14d326f89fe2

SHA512
fbb0a8fa3d63fb1508fee5c6c0f65377451dabb974cc7c1a37780dd72da7726145a81cf0112e81da0336c00502d4b98100436ddf69b21f97c00cffa689911ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAAw.exe
Filesize
315KB

MD5
06110e23ff482a97ec604b721f6f1b45

SHA1
e107d203a6a7d7274444d5a3c517f6c667357d7f

SHA256
b8e984a4e230d3dac1d0c2075d13c5d3608477b1dfee2e52f323f8123ac3309a

SHA512
5401ee1d81741b753f96e0dac1599909a2aa582613f521fcc97392f47f90f66e9f7402e556da73686a65aa63f934ccd362212cc76ab0cfad8a022317b3971032

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQMk.exe
Filesize
191KB

MD5
4e170ef7cbb2dbdc3e03f63230832b9f

SHA1
7ba6ec9218d563a0f82da3ad59a15fb9e6cd5590

SHA256
3b9c251d77123e265f666bc8bf76c964bf5da730fbcc5dcfcf3b8640c9209e8e

SHA512
106b18d17ceadb9548d655771534500caf026c09b1a71247fbdc087861b111674071c3303e48d54863a11b4323d42a75c96744499741999f2f475950ea0f7bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQkA.exe
Filesize
191KB

MD5
2a9245bf5f3ee40a71a13d9d98fb8bc3

SHA1
67d572ad6bfd549c5726f1c8a9a02d4b420479fc

SHA256
b4c675e7dc111c73cf752d29b93d3c06c799c9bab6027ed5f2b57b06823a82e0

SHA512
1863b8ac7aba5f1452d4c6b61a9c36d2f03164e040630f4f479aebd99d1296a21ee0a83464fbf63e869ed3521ae543691a998dfd8d42b1b1cdae2849c151c7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgQE.exe
Filesize
806KB

MD5
8376b4c926fdf970eb6f54713368775b

SHA1
6d2b58031a60b34d98b0e617f0257475197f2a23

SHA256
70521e93def5290b0de421a281e1134db16d24418c352e08217386950c7d0135

SHA512
39623ba510477015e813e0611cb5bae0fdaec758095cfc8d89be63f8aa937f81f53e6801d6794bc7c4ec0b46d26aa677c07a176646734fd2dff8332432245247

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUsa.exe
Filesize
643KB

MD5
c440086dcc6c1acb34211f00459579a1

SHA1
70d682296f5b63a3ffde33bae0616fd4147a0cd1

SHA256
3ea9f785a37e5e7dc86ec198f2bd8f152f3101ab03d16065662bd3fbb2f5c6b2

SHA512
341a5af4e12d0ddcf553d3b61a3654c4afee39d9e29561104833b2ab250e7b0a9f89862624268bb63f3a8d70129d9fecf7655acfd83e4e499c5634e0833cc0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYwg.exe
Filesize
244KB

MD5
253c3d496de221f77d9ec036339aeb7e

SHA1
73cc65d4bec58a2c7cf48c5346612bb397ad2d5a

SHA256
ea7bf797a43ed0e0751516c810f6053f96e84e6c9bccd90e396a5c15360e5a5d

SHA512
fa592cbe3c61d98d9746d7565fb234a83bd2c99dcb773199507ab2caccb524b01ede8108bc59f6cbf8e940ab7b6c1e1d4add6da502dd2fb437cb1cb4a9aa8529

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMEs.exe
Filesize
195KB

MD5
ab3e6296fdc3a6aa22837a88124d4e02

SHA1
47c6a88addaeea08ac7fa3b59ca00c45b54205d7

SHA256
b19b10a649c00617e0644efd2d6e7085a3b46dc5de94f8457186b155a4531e5a

SHA512
d643bd13b152ca1ee9561aa95ef0fb87b8f009c4a9a8da9cf105a5ea6956e064b8c348d3d19b581cc042c54936962314cd3a3161ef2aced9bc32561a134d492e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAYQ.exe
Filesize
264KB

MD5
640973958ec647f721274f4ee1f6b347

SHA1
f1040c33d54e4545b1a33a0b8696a9e231f1de7e

SHA256
92a3e911d7cd386679b1ef40920c8f55a04aec4afa7ce61f993fa081ab508b6b

SHA512
ba5801236e8d02355e8d1b0368c2ea088c9f886a141a00fb2b0e651436d354abe1891f111050e447c6b68f5f098cfec14d11e40f38ecb2d8ba7760147213dcc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoIg.exe
Filesize
229KB

MD5
bbfc5958f530dccab4a7f6760af08fae

SHA1
87133f47a9cc21ec2b85214dcb904a538ce6ed86

SHA256
11c3a820ce8043ad394ec458899021e4085942cf767716d7b5ca90b8d1a25045

SHA512
43fb11b7b4b913d6c7eac2d2a7c8868dafbf0814001722de7689f90fdb14db515e0e849c36d7f2ced3e0cb9f03135940eb54518e2b628f3da054e3021d608850

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoky.exe
Filesize
236KB

MD5
4f8c36126af2e17bf2bae3f74fc15d6a

SHA1
52b8dfc6f9d96bd880bcd8be5e23fa021ed11438

SHA256
135c71c2ac68fd771cb3298bb90ba2defa6c873fb6600548d129bf025444bf78

SHA512
ff155961709153aae565d001a0e7c484cfab46cb19e16869e204039b1c840d93e36b80aaa19503fbc5e428a86016e064d53fb1898bbb503812618657fa501686

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAga.exe
Filesize
193KB

MD5
c8b8d48e59b665464f150731ab68f55b

SHA1
72eb6d4bd0cf61cf3d1194d1948cb913d16e242a

SHA256
1f8ea73660940b2a68f7621da4a757edbe82ee58b892d9b1486724047f020536

SHA512
2cd289930c5b8bf6ab6bc6100d5c56a2f62b3e9e68a1ca9bfb0734d8378cb111ebae60aacba4d854308a7fd96e94312c71882af73dc42fe14fc7531f70724ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIos.exe
Filesize
1.8MB

MD5
016919fa66859fc27d2ea3805085b980

SHA1
8ca713b67dc284fa07f6a11b17c9b08bd59c9cfb

SHA256
5dd0b2511aa0eb9535f59bcc32e4232a3ae46d16642f8abe8515f6db4e6c5843

SHA512
312da333f94d1749a7451b37dd0a71da63428aceddce3f3d2176ae6a7938e13f9b9f26b687421974dfff3ea8b023c5b1e3eeac3d3a3f09917a9b5d0f61522e82

Download Submit
C:\Users\Admin\Documents\AddExit.ppt.exe
Filesize
905KB

MD5
1ffa4ac6d49ec81227d828b46d3e8418

SHA1
8738aa947a6f0da92f861551e23d1a96b6582ae6

SHA256
7010c33a53b7600b0e5e5f00dbb23c9dae428005aa34ba3855b013cbc7228cf7

SHA512
ec537ab7926d21295068c37f8d1b6968fba020eded84dbc21e1f6ff7a0ca56a0455a7e1d01a060862b69f6d34fd2d5d4ed812cc6f903c84e42b552070cc08474

Download Submit
C:\Users\Admin\Documents\GrantMeasure.pdf.exe
Filesize
1.5MB

MD5
9fc80effb1cfe0e2245cfd6244e3b086

SHA1
16cb2a141c52a2e093e7d3a8b0d60baf23716d97

SHA256
eb257011a3a260ce74af2e2c8264d7ccd0b875387d3d0585133727068814256e

SHA512
9d2e063b5c20d256ad1705e78afe0952c24ec5c8c3e7a9584f247e77648594f6cd5f872354da1faa6e233a79c7cd4ba67ea386f8803c46fc9b8f3bb887ed64ad

Download Submit
C:\Users\Admin\Downloads\ReadInstall.jpg.exe
Filesize
696KB

MD5
10511bd7e56a23d966db3446a3610d83

SHA1
0584c9faa3bac739a49acf6993dd367eb48b3c69

SHA256
ff41eef9a4f7661fd9715ba6982b643163493928f7fc78b91134cffb5af045f9

SHA512
bd6e4fde58503b0e14c2d54341f46798ad4f77050a537fa6ea5abfc160a62d8dff4e57c0b97a4ccfd1119bfbe94e6dde47fe112ad3499fb73fcc6446dd6a3b37

Download Submit
C:\Users\Admin\Downloads\RemoveEnter.pdf.exe
Filesize
487KB

MD5
376f52dde2c5dab887fe1f584269d559

SHA1
5f4e5eade9a53f6dc47f152bc4a976aef7d12471

SHA256
9e7341c9a8c465f584c756b3c3fd0b3f23611705b9975e9286fb4856c993beef

SHA512
ed7b6dc853b583ed6be2496af3e3dcb5559c2de178c3baf202abf0fb2a72431696679f5bac429c4ad4873abf3bd741342d97d54ccef8b171e87a226a6151e028

Download Submit
C:\Users\Admin\GGoMsMEg\VqYQoQwg.exe
Filesize
179KB

MD5
f33a49ceaa2bd03ef97937d376c7c403

SHA1
3188361d49c8d2ffab1fb6fd3d55d061602d526c

SHA256
19e7c738180aac747d1bad27e455c896a2dd137f1b49c47a13dde31aeabebfc7

SHA512
5997244cf420388913345ac80382924b6550cff652e463c1337c9693407753cf75a9451d97686242b5ec2293c73f7c482969901eb248b4bf84209ee25eadba6d

Download Submit
C:\Users\Admin\Pictures\ClearMerge.png.exe
Filesize
589KB

MD5
453ec72b9ea59d6175c8f899e4a2dd90

SHA1
e482163239cb8f9b15f8bb44a1206ff577cc0bc0

SHA256
88e05161a4de09f3e54c95b71236c109fac392f0e6dd41f413487ebbe409db03

SHA512
857ff51d1f1f4e65d767fd1677d76aa4f77ca56a844487a9c02891e083a3cf076929e608bae83200d0f0f348a7a2d5998135ca427b7d85e07d5487a9c190d6cf

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe
Filesize
204KB

MD5
5888bdb34274cf385e356ca394d9c684

SHA1
dcbb226437d947e71ee0b99b4b128e8b93e03fb4

SHA256
249cb34dceeb07f6fc8c617defa00b70df3d867be4d29428f50c6430915d45df

SHA512
ae31742ae0a3882142c5531bc66b6bcabfc79380ccf03e3308a688f33f303033e0bcf7a7703942e5efdcf2478a9e12278d6527e8f42a2f689af4fd5c78d5ca50

Download Submit
C:\Users\Admin\Pictures\ReceiveDisable.bmp.exe
Filesize
880KB

MD5
bf50a0997c4158181365b119a52a3473

SHA1
3592652e6b409a79a2a50f83eeef2cab209c5f16

SHA256
8744e561d63c951fb826bb5da08da8a2dd28f16b46591e3311819a591e07fdaa

SHA512
987f10b3bd8246fb6171aaab9ed614149ca2c3e30863787e5040eed712e0df76c5052e590083eed349bb61fbcf44de8be4980f2724f6bc8e8bbd92e6af939adb

Download Submit
C:\Users\Admin\Pictures\SplitDisable.png.exe
Filesize
561KB

MD5
56f2384449a70a75170890340642f403

SHA1
1297645a21650aea87f3e93b8680bb5aa1450e75

SHA256
94534c67fcc4948b560b4baf32c59ab8e3faf8e6cd7aa68766f76ac2506abef7

SHA512
d6773ca39a0eaa3748a539e3ed7ba2968f9f2815fe48a3f135bde5be2bb13cbc8222dfc63a9fa6d72389ff5a65a7c230aa17914e3183ef6fa9116897e5031e0e

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe
Filesize
5.9MB

MD5
61de09732f53117a370c84c8a26a2e8e

SHA1
78ed9d3b26c65ebf5d1973629bf55748dda5d9e0

SHA256
e97df3529f99abff4c6cdb5099f65dd552f1a8acd703e4a47c157e8d168acd5f

SHA512
bc31897fc42bc5bb5908963e1e4d437beeeea400832dc68333eccde27e2d2ae160754abbdb68d505d2ed0608326a567c87982014965f551eb2561391ae92d1d2

Download Submit
memory/216-347-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/216-334-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/452-95-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/452-191-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/452-209-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/452-79-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/792-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/792-33-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/820-506-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/820-494-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/880-515-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1108-325-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1108-338-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1124-180-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1124-195-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1180-280-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1180-271-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1228-461-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1228-448-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1420-376-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1420-363-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1568-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1568-20-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1720-133-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1720-145-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1768-522-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2148-45-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2220-260-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2220-270-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2280-155-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2280-171-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2324-343-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2324-356-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2328-480-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2404-410-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2404-206-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2404-221-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2404-423-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2592-57-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2592-41-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2748-329-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2748-314-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2788-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2816-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2848-183-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2848-167-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2864-476-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2864-489-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2892-401-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2892-414-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2952-419-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2952-432-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2960-439-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2960-452-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3028-428-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3028-443-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3220-107-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3220-91-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3272-120-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3272-103-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3308-121-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3308-261-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3308-132-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3308-243-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3352-71-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3352-220-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3352-233-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3352-53-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3624-381-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3624-394-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3668-305-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3668-318-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3888-526-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3888-511-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3912-309-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3912-296-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4072-83-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4072-67-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4216-372-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4216-385-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4248-300-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4248-287-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4332-276-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4332-291-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4360-230-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4360-247-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4448-390-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4448-405-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4688-469-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4688-457-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4892-352-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4892-367-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5004-498-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5004-485-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5020-159-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5020-141-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download