a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
Size

207KB
MD5

17b82e64e80caab520aac1965ba4f8cb
SHA1

2e4a23c270b3e8d9324a7192f07f405ef03bea59
SHA256

a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
SHA512

e882a59ea0feaa556a303e7857f04f1415216509658ed5888c2e61b4de5f136e4cfe4f09e8e54ecee42abadec53431520aa3646401df400e87f2cace67eab3a7
SSDEEP

3072:+xeV4f7Gdz24bTZ6OoaqGGY6wzOKbghx0O8CLLpK6LC0Pybl:KeVwQiq9epwR0b5K67P4l

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

CAAwgIcw.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation CAAwgIcw.exe
Executes dropped EXE 2 IoCs

Processes:

CAAwgIcw.exeawooQcIY.exe

pid process

2816 CAAwgIcw.exe
2948 awooQcIY.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	CAAwgIcw.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exeCAAwgIcw.exeawooQcIY.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CmIUIwwM.exe = "C:\\Users\\Admin\\EYUoQsEs\\CmIUIwwM.exe"	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JIUwMcog.exe = "C:\\ProgramData\\ioYYEkoI\\JIUwMcog.exe"	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CAAwgIcw.exe = "C:\\Users\\Admin\\FMcEIoYo\\CAAwgIcw.exe"	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\awooQcIY.exe = "C:\\ProgramData\\BGMEcwkU\\awooQcIY.exe"	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CAAwgIcw.exe = "C:\\Users\\Admin\\FMcEIoYo\\CAAwgIcw.exe"	CAAwgIcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\awooQcIY.exe = "C:\\ProgramData\\BGMEcwkU\\awooQcIY.exe"	awooQcIY.exe

Drops file in System32 directory 2 IoCs

Processes:

CAAwgIcw.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	CAAwgIcw.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	CAAwgIcw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1424 4216 WerFault.exe JIUwMcog.exe
4328 3188 WerFault.exe CmIUIwwM.exe

pid	pid_target	process	target process
1424	4216	WerFault.exe	JIUwMcog.exe
4328	3188	WerFault.exe	CmIUIwwM.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4020	reg.exe
1616
1512
3892
536	reg.exe
1420	reg.exe
1512	reg.exe
2984	reg.exe
1524	reg.exe
2932	reg.exe
3916
4880	reg.exe
4284	reg.exe
2720	reg.exe
4216	reg.exe
2792
2320	reg.exe
3920	reg.exe
1864
4140	reg.exe
444	reg.exe
1976	reg.exe
2312	reg.exe
716	reg.exe
2472	reg.exe
2280	reg.exe
4068	reg.exe
852	reg.exe
2160	reg.exe
4480	reg.exe
4232
1716
2040	reg.exe
2040
1904
3356	reg.exe
4324	reg.exe
4616
1272	reg.exe
1272	reg.exe
1212	reg.exe
3748	reg.exe
2824	reg.exe
3944	reg.exe
1600	reg.exe
1540
64	reg.exe
4280	reg.exe
2392	reg.exe
740	reg.exe
4284
5108	reg.exe
2060	reg.exe
2312	reg.exe
8	reg.exe
3352	reg.exe
4132	reg.exe
3196	reg.exe
4860	reg.exe
3664	reg.exe
4860
4880	reg.exe
2984	reg.exe
1544

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe

pid	process
2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
3788	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
3788	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
3788	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
3788	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
2560	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
2560	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
2560	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
2560	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4684	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4684	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4684	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4684	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1592	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1592	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1592	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1592	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
2148	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
2148	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
2148	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
2148	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1464	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1464	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1464	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1464	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1056	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1056	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1056	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1056	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4684	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4684	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4684	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4684	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1876	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1876	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1876	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1876	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1524	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1524	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1524	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
1524	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4944	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4944	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4944	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4944	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4564	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4564	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4564	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4564	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4352	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4352	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4352	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
4352	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

CAAwgIcw.exe

pid process

2816 CAAwgIcw.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

CAAwgIcw.exe

pid	process
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe
2816	CAAwgIcw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.execmd.execmd.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.execmd.execmd.exea376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.execmd.exe

description	pid	process	target process
PID 2536 wrote to memory of 2816	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	CAAwgIcw.exe
PID 2536 wrote to memory of 2816	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	CAAwgIcw.exe
PID 2536 wrote to memory of 2816	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	CAAwgIcw.exe
PID 2536 wrote to memory of 2948	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	awooQcIY.exe
PID 2536 wrote to memory of 2948	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	awooQcIY.exe
PID 2536 wrote to memory of 2948	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	awooQcIY.exe
PID 2536 wrote to memory of 3824	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 2536 wrote to memory of 3824	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 2536 wrote to memory of 3824	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 3824 wrote to memory of 2096	3824	cmd.exe	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
PID 3824 wrote to memory of 2096	3824	cmd.exe	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
PID 3824 wrote to memory of 2096	3824	cmd.exe	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
PID 2536 wrote to memory of 4636	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2536 wrote to memory of 4636	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2536 wrote to memory of 4636	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2536 wrote to memory of 4396	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2536 wrote to memory of 4396	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2536 wrote to memory of 4396	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2536 wrote to memory of 2300	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2536 wrote to memory of 2300	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2536 wrote to memory of 2300	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2536 wrote to memory of 372	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 2536 wrote to memory of 372	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 2536 wrote to memory of 372	2536	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 372 wrote to memory of 2268	372	cmd.exe	cscript.exe
PID 372 wrote to memory of 2268	372	cmd.exe	cscript.exe
PID 372 wrote to memory of 2268	372	cmd.exe	cscript.exe
PID 2096 wrote to memory of 3904	2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 2096 wrote to memory of 3904	2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 2096 wrote to memory of 3904	2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 3904 wrote to memory of 4420	3904	cmd.exe	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
PID 3904 wrote to memory of 4420	3904	cmd.exe	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
PID 3904 wrote to memory of 4420	3904	cmd.exe	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
PID 2096 wrote to memory of 2280	2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2096 wrote to memory of 2280	2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2096 wrote to memory of 2280	2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2096 wrote to memory of 400	2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2096 wrote to memory of 400	2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2096 wrote to memory of 400	2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2096 wrote to memory of 4940	2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2096 wrote to memory of 4940	2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2096 wrote to memory of 4940	2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 2096 wrote to memory of 3656	2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 2096 wrote to memory of 3656	2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 2096 wrote to memory of 3656	2096	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 3656 wrote to memory of 4436	3656	cmd.exe	cscript.exe
PID 3656 wrote to memory of 4436	3656	cmd.exe	cscript.exe
PID 3656 wrote to memory of 4436	3656	cmd.exe	cscript.exe
PID 4420 wrote to memory of 4236	4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 4420 wrote to memory of 4236	4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 4420 wrote to memory of 4236	4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 4420 wrote to memory of 4616	4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 4420 wrote to memory of 4616	4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 4420 wrote to memory of 4616	4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 4420 wrote to memory of 2920	4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 4420 wrote to memory of 2920	4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 4420 wrote to memory of 2920	4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 4420 wrote to memory of 3148	4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 4420 wrote to memory of 3148	4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 4420 wrote to memory of 3148	4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	reg.exe
PID 4420 wrote to memory of 2972	4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 4420 wrote to memory of 2972	4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 4420 wrote to memory of 2972	4420	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe	cmd.exe
PID 4236 wrote to memory of 3788	4236	cmd.exe	a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
"C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\FMcEIoYo\CAAwgIcw.exe
"C:\Users\Admin\FMcEIoYo\CAAwgIcw.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2816

C:\ProgramData\BGMEcwkU\awooQcIY.exe
"C:\ProgramData\BGMEcwkU\awooQcIY.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
2⤵
- Suspicious use of WriteProcessMemory
PID:3824

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
4⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
6⤵
- Suspicious use of WriteProcessMemory
PID:4236

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
8⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
10⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
12⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
14⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
16⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
18⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
20⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
22⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
24⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
26⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
28⤵
PID:4284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
30⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
32⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
33⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
34⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
35⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
36⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
37⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
38⤵
PID:1552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
39⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
40⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
41⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
42⤵
PID:4640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
43⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
44⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
45⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
46⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
47⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
48⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
49⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
50⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
51⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
52⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
53⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
54⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
55⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
56⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
57⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
58⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
59⤵
- Adds Run key to start application
PID:2072

C:\Users\Admin\EYUoQsEs\CmIUIwwM.exe
"C:\Users\Admin\EYUoQsEs\CmIUIwwM.exe"
60⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 224
61⤵
- Program crash
PID:4328

C:\ProgramData\ioYYEkoI\JIUwMcog.exe
"C:\ProgramData\ioYYEkoI\JIUwMcog.exe"
60⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 224
61⤵
- Program crash
PID:1424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
60⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
61⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
62⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
63⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
64⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
65⤵
PID:3080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
66⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
67⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
68⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
69⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
70⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
71⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
72⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
73⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
74⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
75⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
76⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
77⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
78⤵
PID:1920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
79⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
80⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
81⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
82⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
83⤵
PID:4004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
84⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
85⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
86⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
87⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
88⤵
PID:4616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
89⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
90⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
91⤵
PID:728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
92⤵
PID:4280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
93⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
94⤵
PID:4488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
95⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
96⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
97⤵
PID:724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
98⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
99⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
100⤵
PID:3240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
101⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
102⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
103⤵
PID:656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
104⤵
PID:4076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
105⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
106⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
107⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
108⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
109⤵
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
110⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
111⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
112⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
113⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
114⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
115⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
116⤵
PID:3828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
117⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
118⤵
PID:4288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
119⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
120⤵
PID:4852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
121⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
122⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
123⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
124⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
125⤵
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
126⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
127⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
128⤵
PID:1512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
129⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
130⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
131⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
132⤵
PID:4360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
133⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
134⤵
PID:2392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
135⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
136⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
137⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
138⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
139⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
140⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
141⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
142⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
143⤵
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
144⤵
PID:1752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
145⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
146⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
147⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
148⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
149⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
150⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
151⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
152⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
153⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
154⤵
PID:4932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
155⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
156⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
157⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
158⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
159⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
160⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
161⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
162⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
163⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
164⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
165⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
166⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
167⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
168⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
169⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
170⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
171⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
172⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
173⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
174⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
175⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
176⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
177⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
178⤵
PID:4684

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
179⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
180⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
181⤵
PID:728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
182⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
183⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
184⤵
PID:2144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
185⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
186⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
187⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
188⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
189⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
190⤵
PID:4088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
191⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
192⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
193⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
194⤵
PID:4360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
195⤵
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
196⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
197⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
198⤵
PID:4544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
199⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
200⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
201⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
202⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
203⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
204⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
205⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
206⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
207⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
208⤵
PID:2932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
209⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
210⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
211⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
212⤵
PID:2080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:728

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
213⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
214⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
215⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
216⤵
PID:656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
217⤵
PID:444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
218⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
219⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
220⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
221⤵
PID:724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
222⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
223⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
224⤵
PID:2996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
225⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
226⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
227⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
228⤵
PID:1976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
229⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
230⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
231⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
232⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
233⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
234⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
235⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
236⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
237⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
238⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
239⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
240⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
241⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
242⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
243⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
244⤵
PID:4688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
245⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
246⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784
247⤵
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784"
248⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
- Modifies registry key
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:4224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:4284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgYQYYcg.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
246⤵
PID:1376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:4480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:1388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmUcsUgA.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
244⤵
PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:1872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugcYccsk.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
242⤵
PID:4592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:4084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoIokEMM.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
240⤵
PID:2672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:2812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMUAowYs.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
238⤵
PID:3684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:4260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duUAgMsI.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
236⤵
PID:616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
- Modifies visibility of file extensions in Explorer
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:1772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeswIcUU.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
234⤵
PID:4596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqQkYIQg.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
232⤵
PID:4472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:2276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
- Modifies registry key
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:2364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUgsggkE.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
230⤵
PID:1656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:1396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mockcMos.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
228⤵
PID:2672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:1628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies visibility of file extensions in Explorer
PID:5036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGMUgcIk.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
226⤵
PID:4976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
- Modifies registry key
PID:2312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWYMYswo.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
224⤵
PID:3148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
- Modifies visibility of file extensions in Explorer
PID:756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:1920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
- Modifies registry key
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYUogUQk.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
222⤵
PID:1904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQkYoksY.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
220⤵
PID:372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:4084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies visibility of file extensions in Explorer
PID:1728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCksQIkk.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
218⤵
PID:1520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:1384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:4848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceIEYYMU.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
216⤵
PID:4296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
- Modifies registry key
PID:3920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWwgkUEo.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
214⤵
PID:1876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:3892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies registry key
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
- Modifies registry key
PID:4480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:4436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duMsMMYc.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
212⤵
PID:4640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:4084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
- Modifies registry key
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWQUkQkU.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
210⤵
PID:3352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgkUQYwc.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
208⤵
PID:3120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:1344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
- Modifies registry key
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:1552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owkQIAUE.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
206⤵
PID:1772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:1524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies registry key
PID:3356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
- Modifies registry key
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOwMcsYc.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
204⤵
PID:2288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umQwskYw.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
202⤵
PID:4080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies registry key
PID:4068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsAcwIcY.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
200⤵
PID:4112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:2856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwAQowEs.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
198⤵
PID:3836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TukgAgAg.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
196⤵
PID:1904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:2360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYQQgAUI.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
194⤵
PID:2592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:1900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSskUMAg.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
192⤵
PID:3560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:3876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKUgwoMY.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
190⤵
PID:3120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
- Modifies registry key
PID:3196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkoIMowg.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
188⤵
PID:876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:4264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies registry key
PID:4132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:2848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:3388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:2652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CscIskwU.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
186⤵
PID:1616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:2304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:4696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:1656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSMEAQgM.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
184⤵
PID:2800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:1644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOoUMEMA.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
182⤵
PID:4880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:1904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:4540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUocksQA.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
180⤵
PID:3560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:4724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies registry key
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQoQQgIg.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
178⤵
PID:740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
- Modifies registry key
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQUEkkEc.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
176⤵
PID:428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:4284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- UAC bypass
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwEYgccY.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
174⤵
PID:4932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:3096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwgQgIQc.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
172⤵
PID:4852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:3704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acssQgIk.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
170⤵
PID:1628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:4052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUgUkEog.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
168⤵
PID:2800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:1656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:3612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuIgMQUA.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
166⤵
PID:372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:3388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAcsMoEk.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
164⤵
PID:4232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
- Modifies registry key
PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yyAwMoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
162⤵
PID:2372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:4288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:1436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOscsgso.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
160⤵
PID:1092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:2656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:4308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQEUwUgs.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
158⤵
PID:4196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSMYkIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
156⤵
PID:2264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:4972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:3920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
- Modifies registry key
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQQUkgcM.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
154⤵
PID:1524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:3356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XScskkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
152⤵
PID:444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:3080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:4068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYsowowA.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
150⤵
PID:2652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:2796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icwMgcoI.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
148⤵
PID:4692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:4264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYsgkQcw.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
146⤵
PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:5036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- Modifies registry key
PID:3352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCQIMYEM.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
144⤵
PID:4476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGUAcMYI.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
142⤵
PID:4848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:1772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmQoAgog.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
140⤵
PID:1916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:3704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeAEAUMs.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
138⤵
PID:4564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:2656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:4476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ricYYcIY.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
136⤵
PID:4544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:1760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:1976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EaMkoUwU.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
134⤵
PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYoUcMcU.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
132⤵
PID:4824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:3936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:2920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYAMoAso.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
130⤵
PID:3920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:2080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:2848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmgAIgwY.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
128⤵
PID:3944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies registry key
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:2392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKUAkEsk.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
126⤵
PID:628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:3436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEAAMUYo.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
124⤵
PID:1524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:4876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
- Modifies registry key
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGQwcAEU.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
122⤵
PID:1436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:4596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyQEUsMU.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
120⤵
PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:1352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgggQoMM.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
118⤵
PID:628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KygMMsMs.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
116⤵
PID:616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:2268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUYIUEgE.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
114⤵
PID:4680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:3388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyscoMEU.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
112⤵
PID:3384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zioEocEk.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
110⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sucIogAk.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
108⤵
PID:1180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:3876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:3656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:3332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKEwwMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
106⤵
PID:1552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:1272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkkUMIEo.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
104⤵
PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkkMYAEM.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
102⤵
PID:2756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:3356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
- Modifies registry key
PID:4880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAQEkEEA.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
100⤵
PID:612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:64

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:4788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUYkcsAs.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
98⤵
PID:3504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:4068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUkAsoMo.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
96⤵
PID:632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:2720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vugAMYUc.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
94⤵
PID:4968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:3656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQUkUMYA.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
92⤵
PID:5024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:3920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAswUskc.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
90⤵
PID:3384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:3852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MiAswIkY.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
88⤵
PID:724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
- Modifies registry key
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQgwgYkA.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
86⤵
PID:2924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:4080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- Modifies registry key
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmgAYMkY.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
84⤵
PID:1476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:1904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoIEAMww.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
82⤵
PID:3148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:4088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- Modifies registry key
PID:2392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIgQQwsM.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
80⤵
PID:756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:2636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsEYAEks.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
78⤵
PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:3904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYswcAUE.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
76⤵
PID:1476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:1836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:4564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:3632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQgEAcow.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
74⤵
PID:1096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMMkMksw.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
72⤵
PID:4548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEosgAMY.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
70⤵
PID:4564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwcwIows.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
68⤵
PID:2684

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:4328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- Modifies registry key
PID:2720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoAMEgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
66⤵
PID:4088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWEcMIck.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
64⤵
PID:372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcMUQYIc.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
62⤵
PID:116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies registry key
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASAIkMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
60⤵
PID:1864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:4036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEMEcMkI.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
58⤵
PID:4324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUwMsQAA.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
56⤵
PID:900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- Modifies registry key
PID:4280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUYwoIgk.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
54⤵
PID:1700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies registry key
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- Modifies registry key
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcgQYAAY.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
52⤵
PID:4396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies registry key
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tksYokEM.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
50⤵
PID:2072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:1200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgIQwgYI.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
48⤵
PID:3980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:1524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgoYocQw.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
46⤵
PID:4832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SykIwMso.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
44⤵
PID:2900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:3920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEgskMoU.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
42⤵
PID:3612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies registry key
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:4900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McMAcMoA.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
40⤵
PID:4412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCAwEgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
38⤵
PID:3384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies registry key
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeUEQwcs.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
36⤵
PID:2916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCMYokUw.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
34⤵
PID:3240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vowgscsg.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
32⤵
PID:4696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:2572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
- Modifies registry key
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aickAcIw.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
30⤵
PID:2848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgYQgUsM.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
28⤵
PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:5108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoUYkAIY.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
26⤵
PID:1644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYUMsIMc.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
24⤵
PID:4216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMAAAYIw.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
22⤵
PID:2616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMYkskYk.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
20⤵
PID:1404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fGEMsEos.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
18⤵
PID:4812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWwgsUMg.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
16⤵
PID:4348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEYcoIcA.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
14⤵
PID:1944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omcUAsMs.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
12⤵
PID:4068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:3176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKcggMwg.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
10⤵
PID:2072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYMEMggA.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
8⤵
PID:4016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOYEUkcg.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
6⤵
PID:2972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POAIgIok.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deoYgsMQ.bat" "C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2268

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2900

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:8

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4216 -ip 4216
2⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3188 -ip 3188
2⤵
PID:1832

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv RCFiib7AzkG2NjixNBBvAA.0.2
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

Filesize
660KB

MD5
00374f10a952153417f6ce40fc95190b

SHA1
1132cd0a8473b25e76fae74a5203c6602c127c43

SHA256
b55c3fb26e3e40586d1dd1f03b40d8806fde91718c1a4a7e648cf698dbec5758

SHA512
7da8ee96ec7cc999334068d2fffc72061a8b643b66fec0bb20c825d29a71d1547dbbf9149f8c020150405b3a8f2ae8e34e1270d1bee3632dd1f6817668f5cf12

Download Submit
C:\ProgramData\BGMEcwkU\awooQcIY.exe

Filesize
203KB

MD5
0629796c84ee6d9a433b3761b988d64e

SHA1
dd631e2084b0d4d2b496606f9ecd04e424f1c752

SHA256
be6b2033829b2f02859ddd7e6d307c62782015f1dfab4e49e00a6d1af2e3b7a2

SHA512
843b7b92a770b3f7de5b11f3d5fcd13e02bbac4bc4fac1b5a5a9de2cd860fad34b74aeb0064b8de27a062f136f52b72d3b49e918a34d79f0b4325c671a84b08a

Download Submit
C:\ProgramData\BGMEcwkU\awooQcIY.inf

Filesize
4B

MD5
4132559192c34711545e8fd0c1645740

SHA1
4d5b95ec5acafcb155167886ac7886781504f815

SHA256
693fd7c0e5ab3402840811087ad1252230e101135173b5f4b979e54781c7837f

SHA512
d65db5e1ee8f082982e2edb5e143c4479c25d5acc852ffc6de7775e3f22ca907e231170e680794f252c59f6c0fab2a0190155e1c67f5add005d1566fed92ec0b

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
210KB

MD5
bb6e636137decf0d5ad9c15e3770b240

SHA1
33d93f842bf2fca066b0b8f326b282d0461d0ee8

SHA256
81264f0f01fe716685a72bd6f8172de6e919430aacfbaddf392e6ac6c0dbc89b

SHA512
37be254572dc0c0ae5b44fe758b8fd5d82f00a911d0dd243f5373ca7aa1adda6083586a4b88f4c013ddebf1fb724fb4b0b1896d586d8931e0684dfddfee1091e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
776KB

MD5
56c95c9c2d10e2300657c0e844157547

SHA1
b573218f6474f35e3f78f4def6e232cb556965ab

SHA256
aa7a4c308464f1bac6d86bf956d9e076d68b20b83d71feee854deeaa5966a9b2

SHA512
608f901ed48e225fe116deef843ba77ea00e57da8b455be3081fe559671ac392c85c6cb87f1b380420da35ff00fe07dfd7e515106eec836009897a5c519f8bfd

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
652KB

MD5
2a85c2dc6fa80c84337f6902338f439f

SHA1
f2a3c5e843356bee509ca6319c02a303f97c5105

SHA256
6b664024c1fb7c20399dc4fb6e9bf4b3c02e0a3bcf74dc053050b978711c5cee

SHA512
7a91498df688dcc891b91a4d337310e82f6cf45af0f2f005da883a23cbb0138566383a7501460b0e375b7481b1e28b29995cf7f165ed813471350c02edbbb997

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
625KB

MD5
099168df91dfcebc4a8522d51ab370a1

SHA1
0aac15efd66d670622ab57200ddb08327ebd96cb

SHA256
bf04f42f00fbad20d4dd655ba593d1f04ff46fb676c38354aa6804f1ef6d6e29

SHA512
e9bddc80477bb72f5a4a34dceffc963b03d3be522796ca86f0c02e9863e5af5c5709ae606b2cfd6d262d6cff9b188934c02aa111916c6d2f88873701f4efd464

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\128.png.exe

Filesize
206KB

MD5
2395ec4f859065601fb7101a80a9991e

SHA1
98ff9a9889a6b6f6cbbd9b3bd861880213e249ec

SHA256
3f09339dbd6a71e65f7505f1895df125a53102a83f2fc940353b413c7f98c35e

SHA512
7ee5b6e29bd721a5121687a00dd01be5543197f59bc345a5dc6cfe1a60bc0485d385af04f667f0af35b974cb8749b7035e0738066711c8727cd8dbb0aeb18725

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

Filesize
205KB

MD5
879a6b6f4aa7dca37700346d66898987

SHA1
ac756958a2d1f0ae478b98a39be5ad42a3748fae

SHA256
2d9c8b735ddec79bbdb96324e874206796e500bdd6855b60e2cd2e37417012d4

SHA512
d2ce9e969f0fbbc220296b6c602b596f4b09ded118b5fff91d507e2646470c170bbb1f002627f4d3fdf10f70a3d866e04e69aaa6f8b18a416ecd89e03b5ab693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

Filesize
205KB

MD5
b2d2954a9b5715cc051b5b70125ee03e

SHA1
c0e134000374e3d6aa1d074e9841509b85a7ddd8

SHA256
6bb5b080dd5e969bb42837e0083f3de14834481ad1fa8c1c07bbdc6329c3e298

SHA512
e0c94fb8062ed3127f7f134fc1b9275f20e268812f642030f7c296ce2fa07fc3e0d8e8ff1d752a0be90eb51bbb315756b2334d27bb8249074aa3fd7ea3c983d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
192KB

MD5
8eba76f1fbb440f1252b7d4db04369ba

SHA1
b4784e2b49291171e3876c26d2f36d044a673a8d

SHA256
aa9d0bc0b676645638ec4168feb8823c0eb59b82e7868824cbb5de93d53db7f9

SHA512
aef905d53232be937db64b450f1c5bc7e99446811a6e624011d716b86862ea6343bc8042f322ed55d5adaef2fc8d7f72c81c17f62caf170db5d8c2c8ea0637fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

Filesize
432KB

MD5
c3d3f7284293b4354f446ee0654413a1

SHA1
13dc71dc18dd28cd36473473d6654b3c30051e3e

SHA256
016ecd2e59b2295b790f0209fa3a449c7ab9980603972d7e32599075bc41f3f6

SHA512
1d7e94267c955da32f316f5f0b00fa3eb684067b8cf5909f0d1f4a59ee4023498da5c049d45c1109e852a563366b64c63cd4af38d33b72992040e7457c940589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
203KB

MD5
941893950938dffa6385fea68bc0c90b

SHA1
e34d1caf6ecdda5723386bec3da3a51b69b7b4a2

SHA256
1f43b5711c05ff4fe629998bda950b7e64b137a3f00fb05021e6ee29263e4895

SHA512
e0b06a46498722b4a4d26e028483d06ffc06ed1669c2b5864483de7433bfe908e85460863ab4984254de84aa60db0a396111821800aba7ea5139c89147252730

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

Filesize
196KB

MD5
18c637b5bfd9b3fc21f0bec1a4ce85e8

SHA1
8bcd24a4e08523135cdb9c298d27f554fe8b4147

SHA256
0e74069a446091ab09a8fcc6a249e0ee9a42f974edacac844c34d5d69939fc9d

SHA512
6792a0a926effd0821fdb9b9c79451467e8036a0b2fcca7d59631c375d45e610e14facd897f0531552875db711713ac724139fe760c4e956d318805f89cdff56

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

Filesize
181KB

MD5
42a8f198b11103e3a38891808becb895

SHA1
66ea9ec32c03f30130ef6e31edfe47d38261a1ff

SHA256
59f2dbb501d0ff593fc041f18fee3e5ca6244af4fda0e807f842f0c1f614986a

SHA512
20a803978fc4d9ba03a4d12ae1efc9f4ee8a6e535ab5e6b4e1490f12fd9ef9fe3f262893c7d18b3907664493382fdf47a4ad3add6cdf36f0075e3871fc3bb8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIUC.exe

Filesize
235KB

MD5
1ab0e329c727ecc364059838ac964c2d

SHA1
b970b525ee1a3eacc298c083d1cb1b3edbc02d02

SHA256
e1c89d0c5573c8bfff100c260180e0e9c39535938c3c786a9894537a57b55c64

SHA512
17c658a661dbb5b11f66e8166fdeb7d1344954ad105f756473c7b19217e81c255814c57352d93aac27c86cd5e895242660214ea12de565d5de83c3e12749f8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIwo.exe

Filesize
312KB

MD5
d6d4cbf968b0d4fcdc667418a86c2752

SHA1
fe16877ffef262517b906bea8f6e0cbeb30a383a

SHA256
e99bc28cdd17456597b3933c735ec8c4806e07ae30c85aee44c21a9aba2b41d5

SHA512
c11c28baa204c4748c2f06f320b422ea07aa2343620b698dfe413dda767934a265fd4d56eadac27acd8103af617759ac274140645fb642b0f299ea4f916921d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEIi.exe

Filesize
247KB

MD5
279736eaf4fac96c2100b66a73de0a8f

SHA1
e88e397bbd2a3f41975077d61394ac7d735ac07d

SHA256
c9f5986f855c9cbf199b5e1a32ea985411d7c1204681af0c4d614bd8ce8dccaf

SHA512
729c74b2084df06763ca99aff7c19dcb8b47527b2da3aa3a1477178ba0b2b94a9727f993bc5e7caa65075bd7e4a7ac13452762392fb02c95e3251378db28137a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYUa.exe

Filesize
564KB

MD5
cf04a2e4d39833ad3a53933082dcc99a

SHA1
dda21e7f688c9be7b1621a07cd666471755c8cc6

SHA256
23d022d5ec7ad57f13092ea1c14fc74856f1687764442fa2f0ef2f7b10c603d2

SHA512
7612b616ba3f0ac40da626c646705452b6751606b9db1c748e387210c7b7771262bf4994735ce29f9f7c5236de5966ccef533c604d060392a038e0864411cf49

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgwC.exe

Filesize
551KB

MD5
4a6595f7788ca22366adb938be262b54

SHA1
89fbc2681710c71f7557b23ecf0b63985edf804a

SHA256
3c8fd0d7de88ba30ff64c3015944e8f08c25b03bb4efbdf2d69e73dd0ecf1357

SHA512
7a676012f1473be4997bde16d452a6c6070ff0a24631fd9cf41149c89d140070e897481fa6e785f72a5ccb2b54a4bd846298f2cc01db217b23eebc9157ee7bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEQc.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQco.exe

Filesize
312KB

MD5
a1ba7190d3678183e2cbfba097affc18

SHA1
bba25bca590d56064d718487ec568811942ef892

SHA256
05e7cd8a1f4c59686eaee2060406784b0e59f718ade05e3f4949511a0bd98c60

SHA512
970a00c6df1658451a2fad78e943a38d97e04707b1203a4b065e2e34b6e9ddb84778393c4bfdea32a1b0395c9fb78094fad84db7008dad9bc64d937526e285c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQsk.exe

Filesize
200KB

MD5
69eef1ccda727517b30b886ba6505afa

SHA1
6dd0905696157d72a4dc0c41fc2c29a6594d2b67

SHA256
570ee0acf001ee56fec00974d62f13a6b4e1cffdc65ef96853a0e52a0d2edd3f

SHA512
4d0ef9374dc54531820a86992d65ac22c228fe40f016cc9a6cd89ece2ecdee6479528cbcd2b3f85b145611f21b5b07362ac87f15432579299d197e32622046b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAMw.exe

Filesize
653KB

MD5
e050612f51c433d81dce38283b40af3a

SHA1
c81b0b4a39965e1259f8c2ab9903071f9c6b1221

SHA256
c712f18e28cb02b7e2d5a92153af7eda9b64cb9d657407dc8dec61b5292b6b5d

SHA512
e0520bed7faefc9b0533553a588268c459c4acc5f0eeaafc8049935c64b83cdec3728886272adb374410546ea02326c31d4be0ac8a114eb6c55c6be07d2dcfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEkY.exe

Filesize
545KB

MD5
fe244020ef43a266bfbb694c6c76f51f

SHA1
b1b6b17bca71025e588058bd364512fb6b96261c

SHA256
d0731f2070375cbacd2d3042119e5f6bbad1462f98e9507bdf67683a60c40b85

SHA512
354b707e2854a56ba0c1191ac5e7ad7183741902cd58a131edf9302bc5bc36554a91bfddbf6860b3de2a23a7bf70746879a35d92d14487ccb9c17e9128efe991

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkAY.exe

Filesize
901KB

MD5
256a42a6ae1edffb460fae2ab21e5f14

SHA1
175a23c2ce67653d201db420f9336b0341fed6e4

SHA256
9cbc251943ae3beea1bb5056c96d8d1765930a18b55a604439575563a3f7dbb8

SHA512
51f0ac3c2f16ea2d0c73310f5ff2a80036ffdd51d5e0d0308815ee30072a4db662629281eb6af497323950ca58acca439724f1e8b0c59bb5e78da0ed09cd4e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwsA.exe

Filesize
975KB

MD5
c2c946c82fa7307177710bd9ba50dc3f

SHA1
4b7df8be1d028b37909beae84caf9e77eb2af063

SHA256
66571b6f707bb12a3009d6b94826cf5d397f966ec9e234420733a5f719535d70

SHA512
15b9fbed091c6826f05906be403d7f87ac92b9ee6933f27c634ee0c48ee86060dd1603853323fa3341ff51816be817bea7e87ff48bc24fcd6403e1ed6b0ae2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcAG.exe

Filesize
189KB

MD5
6f959636d6a6d55be1bcad438d31606e

SHA1
4d0a4886a42b9651fdf20a594d699a78f0d2179c

SHA256
9f354e21d6b58b655621453474ea796b1527e93f230290a880f80be3a1fd2307

SHA512
6a128e96568499b7b501bb69380c7c2b41dee4c64f269f6d861fdc07d36875d150d60320f7c0da7ea0f5692134166af08a076ab16e0dcdc30e4ddbac496d2616

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsYq.exe

Filesize
183KB

MD5
5ecac5d914a5ec4686c86f3e0caa38f7

SHA1
e1b645eb8ab8117be555f6a8169da05c22a2b2fe

SHA256
01125581705be5d28e66d6f0c7bebaf617134d86495355aed30788b0a5989ccd

SHA512
91478860b6ab978f20dcf094e13be0a93a47665c711bb3a934be749683e53727107f653ec2ea754890e9be05ce5338a840b863367c04d309d0104a1d92ceee2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYYM.exe

Filesize
198KB

MD5
555cfcad21a79b7fcef8253038781715

SHA1
0825196bedc3cfd24fd7395a4d03709a9697ab58

SHA256
d17ad4a22b1e614ab6108bb9d52788e3eb7b878d2a063c4324fb3124f57988bf

SHA512
e8229782a345a588c840c58cd20d6e3f010aaf418b88a25f465c45666db1b334c8ffa55bb00d8604bdfc6fec97761675591c28c86c80789ba827d493014c0aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kcgq.exe

Filesize
199KB

MD5
ed471647f4b845c51fe0286fb79fb1e3

SHA1
254eb9c32133f10babd1f51fbf0d46a999fbfdb0

SHA256
f4e8f0455c6b665ed7db54db14fcb29962d9b14fa4339cfd719ffe38516ab01a

SHA512
7c1fdb0a301466a6b24fdc33fa7a952cab49d7d6aa685463cb8e51e7117ee6656ff337af3da53b4060aa6be68acb1a7a6fe971e61382fd4645c287071ba3dc9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoEM.exe

Filesize
182KB

MD5
0e8189ba34ff4bfe362caaf7025f89b9

SHA1
a4d41db57393c17433064ecf2205972dde8eef51

SHA256
d3aa44e22200dd8b0d36624d4271dd735863741d5e3ae807f19cfc05a8a5b136

SHA512
9d342c0b4d9a7811f519abbd7603e52073355a137f2c2721362723225e0376f1f9e8f7486a2eb9082f20b0bdeac2ec32ff549d2ce91e300132eec3d9b69e9420

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMcU.exe

Filesize
559KB

MD5
d1b768fc4553e508becb72c220086f6c

SHA1
aa9f111087aa790e1f3454d291437011f549c03e

SHA256
91646c0dd7434dd8c585f1f1076319e45f33d9097a7606bcb2338ad6ac27e107

SHA512
21ab761728f7049357e05a1c724bf53d8d3def74d07f4c3d91b527313af59ac1170d6c9ca85e0e9508611fee490eeddf51061e51e28caf84eb9037c3465e8984

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYMO.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEMy.exe

Filesize
219KB

MD5
80a02553d65d947298c0e4476f1c0d99

SHA1
067c84561a7126d196f0558f00aec46d3966761a

SHA256
f483ae1c02a92ecc1ec9546bb87378236bf7179b27c8fc583b56c0a84b524973

SHA512
dfd58516e9335c49c777e794467407d5df164349e80e773642fc68a407b2554dcc1ed351725b364404b35942d8c9ff6d05dbe14bd0415d2ad68c3000249153a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OccS.exe

Filesize
558KB

MD5
10ed8ea7376a677685ca50f7197df462

SHA1
e553c515f76c557754d8ab5a9d7c3c5e52b68328

SHA256
171b1f0be7dd10ff21a8500d44b621078d7e6a1c0b8bb22916463fbcbb34035b

SHA512
361f2c690c9da4ee4c37148c62e883ef60fa64a05ca38d0b1eeadbb2db799855156218e0835b5a9dde2dd08fbf4761883ed761e199704fc4171e98a3252cab1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsoY.exe

Filesize
859KB

MD5
a018c2e71eebcfb593e4874d9f0cf1de

SHA1
538b7194d1032a7581bd631f9cea54a8a7dda134

SHA256
782293697596ad5cc4509744375e2d26d9eb37cb4d1f218111a28a59339381b8

SHA512
8fb1533e50e5dfa88e92dc77e06940d579513d7a025f804dbc7742f7656fbd4d0e17cd31fe204fdcae6b501f7d560c75ba59cd5ce5b127aba46b868f5413a45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUAe.exe

Filesize
202KB

MD5
8b586cd7bae653dc0f99fb920b0d1f6b

SHA1
a7dde0434161ec8ed38625aa114be205db743652

SHA256
df00ff5cbb5b54d73c7676e2b3feba144b4c4cda6cc07dea9d645998b4389001

SHA512
ee4c27c363ed09d019d3d0216d657a6fccc1bae3ecf3917c10a951c151ef4b0ea9ee77c96dde18d40cfeefabf87fbb000d87bc6edaeea84b4a0a13bca85d30f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYoq.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcsW.exe

Filesize
207KB

MD5
228eb76e372d75fbbdcb30b71537ad54

SHA1
d6e9976a2bca4c80fba41ec1029440040121a419

SHA256
cb29eeeac3e9505c243126aa4ac6b9ceb693f3b1668e0a80ef31216ed9548b3b

SHA512
4e9ba91e00a0daea6c00795b0e61bf5cb46d0ee7788d6593941cec3a6e52ac78dcd6562153c0eeaf2b9bec148466e2bc329552b4d5b70fb4385a452e9a2536c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qgcq.exe

Filesize
218KB

MD5
84a7f4952054526bdf40f8e2108b49e9

SHA1
502a4b87fcf0c75be5c581ee7872d4fae1da6ff5

SHA256
2b657720f711578a057d234a5752997a36c6492d53ef0aa4c2fa2974dd36b875

SHA512
7a9db7e325c84d35a32d36fc83d3d8b6981c9b43a36a68b0c8f5226f38443b6cc04840bf09053cc1765ca5518e0f983e9ce545671ede459f26b580ddd7373cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkEK.exe

Filesize
202KB

MD5
6f2567cca8f38bb5e93af7f2d4ded6dd

SHA1
d0286badcc51b3909fe3d0323f8663300bd40fb1

SHA256
e8c9b159651d3a7aea28ef26387662d2518c4581114a4f2e51ba02dfedb51636

SHA512
8cfec579237cf0c7ba50c733a4579591927f89b95fe1f016642afca00e74bcee0b7065f97f26ddbdf2b5e9afab8a102261cf882c1e527203f5d62c51aa3450e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoIQ.exe

Filesize
5.9MB

MD5
ade10b7d448c7316517f03b22bee77a8

SHA1
2c4b3de86184a26c7d7f1195d4f0220dc0617c70

SHA256
94decbff96cf6d740a984ee9992c3d9c9f9615f33bdad98173c5b08505560cbe

SHA512
1d616d338d2c27eebc245f33e388a5a8a78bcd740aa0f98009b7b941323d87c164f46dcace3f0c52f765dce222b44b3846b1c80017249dbea2d6d93f783eb59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIkW.exe

Filesize
188KB

MD5
d8fa5981cb8815c9fe75a75dcade2c38

SHA1
8ec6303600db1e1c9230fbd0ca6773b4729fa70e

SHA256
09f3cb9c30dc4a21a698e36c86dfd808b8b7497a374907d4de04bdf4a24e3417

SHA512
08ca528a890181672569a9dcb4d72881e1c40d0ffb8294ea570632d67932f0af1e53707bfe3cdd91baeea55bccc8d9a2bc02337b6598c109151f3a7c3aafec99

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIsM.exe

Filesize
818KB

MD5
5cbb388f86a28c5506bb753d09e0e470

SHA1
1073e742a3bb0a11e359ca1baa27f852cf3269ac

SHA256
d7d38b0535374d22afb4c66905c415f31768df439a28bdf28f4302cb7ef3d316

SHA512
f74fa6a145a73bf3034eba2f88020841074e93183c0d9852830984be62f99b974c18e179fa2aa07440cb172cb41aa098ab400d15f31f8ec18e69f1c4c1584501

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMsA.exe

Filesize
195KB

MD5
4a239f8b78869d32dfa4fe2623b0c211

SHA1
9ef1be3ab310bb315d750a5f551869e49e3bf19b

SHA256
b16aedf6e97a92b7c0c261d013363a2e37ba73abe409a6eafb6a480a4f0cfc6d

SHA512
02568129e41a7df95cc95383c83818308f3d6b1286eec11eff49271e3175ddc0f052ded9e02f9bd4e03f59537e03d2d2ed36698690ed76ea1fe9d33fef92726d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgsA.exe

Filesize
202KB

MD5
05ffc70bed410a01924f068c8cd30275

SHA1
9fb3a3528417d81ecb027de2e4bdc4f74fc544d5

SHA256
d701e6968db59ab3948703f943ed72636144b511f2d19c12f5ff8b5b7ac101e7

SHA512
e6b44b1825b620c58f22c8500d9196512260f6f0351ba806adfa8829efe19036ca7f2aeac7776b08bd064daf3fd7c0b6ec9884357eb45ce575b3f0048283c355

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAUq.exe

Filesize
201KB

MD5
ed42ff603901a14a34355b9e9b1b2673

SHA1
9bf78415dc3c42bac7cea4f84d1e61151960cfff

SHA256
585a1178c4126a4e2004926c69b074e0fa053a18f98f07dada7694eb055ff3c9

SHA512
faaf6a5faf31d3dacc48439cdfc6458f7f6004aedbd6611341554337e35ed0b1b618527133a7e88cf8bd25447036429b5ffea43043d4a7564d331ba8014f1ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIwK.exe

Filesize
226KB

MD5
bd7b664f83e72c81e1ee8aa92185a712

SHA1
3d811fc4ba46127da745e0e1988f6fae6780d724

SHA256
9b327cbc2eb287b37f342b3b73765bad7c4ef3b499be5fdb25e1b87785f0efea

SHA512
5cea35f6c1c4a55bdc5efad1c09bd80f2b454164ecb3de65568a6c4eb3fc75d140d59bdf293bd19c678843e7d0572a00960ba0f9a9ef7f7ac8fdf5207e3f1690

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwkE.exe

Filesize
200KB

MD5
826148ec735097ec364d0104ecb1e4c8

SHA1
3134b6897754c6e05c0be9566c5a328cd225a438

SHA256
4b361688cc6af78e765fbb1535350c94533bd3a9cafd508930c0307da05c6aa5

SHA512
6b956a1cb16d12faad75c3ee16b875248d676f2bddadfaf8c3e079edc28d754c62c42b00eb999fcbf0f8ce9c03d97ab43d3ad2dbc45583a31f04805c4b9f5ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEgS.exe

Filesize
189KB

MD5
cac8d25af0e5f4414d57fe41c26069bb

SHA1
050f5a85483f99bb6a1f7ab4eb100eda2d172df4

SHA256
13df8bc4304c038fea4a0f863a9cc58730ed27fb49f58b1a8e49f61cd7e5664a

SHA512
dff6c7685a401b5e435447ef17595d47c67d108e10604b2eabc31fcb2da3a4f79b502d6f4d8bc1825a56cf76f4cf15162efc0e7d08000044a734cd3066ae8d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMEo.exe

Filesize
188KB

MD5
722be9c8f53f3591ab9f9fa92ee832ba

SHA1
85c138121978cd0c11e03486d025f54a8c1b31bf

SHA256
c3e9328e338582fa19a289ef81ec3bfdc093e34440c1565e6555f4e20adea012

SHA512
29f68b57f430539b3685f594485053c921d879a8ae9c4a3ee3622f985a5e2db55de8041cb066b45a1087fd9729bb07b51a0889a9951cd3c609adde931e92a166

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYwQ.exe

Filesize
191KB

MD5
625f90c0ad2fad66e277e70e5a4baf66

SHA1
2ed8b53cdeddbc93b453d48e72bf23c2cb537884

SHA256
be32e91202a35f6325f8462436b0d93312654ba94379c8ab8bb841e56cf551d6

SHA512
e649d16a13af068699bf15d30df9840dbacc00802387cede4636c1c706441db872bdc7a772ff586b63a3df8bf94656ef2cd1019b8ae68e877b5ee87a04925cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoAu.exe

Filesize
196KB

MD5
4327cdbc93fe0fe24c0b94606223efae

SHA1
deae9a8a7d6af4dfc8185f0e7c60cc3d07dd2e9b

SHA256
03a1420c338b62c4f27115945e64afd043aa98dc0dc70ca1faf39042dd9603ca

SHA512
266186240e69cdc9a48a42887c0b98aee8531e2d1b5d52c730a497c5e249cc1bc5e7f0d208cbb1672c86eb8e4c46512618b5df7f6d95b4bddc8b8c96d9998c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwIw.exe

Filesize
208KB

MD5
488470f9bd3a55c66aa71a7f7789b5d2

SHA1
fe8af5a8640b708ca01cfae98d4821093d187186

SHA256
9804257fa8aac5ed38d574b0d81dec3fb494623458980b3dad3d55bdf199da6f

SHA512
51dffb17be914ff616140f796af11ecd0bc47cdba854877881cf6a4ac2c797d0b64ed11549ea23a4405a83b6a5761b5eda91154ebfb86c6f97391f6e8d1db061

Download Submit
C:\Users\Admin\AppData\Local\Temp\a376ad480944f8a6e3dd1fe3a260a9d6196b88010a91e1af0883d2f44bc29784

Filesize
6KB

MD5
c5a954c9c675475ac522b45ffd52d03a

SHA1
1fc5bf8d724c665da276aa3284942b1b9d822935

SHA256
a1030522425b3258e21b3fd2a1dbafef2ed07154142dead7e9b7f4ae667c8726

SHA512
8828630868f5b8b694c4cbcca3f995ae55f2edf7a93e970aa11fccddd484fc4b869389dff9875c1c890e7e6c32050d669e42f009eee8fa519f94e865e4164da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\asgM.exe

Filesize
185KB

MD5
20898c76c0cc26ef8f31981df0fc43d6

SHA1
f2229e2efe2af10ed99a7805767646be9e74f47c

SHA256
abe105b3743738e2741921257e708f4574fc05e048cabbc46d52e293870fa314

SHA512
14f258b7cbf0deeac2e16ea612975e7477292d7406f8c5137aab78c8e0c9d2c28858b07971644ba1e8eb98830b1b717c09683fa2832eb837ca6c6970acf47bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIkg.exe

Filesize
194KB

MD5
98af92233803024297744df5eb165b61

SHA1
b249e8533bd68ddb609a0da0ecaf8524d6ad3aa0

SHA256
14524878d8223c8eb41f57c2f96be4a4615a1ddc49d9d66bbb34593eb27bb4d6

SHA512
f6eb9c1abd03881c53eb56fbfc7fb43f81bee6b033530207261a27aaaac4a5f33afba3349402d1babc2722f57b12c1af15af57bc8e847e9cd9c195e89a67da9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIsg.exe

Filesize
215KB

MD5
bee11fb89f5822589ca10aa398d2d103

SHA1
0b5b0b8d06bef97814711da07ba3618d98a92b6a

SHA256
b5a588a5bfc596e0bba1ff7041a11dc8ff59e7f78cf809bebee6daabae4d9e7c

SHA512
482d46254e82cfdebd48f3bb9e3e7910e83ea9f151836421a71b7c73366af141f3ba3c4b8b40b5b55cc2d7f3b49bd3b75863e4aeefef7bf469248a548dc2d46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIwQ.exe

Filesize
908KB

MD5
9f4ee909fca6ca9b29a22f4efc047b76

SHA1
b46e8f24e1f10087abe05b3fdcb4ffbebc8c36ae

SHA256
e9c3732990ff970bbabee457477d4853425ca2bf35245073162b75a37d970b26

SHA512
b57780f7b9a02007d4edef58f84a9d0731130db8a18756d0c39924f548322e574fa9ff32677d80d328406e3c15abe19eb25682a84a8a24db5daad2cd78d03c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMom.exe

Filesize
523KB

MD5
222b553d38b72c9214e5eb2238182ddd

SHA1
2c133aecfff842996847024638336a81b0160302

SHA256
2f8f75c26a452a6a1db2dba9e447378d0166e3b93db429a77cd912fa723ab604

SHA512
d7afb0865553370eed5ffa9469f8d547ce30eeeb98e66004bd720ab0e6d35e7dea549984bee5b77090fc2c7e5e24393fdf566078c536a109b10ad5f38eb25b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYcg.exe

Filesize
201KB

MD5
ffca6aac49798af706768d4023088f6b

SHA1
4a9d1e79f5861b23737ee46b158f397d878ad6f3

SHA256
2c761bff2537d9cb6f540670ba26fd74eb2704a16fbca1e511af1a2661147f01

SHA512
9f80c2f5cfac8f62a47b64f7c7181899f7fae362a8db6e98856546df92631bbef4c8cca17fbd00b6c803d38667602b69a0bb4e15b56ad17f05e0e00f14647090

Download Submit
C:\Users\Admin\AppData\Local\Temp\coME.exe

Filesize
205KB

MD5
8803c771ed60fa212b3199aafd04cbad

SHA1
49c368b31ec4f977fc3d281707aeb79048ed6657

SHA256
ef7dec9faa579b5b91afbdda1ac6a5071489c7f2d0064ca32b50db16f1e3bccb

SHA512
8c6b245e1cc1064bffec9fe71a48e745f149c09a5ee1b8a02b4c34dfaeca71ea18b3afdb1e1345ac9ee9412afd0fee6c209175aa8b47d165c203e8eb1132e615

Download Submit
C:\Users\Admin\AppData\Local\Temp\coYM.exe

Filesize
188KB

MD5
188459ebddc8c4240eecc8c00a6ca412

SHA1
6598297531113c4aba25278aac858f1d5aecc545

SHA256
6b11b1c59626ac3aa1c437c14acbae50cec4ca32d61ded133621393886579255

SHA512
7d1a778a2294e96c21432df24f6b0647ea46c22d22f89db31d76de13cb855543fc33081906943df2a0ccdd56f0adbd73dce0bc2e980e0b8574fd5c6bb52920d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\deoYgsMQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEoK.exe

Filesize
194KB

MD5
35e6113e546288e4c5dba8da93ab8421

SHA1
d7ab9e77f853c7dc10f6f53f0a89691c23dd657f

SHA256
44f19322dadafb2f52a3891aaa5577e464289b2c171ea38f80b1f54ee07086f6

SHA512
a277aa68674470340bf0a0f94747ad86023ae978fbc4f8ac0b1c0fb56cb5e87efdaf85d6c1aaee94c3358e18083e781633ba07836ed1ca2ee5b405b179b17a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMIk.exe

Filesize
191KB

MD5
c5e6e61b7e5ddba336104845cd724025

SHA1
533cb9575b3fe75f83846af9b4c9744188bfae1d

SHA256
995b0c40d42563257149b02678c653a85e616014ab1bb7022429638a16845aa1

SHA512
aa254bffc04dfe605455fd4ec9475c5f89c75631b53ef5eb0908eccb55578f7dd7c9ef10b5ead84e7f0f0d42f51219eeb502fecd73df50242bdc2789a7a5f1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekYK.exe

Filesize
198KB

MD5
38b93585b0cacc53f47c5e05405ce106

SHA1
fd3687d5cff68afd23782fd51dc8a5ea6cf4edbe

SHA256
6bff2e3df0ab0c771a0edeccfb18916e877c5989e3ecfb9500e08c413bbc88f3

SHA512
4e6468ac63d98f1f12884bd7d76bb37476d34e9b445b49729512d2ec2a35c5e720db6a90e95bf842c1b7659d76f790fbf114031093fb076c7c1ed1211439d427

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIsG.exe

Filesize
182KB

MD5
c6ae885310bf4bed7befe46318c57c37

SHA1
0029ac454bb21e5b6231de05d787d0fac584ab20

SHA256
03ba9ecb0051ff3eabeb00af1f76800d112a4004cb7e877c6b929bfe1722eda9

SHA512
e9f9417d058993f0bebd8cfd74a6633f4a2bf155210297bbb4c5199bdbe0c02c5b20da10ed4bf6ec8eb161b04269092fe272f54a6fd92d547db4eea477bf3ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYQq.exe

Filesize
208KB

MD5
6f2962e0bc72c22228de48ed685ca049

SHA1
4d77454a1036935f84c14ba3e835bd35b9cde05a

SHA256
f39b64f2e18c2ac778baead0f8052f103ccd0627e34b1fbe2d43a6a6d4bb9a38

SHA512
817af9be9a348029d827de29228de96de23fc3798bf21b98a4747adb51a081bde36769f6e99f131a50f7654705303617b476b34c2c4539d45c206c5179406fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYYS.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkEw.exe

Filesize
789KB

MD5
f331bbaae3b9f9fa17bf42ef3bcb0836

SHA1
1a3658dab040e60667346b9aa2ba469edf6728f6

SHA256
2f061f4da40f28979303e7204192579a594acf7ba4dd2299714e3dc0260338c3

SHA512
f41084c1ceb5c4bc28a2cecec543166f21f13337ac8388439297863c70d9473bfc9614319e2cf56370036a7963324676779f908e9c0d49703305d49c2f097c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIMQ.exe

Filesize
272KB

MD5
f53d89aaa93a7de3a67d977b68c3933d

SHA1
67e3b9854df0d2340cb17b97f188b6ea56d19210

SHA256
cbbdeb359a7e20aee375cf9f4ee53184aef8d9658db377bf2b91c26f5a6dda12

SHA512
df4346117824e16586cc8a7abe45eb21f9aa9a42bb2583a7f201457ab7ea66abc519272fa77c8111d25e885f917df901606780b1cdd2c58953350e09ca578540

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQwM.exe

Filesize
5.9MB

MD5
1bf1eb0a90829ee348990f9be9875b41

SHA1
2c819e210b9b4e102f3369bc1f514a1db660e611

SHA256
715d4729aed089b6be035dbf455c8b85bd75a504276fa54a95e636e6af742211

SHA512
1cc2e341589378fde940c28785a95783ea5772f44218d8fc0293fd7052ffebbc21f8f100695742c9fb077bd9125fae99077e93fe9c325e455af5c30766da8048

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYUk.exe

Filesize
195KB

MD5
3a40bfeb606a03c73b6cacae0f078477

SHA1
451a9947365c2ba66be1dd9baa58d006c6316cc3

SHA256
eb3284e151a22f558126d9b1c6deabb17318dbc05fe0c3bf11455b5fccebd15e

SHA512
619a5a2df9a904aaede16b5bff28c3cd725ac72cf360e90aef5e4b26dc515c8728a3a5c80a69d8969369e24d16f8dfcbf5ac95beb6d64b57afbd6909bbce2c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYoy.exe

Filesize
205KB

MD5
a26550c754510ffcbae5a2d5a0297f84

SHA1
0cec2fe639fb77941ad4236b443f4f71e2cb9307

SHA256
1253b952e2951098c05a1cc1fa41c729346a34131b3eedd9c7aec225494d5ef0

SHA512
24cb7725283ce5c4e459806022c9b2fb99b0e584fa461952bbb2eb680defdda3f0107007f963383d6fc1872aee94db74ea59227e79371715b521d098fd01554d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQUY.exe

Filesize
5.9MB

MD5
abf1fd137928d453f1dbfa208ff2606f

SHA1
cdbf5870f30e950888d12b9c39f6e2ea365f7926

SHA256
a76a09592dfb37f848eda49af46a3af55d7c1201165ca8846470cf7225bc277c

SHA512
9e701074ec21d05076be89a181ce713c75d12b7c33ed956189fac089d6daeef8e97bdb3560ef7a65545750a926236b3fe721609242fd73b7f1f94e1221cb6009

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUwA.exe

Filesize
188KB

MD5
6fd6975b50faf0a48bc778632d76807e

SHA1
63a31696de846f9f736dcf15dd5162c920c2b971

SHA256
9cb749af1dc27950343ad7d68061cf247997bcb858f6f81c61347f53e2266e5c

SHA512
665964cece3881e68047193cfea66b1f2ae406a94080e8bf05246dab41981c9736e53a32c52f80f0120a9fa1605df28bbceb8da1d5d452dbc9f1b913891681ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\kggI.exe

Filesize
193KB

MD5
9aba6df95fcdb6bde88248a4720de823

SHA1
71eaa49a8ebff42b702b55d88465514404d2d630

SHA256
6af2f54d50a532901155def6a92222bf159005a688ff39c92baeee88c6566dfa

SHA512
6c6b27f0dfdd25c30ac855b04d7cc25ba83ec42622285f4c0de59e317b3c9e258de026e509cde2295696a8aaef74e8b5c2ccb0628d8e3ae2030749623660c9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kowq.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwAG.exe

Filesize
214KB

MD5
4d393ea8852981208ca51e136143b1be

SHA1
0be0024ceef0b6567829aa319e79f4a7db46a51c

SHA256
dfaf9c02d99d201625193cab76bfc3c2c5a7ec064b59ce4edc79e982be0c5d04

SHA512
663d25e6ad925c93f4b70e5a93547ce529b1399ff7ccefaa3bdd4ec0eaa88afe98ca0cd8a565d6598bcf3dcb45b1a45fdc4a9ee9fdf52607d5a517664b47a520

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwEa.exe

Filesize
236KB

MD5
7adf4aac9824dff7ad9651517d5aea46

SHA1
389ccb7a920fc1119053c4caf87d71e157136059

SHA256
8db4afa65a0e8e1242aa551fbb50c058a83ed92f1c9ead7cf0125852ee1bc935

SHA512
2b4dbd0b07cdef2b6c307755e97f76d3b6cc516bf947466faad25f08d1615ed23c065c2d960f37c7832aeb1db93b2eb7b35311163c8fb86db85373a8a73a7661

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwUI.exe

Filesize
188KB

MD5
06ecda567707112d866abe656fdfadd4

SHA1
008e6e7c2bdd270905cef8f15f840342cea03a5e

SHA256
14fec5df668fe95f389c00427d6752048f2a813e30db6ffc105890e1dab5e750

SHA512
f684f97dd7194b708083852ea6d1822c5e0aba717328b31c8435310ce4a97f803db7b1971bb020900e25648cc49f389a866daa5909cdf9aeca6079e3246b3c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwoI.exe

Filesize
803KB

MD5
b5f5d155ca348584ef040ec267cd0378

SHA1
0bf5f2af7da20df5f85a9e2e7b336e161ef7270b

SHA256
a60f641ad9b356a77b9aa87080417840d69cd9a7d9ae4a332080de785cbb0d47

SHA512
a41374821b12e798221bb931f6f7402e96ace95ffadcaaf45131bcf8509053af66dc141048743f7e4e564993eed538856183e393911c1fd220312315b6ea04f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQYk.exe

Filesize
188KB

MD5
07889ca411cd7b3cf5435085e05a8f93

SHA1
3233a01d81ebacff988f3cf5f56375364b75b77d

SHA256
e526aac252d210033698463a40bbf4bffb49e520da6ab9a97398a580e6734f34

SHA512
50a3b03b736c548a2558f2d2e6c59d6f8eae10c8d7cc64fb9b41318f508483fce7ec79ac04608d20db085be5c5aee6529acf3802fcf7cd66eb7b740cde580aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUUA.exe

Filesize
198KB

MD5
01d8676bf7d5c19d015179b2677fb068

SHA1
54c2c41702644900429ad12bdbafd83d349ed59e

SHA256
2eb3427912e797688dd0e86bf64f962e68e69c1052be71e9449f9aa219999fa5

SHA512
9703ad9eaeb0b624f0726ec632badd64dc8898490442cf25af2187e313d4a6679aa33e76b938fcc369b30652a27be971b7ad8c80d236b726d917b1d1ee80967d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYAa.exe

Filesize
186KB

MD5
3df32e0413ab1a180ce10f60665f42a2

SHA1
d19765a11c3a1c13a6a6ef30b08f2502bd6b0247

SHA256
c97129f3ea6101863bd30a62b5c4b923f7d6d93ce1937f224b0862d14525847d

SHA512
8d71f86191d134aa7b5cba90bd16240b16c1f1435ce200a08c982efc0d188900246c4b85d4dfbfc8bcabfc50f967a79cc2c0850330764c19a7c6fa88d587846e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogEa.exe

Filesize
317KB

MD5
c22dbdd388d0813f41b8e536b99529ab

SHA1
8ca108af07e0c79a8f31337f9bdef5d4c9015207

SHA256
8c41915b403e94c62175294b9ab2fb4225807256caf31ef36d478433c22d72fc

SHA512
23d92be4f1dd46b444b6a3a047b280e2cede5e72b5c60e8111082d576dc8d699e794e886062ec0b3993a9216e8bdbea74737f9ad618c756e8dfad74b62f60f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogsc.exe

Filesize
821KB

MD5
06d202cbe313e168c9f9da6753524d2a

SHA1
7629bc2203109d55a0392d54c5faab29ad6cc8dc

SHA256
9a96bb812e3264d81d1c74a03f6ff2d7ae797b22c20762c1fe8dda23d849dfb3

SHA512
8a3990941f703d325fc890313b047664218677c06d0dfd37791782bad7415da7a746b22deda528d2681e08be9f079005ff42b1ec36b66da54759a36517bcd058

Download Submit
C:\Users\Admin\AppData\Local\Temp\okIW.exe

Filesize
204KB

MD5
5035ce5d857b3db973b0eedbdae53d7e

SHA1
a9c10c33d1ea19972a55a1ffddcef57e4e634845

SHA256
f331844c4610774d448bdf4dca36a08691c82ddefab65fbc9ea2ba9403c982f6

SHA512
ee5275c978b9f688d991b93abcabcb81782a27e9bd74cac72fb2f885d547ee9b17bcf2aa379d040615ac3456b3b12bb6dc9405efb6e808942754075cd3120daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooIq.exe

Filesize
188KB

MD5
6c141d7088b6bdad5eea49042057ee44

SHA1
e38da886d27c995bcc4925ac1ee8f83927c890a7

SHA256
8e9bfbcbaa917aa4e1f79ac9e3dec160994dc010cd19f8d3d15863eb07e31696

SHA512
f52894becfa705c15d1cad6efb4c228d1127f1624640a4bb8fd101a05d1613c1971b689e25da93d4959c39eadd82fef078dadbe4649c9fce732d7ef7173d4443

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIMq.exe

Filesize
190KB

MD5
58a254d78e48b335698bd0d271a4b6b7

SHA1
f426b672c16187a63bd75a2092afe00df2960cf4

SHA256
4d66b5d9f173861a8740c943ed82b5d9a73257e9d80dd139400754df29e649dd

SHA512
c53f197cead9471458c2e1418cc19eb91b930ea332dedfe44b3f6d161d0bc97d4cba2299a73fdff63af0d411db8c0727b5ec322f0d814157073d5dc62c936504

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQsk.exe

Filesize
206KB

MD5
ebcd6f7dfa19772b67d5949e1a5e5d06

SHA1
3351ae554ad263eea69920d8c95835a6d51ac01e

SHA256
70fd38a436dea274521c54472bbd3413f26b90faa2db245bbb816af92d8bb9a8

SHA512
fd26bd27b65209e6e385847d7fe80051cc0fd1dd381d071b4708ea4f9d3249af5e3ee68f857cefd289e1d0712386062e676086af9b26d9143142d227655349a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qowQ.exe

Filesize
409KB

MD5
ce9f7a4c32802887cb1e0395de91b754

SHA1
d855b7be153861d209566f989cc7322a53e14f08

SHA256
bea79292d964ea045b9f8f9fcd3c11a905601f412e2e1156e9dfa21dc25d3705

SHA512
a7cf35c3dc07908c9ab329b17424926826098cdfaf6ae600e69d114d4780e3d4e4e1e359adc133060c196d33a0c6ddeb4f643ae2ecc03e695dc325829af00126

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsgg.exe

Filesize
227KB

MD5
3d9f2462aab9bcfdd8af3fd546bf7faf

SHA1
ee46f897c1bed6b1e9d8c2c46b24d4d05edd27e0

SHA256
27a8d7ab7154c3c24dd5743a5c0eb87987c5044375a73441188f9c46cbca8d05

SHA512
af1b7a495ebeb25c88e99fb016e27a5a4068193dc105e9fba8833e3cdee6769f0f3ea5b4d9b1a389b6e1caa0ea735338ff519de286db27249cc9a48a87ad81de

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAwO.exe

Filesize
812KB

MD5
48cda2fc0e45bb93d8ff781af71faeb7

SHA1
59485f8b02471def0b3f250584dde308fa4b8af5

SHA256
1049093ddc1b3abf2a1152be9df667024cdcfd16f5d5c847a754f9e94682db0f

SHA512
1a81eb58520a55a2cb265b78780dbe7e0df6e68a0bc7ae6f652530c1122307b39a8acb44d832fe5dee863cea205752852c92cfeb3cc6d1a96e3da0a333523a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMIy.exe

Filesize
804KB

MD5
81682f66ee32a795e69db39f384c2501

SHA1
c685c7f1a928aa50b892518e2fc6fca06a09fe5c

SHA256
0c4d6df450b9db9250f980a2ddfa41252c41e24e9d37904571b3d219767d52cd

SHA512
299a4e8f5e23b93c951526c2b9f7bfe7d6da0db576e1b78a818a5390dbcf89b69bd3aa2507b6eec467b6630efe5c53e8bec16b2c4cbf6918ca4b88ec04990846

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMkK.exe

Filesize
205KB

MD5
ed71ae9737bfecfb7116a37de9e1ac15

SHA1
124961a26f83accd962aef27b96d5406664f6565

SHA256
6a7ecd9c76ceab58b19929f930ab9bd427599b0d9f8bc5511108785fd675f31c

SHA512
0490c4a56aedf232b01973c61cb98650ccd9d553adde04c4c5d18f1e7e2228f5d89a8f679fbd825ebcf587795f19760917b3ae95914de66e4795a1b4e3b8c4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYMO.exe

Filesize
200KB

MD5
df90ae73078db1a124f0d88e2db7a89e

SHA1
b601afdcb2b1ea2b1171db7eb824f873ff40f00f

SHA256
354aa44908d094a72afd621ac37f11398ee7a2e313c9a43104465397f4b7cfc7

SHA512
1378c1a99ae6c10efef28bd6d4b50129c626c9c78d969ba625d7aef935b291acd3b65bb2c2c12d960ddc4c6896585590cbb3ee0bb9b24b618fe30df50e1b7953

Download Submit
C:\Users\Admin\AppData\Local\Temp\sccC.exe

Filesize
5.9MB

MD5
2810d3e5969e59fac7dbf83a315b06ab

SHA1
d7173763d3f921ffd1efa1f94d15198e6cf971d7

SHA256
628eef0ab3df2c3b76f920ed4894133d451a134ab07bfebbb139d04d544610ba

SHA512
121c6ec5e4150cd3a4a9fb796423146009210300947330fd1d81988187626f8924af9abd428705ccbe6bfb512433e7a814aa02ca309862f3cabefb7d9755ceb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssQC.exe

Filesize
637KB

MD5
c9a73c1d31a4a3d12201de7651a07169

SHA1
590f28acdebf0c33bb998a0600185bc1e6c66dfb

SHA256
0f3a63549eec6a61e88dec81fd0ab226e4388adc365208ff0f0f71f47b3edf5a

SHA512
58f014c35808ef38691e79525965f6d888e8f3e6e0cb43ef3ba375663441583af30249b4fb435d8d430d040ce3fbe8b5e7e6f00a34e7a459ca7eab588416922d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAge.exe

Filesize
205KB

MD5
c563786194f552a690e97642d0409c8f

SHA1
8f34d8ad07191746498d8ae9bfa463c0f87eed96

SHA256
32428607014cbaf9a72a0c4660d9a060530708a63b187ae8ed0710ebeabfbbe9

SHA512
73932244c9dbc4fc0b48e71c65ad0721c86340f5d8cbe8fdff640428fe29d63540ed96608fe191ee044c5d9b57acf2e2f7031c187a6f1c9e812d331760c81a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQQm.exe

Filesize
600KB

MD5
8e6f70cc4d640eeb271673a2cbf875a6

SHA1
ab7d8fe44cc49eca2b3dd581a4076f2906b166bf

SHA256
e98166f99fde39b9986eb47e2d5dd8bf2ae23e494b3ec46931829cb521629f6a

SHA512
857f840d41d658f05418194f61985f55e67c6cd92161253bac951fdcdd7b1f3fb846e1cc8eda2905e59cacad817bb96697570b3d7346bbb28f3de63c611d67c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucUo.exe

Filesize
206KB

MD5
530f2457cf4e8b1095f957e2558233c1

SHA1
d5a688db97ff7ef220673ce78a927c91bd856471

SHA256
a03f97a19a56c1f8cb030246b0dd6367c4b8c55948b5d4cf8208057973696782

SHA512
e261de26c1d7cae730c55523337bfed3bdca21450e221a2baddd23e8e6e67e80f51bc315214fe2df904f1dc7fa8ee710914b39c9ab1f79caf9b8cb9d8f67960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugAW.exe

Filesize
182KB

MD5
1bcb5e6a27665a0a27868c093f7be614

SHA1
9e038917108472b381fb886fb9c4788f053c373c

SHA256
40d585c984c3bec1e45b5eb36cb0cefdb359b01e32c3e8a0533c75524c29959d

SHA512
51f29775e993dbb9c99489c961c5ce6083ef3c37f7e7caeccb20d90fb99859c337458651d05d69f575d7d8da2010a276cbcf6bdf269993c50486c2f7ad6e1dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukYK.exe

Filesize
821KB

MD5
2134ca35d4e88786e0b1bc16001a967a

SHA1
a3e3cf097f637bb6431812659f484493a7902d0f

SHA256
3446e5760c24a063e357a00a5217bcae8a5e9f707563abeaed32f790a3ad924a

SHA512
1630d18884f189bec958247ec2d7311db125cc07fb681db8f81971dd4c4fd0b2f0f946a3fb53ff3cef5c1f36f29396554481a4765ce5f9f9e805f3b3bb52bd10

Download Submit
C:\Users\Admin\AppData\Local\Temp\usIS.exe

Filesize
204KB

MD5
8e0a633d07a881b8a32f97ec012f6373

SHA1
f554a32b564362a279b91640354d0fd976aefa19

SHA256
abfe3e47072c45f1542d4361ae3ca75ce6987ab1dd0ec82233686c985b39a307

SHA512
ec655aed5b233f39d5a1c36c18c502bcda5a3fa468c86d96753c80dcabf446adfc12b1776fc869687d7706084513225360b1e834d7c58f4c1cdd65d5249a98c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\usYU.exe

Filesize
610KB

MD5
76b1e7e21fd3650b83de9de81fd4d9a2

SHA1
c857f1a7757c9551fe00479c890924fe4a14091b

SHA256
6d3718ec9128ef823cb59c1d1d2262e6ebfcb6218dfd06ed204220aa0216fb78

SHA512
6d370c34135aa159d2065bed507b027a978842ca250f0593b91a2653f75920eab0789bba8de7fa784b636346e3ee22cbe85e985cfab0d9d2a6bf99050481cb0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQUC.exe

Filesize
219KB

MD5
49d2ea421c72b6354c02732bc75ec28a

SHA1
5e700df59b0965eaa88d34090a8ab5891e3979d6

SHA256
e7403e698889547e0539661225427fed55d482419313976c4d6d79c4f3832bef

SHA512
d248462b520b276eea24bbdd913cd16960361960eaf28e8e8abd649959390082960dfc7ae059881242592b9238d5884a068285ead96714fcf1a826a4dd74fc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUQo.exe

Filesize
1.8MB

MD5
193075237477b8be4808015797fe0c18

SHA1
2aa3a370f7d11f3125de166260aa49e4316b4838

SHA256
06d4d9037e9bf91f5fd5c555d9d29ea538aa6119ba84f093f959ec3aba827bca

SHA512
a82eb743dec106c69210368c3eff24319c74226c4fbb9544f9d2a0795af744fba44e45f789cde817d45727c81775aaa1f1807116bb6e8c1261da8e59ac3f94f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wksy.exe

Filesize
5.9MB

MD5
4e98ed5f6f539d9bebc670ef6e906352

SHA1
a198d3b175c0f224b3b0bd1605653f42c50b9e8c

SHA256
f10e612fa07d6fa8561b61823df67cf6db10166bf36322500cde4e6245a1d128

SHA512
97d9f47183c309414922727522df466fd3d32eadb52e392b9ae5c68f7b2ff140dfb0913ba1ce8f7a9c1d5bd3f6b1e2c54ce2f98c12d41847c88ee21117c4cb5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsoI.exe

Filesize
797KB

MD5
8055a2842d011070ba9258ba70deadfd

SHA1
6394dcba3093764796569bfe6d6f83c4f0960bd0

SHA256
f0f1a02ad96046d41b704a400fe2b50544094864e131f955d635b0417f92b135

SHA512
3d14ad408826d7c2979324e1326bcdd23043afb07bea0cdbe702036a344d4e2b20c5a65a42a3d1c82028ceee08757e6e4b8271571367b7c0621facc1b2cf69c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQkS.exe

Filesize
205KB

MD5
b6fa9beeabcc72fbf33a2ba4fe586bab

SHA1
791f389d1682f43c9fad59b363cc8f770b11a8c2

SHA256
3056572c7947ec2c53b5c5443d94195c06eb096c5b645484607f87190687aa3c

SHA512
c80605fdd013f3546117157dd2e4857d798529025c6ab05b7917f61d502de50eae70fdc296e376b78bd01a7f53bfdb9dd8c9b8e991d8075d7fa6af8c8e2d108a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUEI.exe

Filesize
196KB

MD5
6b0348cfc626818a0d077d96a1fc3697

SHA1
b84d884e807884296bb381eeb99804405e982165

SHA256
4356ccc2b063a2bc0594f01ea7767f018f8a1f4501a7e9866af07fce09810e73

SHA512
eea9d9070e661f26c9cefc156ccd52b823fa5e0910e3f1df55ec862e8ea2e8fa83ad68deb305da197090dc42e9409f0a7243e2cdc633ceaf3cd90a790be9522a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yocW.exe

Filesize
315KB

MD5
3663ba96b265e1d83c147ee78d4bc763

SHA1
2c3e99885fcc1442779dad0699f4da943a439359

SHA256
71d422aec88c4f957a67d014d0ee34999bac7e296cc80edb01cb5ee4ae291f60

SHA512
4aeb7cc1b49a54aca28ac514fe441ef172166b705b2597786a09e873ef5a81fafb4f225545f90ea248a6408a14f8016a867b8a9ea54b7c4e49fc238054d7c7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywYC.exe

Filesize
190KB

MD5
5aaf96215017341d44d506685baf8ac1

SHA1
37a26e04ae48419cb817b4013e1aec225c95d054

SHA256
d8b7649ff952b4916b5f57546b4661018f26e0c24a51c8ee54295f3a7b6513b8

SHA512
f58aafbbd6434f9ac19337f59fb299672b096120f9876af7a6cff56b56eb141a8cbc42b7bdfda41daad8c94a440329f12838b1f435cbc9c936ad61791f3bd97f

Download Submit
C:\Users\Admin\Downloads\EditEnter.zip.exe

Filesize
921KB

MD5
fc1a1ebdb3f62aeb880ddebb45373717

SHA1
fc0376d1e08397400570c391cf5ab2804164c712

SHA256
11df3665e4027122b76a872585e0f633c0dce44d229e69bbacd1a7a81d5f855b

SHA512
c557b18e916fba53ef36c225d561d47d9bcb0c0bd8ed67eed600f56fdd5ba88fa3b216beaaa312a33be797f07756338f2d08542e561e8b4274cba12be9397eac

Download Submit
C:\Users\Admin\FMcEIoYo\CAAwgIcw.exe

Filesize
184KB

MD5
1af1ff052057dd0d0af2e1b8ee040560

SHA1
be8ec861d48a9b5c1426796bbd7f11ffe5e68cdf

SHA256
6d6911e35cf9797e8e38ae9de481a92c80c2f983a8d5f0ddebfe0b2448614680

SHA512
2e0159e3b18b8feff14a75f0d61e7ca07a5fb71ca5361a935e01d6bd91a91470980f150ad3e84f9deaf5edc0d03044f4f2ad8ced6c15d14b43f1c4309ea7f1d2

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.9MB

MD5
f986b4cd09956803b99a8689d46d37c8

SHA1
271bcaae5b40f0abf76689ad083ee21ec3d044da

SHA256
f4ff60ede4787cd12a79058ed490fea435e6ad5dbcb87d6f7155ac3f6f4d50ca

SHA512
e17e9f23e0ceddeabb0ebec103dacc56f3cfa12ff85c52f200697764fb2e345a9219f56f936c8c849340092b19209ff81b7046cfd4a69f7c00497393cc2d3912

Download Submit
memory/372-299-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/372-312-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/612-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/612-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/612-238-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/612-476-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/724-523-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/724-510-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/728-496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/728-483-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/900-289-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/900-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/916-308-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/916-321-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1052-380-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1052-393-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1056-129-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1208-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1208-229-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1396-431-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1396-419-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-505-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-226-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-492-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-210-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1464-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1464-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1496-439-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1496-427-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1524-164-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1592-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1592-77-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1876-137-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1876-345-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1876-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1876-355-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1920-402-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1920-389-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2072-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2072-337-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2096-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2148-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2148-89-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2392-326-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2392-341-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2560-53-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2560-70-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2592-526-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-449-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2796-354-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2796-365-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2816-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-266-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2848-247-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-501-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-514-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2948-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3080-360-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3080-375-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3188-343-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3436-487-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3788-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3788-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3944-271-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3944-284-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4004-458-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4004-450-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4080-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4080-398-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4088-422-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4088-413-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4216-344-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4268-213-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4352-201-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4352-186-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4420-30-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4420-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4436-293-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4436-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4484-330-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4484-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4564-190-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4564-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4684-141-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4684-66-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4684-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4684-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4876-371-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4876-384-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4944-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4944-178-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5116-468-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5116-460-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download