asyncrat | 12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd

max time kernel
2s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

764KB
MD5

85e3d4ac5a6ef32fb93764c090ef32b7
SHA1

adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
SHA256

4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
SHA512

a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
SSDEEP

12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH

Score

10^/10

asyncrat quasar remcos stealc xred xworm crypt default logsdiller backdoor discovery persistence pyinstaller rat spyware stealer themida trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

ratlordvc.ddns.net:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
tesst.exe
install_folder
%AppData%

aes.plain

Extracted

Family

stealc

Botnet

LogsDiller

http://185.235.128.145

Attributes

url_path
/b86b4c54b3438806.php

Extracted

Family

remcos

Botnet

Crypt

185.225.73.67:1050

Attributes

audio_folder
576ruythg6534trewf
audio_path
%WinDir%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
76y5trfed675ytg.exe
copy_folder
kjhgfdc
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
654ytrf654trf654ytgref.dat
keylog_flag
false
keylog_folder
67yrtg564tr6754yter
mouse_option
false
mutex
89765y4tergfw6587ryute-80UMP1
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
67y4htergf65trgewfd654tyrfg
screenshot_path
%Temp%
screenshot_time
10
startup_value
6754ytr756ytr7654yretg8765uyt
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
bank

Extracted

Family

stealc

Botnet

default

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

xworm

147.185.221.22:47930

127.0.0.1:47930

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000024317-1348.dat	family_xworm
behavioral1/memory/6972-1600-0x0000000000010000-0x0000000000028000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0013000000024382-4519.dat	family_quasar

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000024301-280.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
4512	._cache_4363463463464363463463463.exe
748	Synaptics.exe
456	Synaptics.exe
5800	._cache_Synaptics.exe
1464	._cache_Synaptics.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000024303-472.dat	themida
behavioral1/memory/5616-1181-0x0000000000FC0000-0x000000000183E000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	4363463463464363463463463.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
52	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
183	ipinfo.io
184	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe
File created	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0003000000023156-1921.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
11748	15592	WerFault.exe
1076	11744	Process not Found	2015
6836	24104	Process not Found
7536	23604	Process not Found	2238
11412	8876	Process not Found	1291
5180	20196	Process not Found	2146
16068	7664	WerFault.exe	1836
19644	9296	WerFault.exe	1825
6892	16792	WerFault.exe
9104	16892	WerFault.exe
4240	24232	Process not Found	2370

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
7744	timeout.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4363463463464363463463463.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
12744	reg.exe
11764	reg.exe
9220	reg.exe
11756	reg.exe
8568	reg.exe
16988	reg.exe
14740	reg.exe
14308	reg.exe
4936	reg.exe
12944	reg.exe
5964	reg.exe
20096	reg.exe
8320	reg.exe
8888	reg.exe
9072	reg.exe
3740	reg.exe
14316	reg.exe
12556	reg.exe
4104	reg.exe
16772	reg.exe
6704	reg.exe
6944	reg.exe
15584	reg.exe
13168	reg.exe
18012	Process not Found
8980	reg.exe
9064	reg.exe
17056	reg.exe
5340	reg.exe
13392	reg.exe
400	reg.exe
13700	reg.exe
12872	reg.exe
15700	reg.exe
9960	reg.exe
7496	reg.exe
1176	reg.exe
11608	reg.exe
12472	reg.exe
12916	reg.exe
14220	reg.exe
16580	reg.exe
14392	reg.exe
13008	reg.exe
5752	reg.exe
13516	reg.exe
7028	reg.exe
19540	reg.exe
16552	Process not Found
15700	reg.exe
8788	reg.exe
5024	reg.exe
18744	reg.exe
19616	reg.exe
5208	reg.exe
14220	reg.exe
1236	reg.exe
4936	reg.exe
10156	reg.exe
18332	reg.exe
13756	reg.exe
16940	reg.exe
100	reg.exe
11576	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4704	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4512	._cache_4363463463464363463463463.exe
Token: SeDebugPrivilege	5800	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5128 wrote to memory of 4512	5128	4363463463464363463463463.exe	89
PID 5128 wrote to memory of 4512	5128	4363463463464363463463463.exe	89
PID 5128 wrote to memory of 4512	5128	4363463463464363463463463.exe	89
PID 5128 wrote to memory of 748	5128	4363463463464363463463463.exe	93
PID 5128 wrote to memory of 748	5128	4363463463464363463463463.exe	93
PID 5128 wrote to memory of 748	5128	4363463463464363463463463.exe	93
PID 556 wrote to memory of 456	556	cmd.exe	94
PID 556 wrote to memory of 456	556	cmd.exe	94
PID 556 wrote to memory of 456	556	cmd.exe	94
PID 748 wrote to memory of 5800	748	Synaptics.exe	95
PID 748 wrote to memory of 5800	748	Synaptics.exe	95
PID 748 wrote to memory of 5800	748	Synaptics.exe	95
PID 456 wrote to memory of 1464	456	Synaptics.exe	98
PID 456 wrote to memory of 1464	456	Synaptics.exe	98
PID 456 wrote to memory of 1464	456	Synaptics.exe	98

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5128
- C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
    3⤵
    PID:1844
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1052
- - C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe"
    3⤵
    PID:5616
- - C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe"
    3⤵
    PID:872
- - C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
    3⤵
    PID:6972
- - C:\Users\Admin\AppData\Local\Temp\Files\2020.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\2020.exe"
    3⤵
    PID:11576
  - - C:\Users\Admin\AppData\Local\Temp\Files\2020.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\2020.exe"
      4⤵
      PID:14364
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:15764
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5800
  - - C:\Users\Admin\AppData\Local\Temp\Files\d4cye08a.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\d4cye08a.exe"
      4⤵
      PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\Files\NOTallowedtocrypt.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\NOTallowedtocrypt.exe"
      4⤵
      PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:3684
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Modifies registry key
        
        PID:4104
    - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
        
        "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
        5⤵
        
        PID:5428
  - - C:\Users\Admin\AppData\Local\Temp\Files\installer_ver12.22.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\installer_ver12.22.exe"
      4⤵
      PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:556
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\SysWOW64\._cache_Synaptics.exe
    "C:\Windows\system32\._cache_Synaptics.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1464
  - - C:\Windows\SysWOW64\Files\ddosziller.exe
      "C:\Windows\System32\Files\ddosziller.exe"
      4⤵
      PID:336
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "tesst" /tr '"C:\Users\Admin\AppData\Roaming\tesst.exe"' & exit
        5⤵
        
        PID:1888
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "tesst" /tr '"C:\Users\Admin\AppData\Roaming\tesst.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp93C4.tmp.bat""
        5⤵
        
        PID:1924
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:7744
      - C:\Users\Admin\AppData\Roaming\tesst.exe
        
        "C:\Users\Admin\AppData\Roaming\tesst.exe"
        6⤵
        
        PID:11172
  - - C:\Windows\SysWOW64\Files\hiya.exe
      "C:\Windows\System32\Files\hiya.exe"
      4⤵
      PID:6104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.funletters.net/readme.htm
        5⤵
        
        PID:6628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x360,0x7ffa7432f208,0x7ffa7432f214,0x7ffa7432f220
        6⤵
        
        PID:6692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1692,i,17406970905158857367,11479452822064574037,262144 --variations-seed-version --mojo-platform-channel-handle=2548 /prefetch:3
        6⤵
        
        PID:5124
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2440,i,17406970905158857367,11479452822064574037,262144 --variations-seed-version --mojo-platform-channel-handle=2428 /prefetch:2
        6⤵
        
        PID:1952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1892,i,17406970905158857367,11479452822064574037,262144 --variations-seed-version --mojo-platform-channel-handle=2584 /prefetch:8
        6⤵
        
        PID:6212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3440,i,17406970905158857367,11479452822064574037,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
        6⤵
        
        PID:7724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3432,i,17406970905158857367,11479452822064574037,262144 --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:1
        6⤵
        
        PID:7720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4824,i,17406970905158857367,11479452822064574037,262144 --variations-seed-version --mojo-platform-channel-handle=4800 /prefetch:1
        6⤵
        
        PID:9452
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5196,i,17406970905158857367,11479452822064574037,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:8
        6⤵
        
        PID:3704
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5204,i,17406970905158857367,11479452822064574037,262144 --variations-seed-version --mojo-platform-channel-handle=5292 /prefetch:8
        6⤵
        
        PID:9304
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5552,i,17406970905158857367,11479452822064574037,262144 --variations-seed-version --mojo-platform-channel-handle=4888 /prefetch:8
        6⤵
        
        PID:7652
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5768,i,17406970905158857367,11479452822064574037,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:1
        6⤵
        
        PID:11692
  - - C:\Windows\SysWOW64\Files\Mswgoudnv.exe
      "C:\Windows\System32\Files\Mswgoudnv.exe"
      4⤵
      PID:4176
  - - C:\Windows\SysWOW64\Files\NOTallowedtocrypt.exe
      "C:\Windows\System32\Files\NOTallowedtocrypt.exe"
      4⤵
      PID:4060
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:6664
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Modifies registry key
        
        PID:7028
    - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
        
        "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
        5⤵
        
        PID:7220

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:4136
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:3632
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:5752
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:4080
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:3740
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:3292
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:4308
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:1236
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:2392
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:4588
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:6944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5092
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:3956
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:7084
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:9064
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:7136
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:6844
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:8568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:400
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:6764
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:8788
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:6868
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:6592
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:9220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:1336
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:6568
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:9072
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:6484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5296
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:440
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:1176
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:5232
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:4480
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:8888

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c8 0x440
1⤵
PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6724
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6732
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:6804
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:6572
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:100
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:7096
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:5696
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6284
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:7776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:5932
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:7156
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:11764
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:5456
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:7308
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:11576
  - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
      "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
      4⤵
      PID:10220
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:9356
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Modifies registry key
        
        PID:14740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:2800
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:5304
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:5480
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:12472
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:2104
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:12716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:4960
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:6296
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:6588
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:11756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7164
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:8288
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:12744
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:8308
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:8720
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:12916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:4696
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:8172
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:5176
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:12944
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:1828
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:8392
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:13168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6688
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:8240
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:8480
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:13008
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:8516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6760
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:5260
- - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
    "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
    3⤵
    PID:16424
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:17372
  - - \??\c:\program files (x86)\internet explorer\iexplore.exe
      "c:\program files (x86)\internet explorer\iexplore.exe"
      4⤵
      PID:11372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5620
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:8412
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:8188
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:4936
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:9228
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:9360
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:14220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5548
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:8436
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:6364
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:14308
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:3024
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:9748
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:14392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5700
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:8904
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:9676
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:7496
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:9964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:2568
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:9236
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:9456
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:13392
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:9500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:4712
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:9060
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:9248
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:14316
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:9280
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:9540
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:13700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5264
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:9040

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:7660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6888
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:10336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5192
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:11216
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:8896
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:14220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6360
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:11260
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:10452
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:5208
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:6984
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:11364
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:12556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:3524
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:11044
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:11184
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:400
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:5608
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:5304
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:4936
  - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
      "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
      4⤵
      PID:9716
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:15480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5012
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:7104
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:5340
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:6356
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:10964
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:16580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6940
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:11284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7600
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:11344
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:11720
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:11736
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:11932
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:17056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:2772
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:11444
- - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
    "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
    3⤵
    PID:9324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:3560
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:12576
- - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
    "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
    3⤵
    PID:14764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:4088
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:12984
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:13204
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:16940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:400
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:12828
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:13212
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:12492
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:13760
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:16988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7736
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:13184
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:5544
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:13348
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:14088
  - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
      "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
      4⤵
      PID:15632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8324
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:13328
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:14020
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:9960
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:14056
  - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
      "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
      4⤵
      PID:10972
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:17344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8332
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:14244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8552
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:14472
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:14564
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:14584
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:14780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8560
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:14872
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:15176
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:15584
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:15208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8580
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:14548
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:14708
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:14732
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:15028
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:15700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8588
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:13176
- - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
    "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
    3⤵
    PID:19552
  - - \??\c:\program files (x86)\internet explorer\iexplore.exe
      "c:\program files (x86)\internet explorer\iexplore.exe"
      4⤵
      PID:14112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8628
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:14964
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:15512
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:15700
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:15592
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:15972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 15592 -s 1092
      4⤵
      Program crash
      PID:11748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8636
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:7360
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:13496
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:6704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8648
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:14608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8840
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:7512
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9012
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:15232
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:15544
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:15568
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:15040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9020
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:14724
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:15296
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:15324
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:15836
  - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
      "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
      4⤵
      PID:10916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9212
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:14360
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:16844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9124
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:12820
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:12956
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:8320
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:12976
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:13252
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:11608
  - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
      "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
      4⤵
      PID:8
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:11060
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        
        PID:8032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9172
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:14692
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:15668
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:15684
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:16380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5560
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:17056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9260
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:15288
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:15520
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:15536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9272
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:15272
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:16724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9476
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:16152
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:16396
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:16412
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:16900
  - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
      "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
      4⤵
      PID:17400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9484
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:14168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9696
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:16144
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:15616
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:15388
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:16808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9704
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:16820
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:14392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10140
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:16052
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:13980
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:14928
  - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
      "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
      4⤵
      PID:18292
    - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
        
        "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
        5⤵
        
        PID:15296
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        
        PID:19016
  - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
      "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
      4⤵
      PID:19732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10152
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:16600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10184
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:16792
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:16976
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:17156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 16792 -s 1100
    3⤵
    - Program crash
    PID:6892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10196
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:16892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 16892 -s 528
    3⤵
    - Program crash
    PID:9104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9768
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:15372
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:16980
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:15796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9788
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:8748

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:10324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10488
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:13748
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:16472
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:9136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10500
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:15936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10792
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:16056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10804
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:17012
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:9168
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:3848
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:10136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10888
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:14936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10900
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:10064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10912
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:15844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10924
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:15456
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:9024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11068
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:8708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11080
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:10680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11092
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:12556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11104
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:16076
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:12768
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:16016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11208
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:8912
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:15848
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:10912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:4736
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:12348
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:15728
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:10996
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:14004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7884
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10392
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:6360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6752
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:16580
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:14696
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:10284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10108
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8164
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:16776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12156
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12164
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:15692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12192
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:15848
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:16528
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:16772
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:16500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12208
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:13432
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:12768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12216
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:10284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12240
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:8760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12248
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:10556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5700
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:10044
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:12828
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:13756
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:16768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12384
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:14944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12636
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12836
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:13536
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:16156
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:19540
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:10656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13088
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:9848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7772
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:12512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12516
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:15344
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:7360
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:18332
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:14552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13132
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:17248
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:6872
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:14312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12572
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:12676
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:10428
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:12872
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:11468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:4692
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:6712
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:10132
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:7808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13568
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13676
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:15288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14272
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:4268
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:16484
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:11032
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:15136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14280
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:7112
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:11844
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:12352
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14288
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:6216
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:17100
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:20096
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:11068
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:15152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14296
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:13524
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:12968
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:11944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14748
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:7064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14756
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14976
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:16172
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:15324
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:16712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14984
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:12760
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:11928
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:5964
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:13520
  - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
      "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
      4⤵
      PID:8036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15184
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:8744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15192
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:14476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5964
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:17248
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:8616
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:18816
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:14604
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:12852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9580
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:15224
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:13668
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:17392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12916
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:14120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14528
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:17048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14792
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:13096
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:11640
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:18744
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:12428
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:8220
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:13516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17024
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:6360
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:9900
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:9204
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:15856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17032
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:16084
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:4928
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:10816
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17124
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:13468
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:13596
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8348
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:7632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15432
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:15088
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:12776
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:14488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6288
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:13080
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:10828
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 16892 -ip 16892
1⤵
PID:8048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8056
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:9164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15368
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:7088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15696
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:12252
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:13248
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:11136
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:216
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:19616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 15684 -ip 15684
1⤵
PID:15908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 8308 -ip 8308
1⤵
PID:16160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9984
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:6700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 3120 -ip 3120
1⤵
PID:15976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12056
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:7108
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:17692
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:17740
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:18188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6580
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:10320
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:18080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11144
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:12412
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:15812
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:10156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 15568 -ip 15568
1⤵
PID:13872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1464 -ip 1464
1⤵
PID:16016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10140
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:5496
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:17520
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:17552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 11736 -ip 11736
1⤵
PID:12480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 10336 -ip 10336
1⤵
PID:17068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 15936 -ip 15936
1⤵
PID:12360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 7360 -ip 7360
1⤵
PID:10428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 7512 -ip 7512
1⤵
PID:11336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 12984 -ip 12984
1⤵
PID:11388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 9716 -ip 9716
1⤵
PID:16556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:2824
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:20048
- - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
    "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
    3⤵
    PID:19236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:2428
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:12952
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:19736
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:8
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:20328
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:8980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 15592 -ip 15592
1⤵
PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15840
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:13236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:892
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:6700
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:18756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7604
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:18276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:14684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:4572
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:14164
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:12060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11876
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:19340
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:17624
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:16144
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:16692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9160
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:20212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 10284 -ip 10284
1⤵
PID:16324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14240
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:20196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7888
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:8840
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12108
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:9296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 9296 -s 524
    3⤵
    - Program crash
    PID:19644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15892
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:11076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10836
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5244
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:12824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:4892
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:13060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6700 -ip 6700
1⤵
PID:11200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 15536 -ip 15536
1⤵
PID:15956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10612
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:18480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16624
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:11336
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:16356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16320
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:7664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7664 -s 408
    3⤵
    - Program crash
    PID:16068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:564
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:15876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14660
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:16368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15112
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:18828
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:14404
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:6972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16016
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:12216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16440
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:8912
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:17916
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:14136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:1188
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:2120

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:4360
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17544
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:20464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17724
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:10264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13172
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:13540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:20136
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:5088
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:9332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:20148
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:20196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19696
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:13596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19776
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:18496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:20116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:20124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17472
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:17760
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:15236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:20092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 8912 -ip 8912
1⤵
PID:100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:6892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:20120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:20016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:17496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:19900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:16336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 9296 -ip 9296
1⤵
PID:11472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:14644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 7664 -ip 7664
1⤵
PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 20196 -ip 20196
1⤵
PID:11076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:18600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:15252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:13584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12380

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\67yrtg564tr6754yter\654ytrf654trf654ytgref.dat

Filesize
890B

MD5
d8cbb3f177bc49f4c811988c704ccf88

SHA1
4d29724a02df2a449d61b9bce0c30fa2cd3609a3

SHA256
ce417637a1b2a47272a3937313c585fe60e4adbdb7b5f96f43710f170b63dfb0

SHA512
7d7655dbbe5fdf76efc85274561a8cc7eb53d0e62951311e5e54f6e0d216ad5992dd127f5ea53c23db3d32780f8892880bb5cf87519cac4e21ed6b8e0535a262

Download Submit
C:\ProgramData\67yrtg564tr6754yter\654ytrf654trf654ytgref.dat

Filesize
5KB

MD5
b0a15398e99886dd58cb19bfc21a684c

SHA1
4e671f34a8326344f1f45861cec340ce12167e78

SHA256
b76c33f8a5bbbb86c7191892cf77b67d25dc38a8dd86c7f726728d526445c4d2

SHA512
6aa6152bd35ca945826f680c6e4e6460d82f7354d87ce65cd030f127a52873d95669b3d9b571ca9dacbaae75da87b04f10008fe3405c4aae65d3f65540431cf6

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
764KB

MD5
85e3d4ac5a6ef32fb93764c090ef32b7

SHA1
adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52

SHA256
4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1

SHA512
a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
df2d1721cd4e4eff7049314710dc7c11

SHA1
f5aed0158b2c0a00302f743841188881d811637a

SHA256
ba336ffd1b01965d7ab0e5fac5415e43cb594139c76b19e4c0d9b5b3b67c1e93

SHA512
11fd520176193f284563c7d050e6a7ab4e9895bac49fdc05759bab2c8a69f224858ccc784b351fc1d3ee5d39345430f9234623c9390978d7daf6a08ff5576ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
481d0fda4685ad67336f3db7cbf51e3e

SHA1
d3aa2c2783e2ad5d9414f0461e33b3c517f149c4

SHA256
bb311a4b83a5cd00007a6d80676b8cd62996a82c6bd0c49afde70cb571bd3819

SHA512
072fb323e37fe335a3eb467bd0544865748acd486eeffd73843f533bb37dd232572a7f1c9f3d1ed05c1665d81eaad100ce9fbea1a36e44d5937a8f788f3172aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5814db.TMP

Filesize
3KB

MD5
7dc104cbdead37688057bef26ed12fe8

SHA1
dbdef959a5e45545ba4564ffac879c8d45811cdc

SHA256
f7d190821b6229d6bbf2a1f8ca50157caa5a0a7e539dbbece1a16324240d1cdd

SHA512
afcd1b18dd80fd26d647d3c2f91d38ba9a0b86274dd3647d1344f46ea29b13735c27c162e4aa08aa56b857ba01058415b01d8969c7c90b192c8af6c9bff5de76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\7373ba36-f479-4190-b7d3-604dd3453be9.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
0cfe22aea80b747468416654e41ccd4e

SHA1
e24d623f7a2652aff0d4cd1ccbad285055583fe2

SHA256
1bcdec88ce0eb5541d95101ee3a8fb23a150c9f237ae0f43cc709a6faecfa3ca

SHA512
52cb04e7b775a35afaba8f979bd968cdff30c68eabcf1ced6450fa0c9f052680cb849c9a37373cef4eb1cdb7ecafe62e7ec91d883ad5f15f4db02e5f2ce6ee95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
9797387dc3517ec2ed31f3269298f8c5

SHA1
0afcd0f46670f213df73e61e6ad638332d0c3195

SHA256
9c6e238fb5ba4e1c4d15f3b26745bd5e1e3e1be23e9e0044defdd82b0741cbf5

SHA512
9b9dd1cf7a3afa29de3498d3147a38ddf4ed7a02c0ef8b78c9ae3f1e47630261b4b58f383d65d584fceb884e995d50289b46f39cf06c76f202891fef706faaf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
90664717e0d6385e2b60c25fd666bb4e

SHA1
86b4384196dd775c723732340d5c0e7f2dad70b1

SHA256
751db7b0aae134a31dad090a8c87945585f31445ee944e59a1915db27f258c85

SHA512
9679ae79b6d9523062f801703bf4d0732a21b1c0ab4369b6d242bcb530d1c1506c0c3a7ecafc9e03f5ba8a42c321a31de744f7c25dd6f0df0d16e86deb730aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
48482929ca2e70b6b6b0cefc5b8ee28a

SHA1
16745d59f87b117ec6d57cd65c5110f022b1daff

SHA256
905ce4c1186f9d226bcd9ddcfe102c6f25980866e16e03e34fb84ddd23049b80

SHA512
83c4aeaadfc8d592a19054c883223472f5f487873e4057c8dd53c690c119787ae0dabb4065ffe81b2485952b2cb27c2d4f3314686843d03732d5019dbf5c63cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
d1166bb96425ada08dd8c95fc7824be4

SHA1
e16e42d0ba5953da66b45a39f84338a225e97aef

SHA256
416dc9544b9e552d2a8fcda922395a4af518a86abc2751161d9f77a4be11dc51

SHA512
f9f05a448cf27ff3635c23882caf3f1dd00167b8972261eefa9a75b7355781eaba279aa73bf70ebcdf751e0ad87c6e57ec5ab792284d67c8fa603c0c63386e9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
16461011ba63c2fed608c8f27d4e74a7

SHA1
e372196c8c7ed1b2f770c1d267eb5db3f1301ed3

SHA256
71eb364f11a837ad4f348432257dc3db1cf54c3a16acba824e1dfd2ef0704938

SHA512
0e6d79ef0987d1d916664d09660dffed7ac833c9132c58405bdb5354d1db58a464810b6c736c1932a8143b6beade90a5f264efef6d2937b13f7e5a94957d3ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
18174f53e4e1883d8d24f2072b2e73aa

SHA1
ecf3dd62adec9feee6d4084bd863b9b149287989

SHA256
d9074d4924668503412e7909f376d55c045e4720c0c2a9ec9ab7ab5f5cfccde5

SHA512
ba8e97962610613d1e42bb5b3e681d5bcd788f5cb0b43c722665ef4df1bf7083c9449f9f0e7e01683d7a360f776573e081b921eba06c8fc39affbf285b318b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\67y4htergf65trgewfd654tyrfg\time_20250414_144551.jpg

Filesize
76KB

MD5
0fcadf46723926ae7420f2c56308a19d

SHA1
7810798586721a82d98c0be06484dd5b5cd9b901

SHA256
da289b6f1339860439a2395d5a84155128f24c48cfe90a8c695708f471cba843

SHA512
408e892a065a43889661f97679e19dd43ab968379f285f208040f2b9bbaa59e8c0f622a808234556a0e5c7d32367c2846fdc7c617fa810a2b3d7dc66085633d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\67y4htergf65trgewfd654tyrfg\time_20250414_144556.jpg

Filesize
87KB

MD5
c7dc2dc18b78d46c3bab07b52db7b811

SHA1
0069e38f67b6a4e10f3a488b62f954205f40a633

SHA256
12a181202ef9d72be2105982c5b3e1da14062f712abb51e02f9fd26bebc9e1c0

SHA512
2a62417fe52011dc69d5f842142f7a74972eb8bbc7a5a7f84bebee880d0f0dace75ee03b53d6fae62243837abbc586291536d76f29cb359b4b29de762377d8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\67y4htergf65trgewfd654tyrfg\time_20250414_144559.jpg

Filesize
70KB

MD5
54d82928086ed43c56083dfd7d19d5e5

SHA1
e5982c02fee0bfbdd18a3418520804ea9c665166

SHA256
d080355850e4f00847ad6f28d12338dd7f39f99e46a0ff73e9a1bb71d416ec12

SHA512
3f71fc65739808e8f05a2a1ae0c65d191f126e09240f9a3bbd075792b8b01c8d66524c02af72ee50bfd64f911b433f4897e5075717c1af6289a3351fcddf0a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\67y4htergf65trgewfd654tyrfg\time_20250414_144613.jpg

Filesize
15KB

MD5
db45c7ee6cb294e35d61db1d1aeea8d1

SHA1
cb35f2da5f9b27563636732752265f3e875addea

SHA256
4af14a000d98941a25f2bf1319e1f9cf7368930ccb7a82afc9ea6edd93d85a05

SHA512
832372cfe6e62e060f5cc66a2b0734a3879227ccc25f9d13c5e024073ce529203cca5a4a5dd53adce46ddc49ae6b69ed0e34154295907b963564880570834b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE775E00

Filesize
20KB

MD5
7be55b0038ca71114838c56a4da26198

SHA1
7be5a6ee059a9f1884c65d25643696c352565ff0

SHA256
0604a6f49c4def45458a30fec41b210fcd906b2f54572350310932a454546a59

SHA512
afd440378daca43207514138e01728cc2d477d9c2a8513a09aebfaf32fe904cd8ea95aa0f8f9f0c0cc20f1330c1963823445eaa40eb783e49f9f8cf66161caca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

Filesize
242KB

MD5
41d0e0e338931efb7d8ff33804f99d0d

SHA1
618f80e08ca187bf5866d139e6569e70931912d8

SHA256
7c9ff41945cf9b4eb61dff6f1e6da787916fd8fa441ca281065e4cf786028dab

SHA512
84d3a39a7c0a162a02096085a261d224c0a54f6d9e1cc4235aa72b19e54d5ac35a8bb48bb0c4fc53cb2a9272ce371d618714d0381e08cce6bf3522f46ded40a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\2020.exe

Filesize
12.3MB

MD5
95606667ac40795394f910864b1f8cc4

SHA1
e7de36b5e85369d55a948bedb2391f8fae2da9cf

SHA256
6f2964216c81a6f67309680b7590dfd4df31a19c7fc73917fa8057b9a194b617

SHA512
fab43d361900a8d7f1a17c51455d4eedbbd3aec23d11cdb92ec1fb339fc018701320f18a2a6b63285aaafafea30fa614777d30cdf410ffd7698a48437760a142

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
3.1MB

MD5
11563580013b8994395ff739dc37ed4a

SHA1
c527a22166dc153687ca33a8d964687459a6b669

SHA256
7f5817c430e3906dbf287f92d2f5b140272644d7b2e902d2a343cba51c5bc7e1

SHA512
4047470a756067ca4a4a038c080039945f37220fba7554ecad5d4912d4ea8611bd5efa5f72bbc7084ecfdbee3d63e8a163b675639572e2b9f21253f4c6e93e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Final.exe

Filesize
308KB

MD5
d5b8ac0d80c99e7dda0d9df17c159f3d

SHA1
ae1e0aeb3fbba55999b74047ee2b8bb4e45f108a

SHA256
c330322b774eb263b008178ff707e13b843fd7df62445cca3c52356509c26f78

SHA512
2637cc05aa402832dadbf48431f1add417b69a8351de2a5edae80283da7a6924166ea56bc85865dfa993d88f467d8f540528627e5cbe64cc67ec8d5a3d6655bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NOTallowedtocrypt.exe

Filesize
475KB

MD5
2b8f487213f3da1f42779e22d7b02d1a

SHA1
77c96429d6facbd1900290c9cbfed378103b8e01

SHA256
a4da37e92ca54c8851ad144fba875b61e2018f69bbe43b11926d8f8d831b56f0

SHA512
2db88a30fdfc1e859edb7229b2073449b5d57640e484e21d78047fd674fc194c2c790995621b4d0ed7927ec06e8325c7333a1893227e50d38b2559fc267cc6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WindowsUI.exe

Filesize
847KB

MD5
616b51fce27e45ac6370a4eb0ac463f6

SHA1
be425b40b4da675e9ccf7eb6bc882cb7dcbed05b

SHA256
ba22a9f54751c8fd8b2cfd38cc632bb8b75d54593410468e6ec75bdc0a076ae6

SHA512
7df000e6d4fe7add4370d3ac009717ce9343c4c0c4dbe32ceb23dc5269418c26fd339f7cf37ede6cb96ebe7e3ff1a6090a524f74f64485ba27bd13c893a169b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe

Filesize
464KB

MD5
4c4b53e5e75c14252ea3b8bf17a88f4b

SHA1
08c04b83d2c288346d77ec7bc824be8d7e34e40f

SHA256
799b9238ec23d902f6a9172e6df87f41faff3f639747f5f70478065a35a37598

SHA512
d6738721bcb0ec556a91effaf35c2795257dd0bbe6b038beb2d7843a2f490d66e75cc323dd154216350deee05b47aab6740efe12b869bac6bd299b9a2da699a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\d4cye08a.exe

Filesize
3.4MB

MD5
b96ad6b3be2efdf13980845fff84a3d7

SHA1
b3d8ed271431eab7c4c6a43a6a5556b5f7695aa9

SHA256
4bf82d194408267b8b9d2b4da4c877442a8470fb8fa1d5ba9b149d2a0cdb0b85

SHA512
30c2c3aabd8ea7ba03b7d1fa0530dd2556ec1381c796f5f2c76a27d99c755e1c99e0fda8bd7c3d4aa9bd932d78955e2e0460fc0c605b3eb811630447d5a7361e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe

Filesize
1.6MB

MD5
d4e3a11d9468375f793c4c5c2504a374

SHA1
6dc95fc874fcadac1fc135fd521eddbdcb63b1c6

SHA256
0dc03de0ec34caca989f22de1ad61e7bd6bc1eabc6f993dbed2983f4cc33923d

SHA512
9d87f182f02daafad9b21f8a0f5a0eeedb277f60aa2d21bb8eb660945c153503db35821562f12b82a4e84cef848f1b1391c116ff30606cb495cf2e8ce4634217

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe

Filesize
3.4MB

MD5
b45668e08c03024f2432ff332c319131

SHA1
4bef9109eaeace4107c47858eef2d9d3487e45f0

SHA256
4b5a876b1c230b28c0862d5f8158b3657016709855bf3329d8fea6cada3adbfe

SHA512
538c8471fc0313e68885d4d09140ec3e3374af3464af626195b6387a67b9bae9c3c9fd369d9dc7965decc182d13e8bbf95b4cf96b5ffc78af5d7904d59325bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\installer_ver12.22.exe

Filesize
1.2MB

MD5
95ab25ad6ea4a2a18c08ba4dbe1a06d6

SHA1
dd01fe70a4703b961e58dbd584ac189a44a8ed2b

SHA256
bbe52d4f703bf7b392c7c96ac53b733bbd3db1b21fb533f896fb1330c6f91f24

SHA512
54efd12795e12808f67193e810208ef0ca6cd5415df5648758337c62e47723bcfd750fce5458afdbd2b409feb3bdb67316fab61619093938bf14a4af2bc335d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\mzjfgebm.exe

Filesize
4.4MB

MD5
4e982fcb4a026c2987735c1360b6d969

SHA1
8c265d26382004d0a1777b0981d5cd933935dfbb

SHA256
2cc45efd900411904734536e38a68bef73802abe048e2c54fd677c06c7b34b72

SHA512
245e6ec29fdaeef1b403917b83aa840a525d6853899f3ba5783694192045d1b71e456eb118b32abf5af10e7350555169999cf3e2fd5c87ef16cf8cc7e4684f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\robotic.exe

Filesize
538KB

MD5
6b1bbe4e391cdfd775780d8502ccbc41

SHA1
a910f7ac9ed8fd57f7455f04e99bcd732bc8241a

SHA256
2999b0ecf157b9f37dcfa1cb4a0ffff73092c416499a356fdb1558d66985e9a3

SHA512
9ad2ca4cc8af0b6185be87d9026da5cdac2c52ff15b0fd2ba333ff3a25016e06a294d7cf5cf32b1869a1f5e3692f071f582ba2151ac16f9be738ea7862ab57d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\scj7cm7v.exe

Filesize
395KB

MD5
9a85b43f62ebde2feb56d9151cc71020

SHA1
d2b2f40f793e62b38e0c3ee9eae21df1a6dabbfe

SHA256
29cb81333a68014750ad292c9620b6242cb0cce51d2a9e8e64e6894e25bbcb54

SHA512
a380ff0385d9167e8eed0e5056b6806ef2c6f50a08c23572f023c92f33c1195f4b7f02e164ad9a505c439d6c5a7f33cbfab0ecd2e49de23584ef35c36ad32122

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\setup.exe

Filesize
3.9MB

MD5
835a2a0a948ed3464df9c5811d56a310

SHA1
561b79f5c0c4c88087557d28870a17cbae80a62d

SHA256
e26ededbe9b8f3d8d61d9d8f60ef652df642b51547d9ca2dee23f2cf3f67bebe

SHA512
edcb59d029a1cddfede46645996072dc18c2be900d9662e0c4fa995ce2fce42c85ec925ec444fb97abc7d7e1e32f3f4aec8a846f97744438a6588e9978daaa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe

Filesize
187KB

MD5
e78239a5b0223499bed12a752b893cad

SHA1
a429b46db791f433180ae4993ebb656d2f9393a4

SHA256
80befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89

SHA512
cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
69KB

MD5
35de149d3c81727ea4cce81a09f08581

SHA1
dfa61238834b2f689822ece4f3b9f3c04f46cd0a

SHA256
1803c1f48e626b2ec0e2620649d818ebf546bfe58dffddfbad224f20a8106ba0

SHA512
dc7986c5849b6aa21ce27f0dac697f2a9d069fcd3652f1a50d1d50ab06985b6ea436458cc63dd16d7030be75db7e20c84e62bd05062b06a5ec18e2fca2b50152

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\webhook.exe

Filesize
184KB

MD5
5765bde6d3062b30890598996b671db0

SHA1
5b36dcecd5e3ba131fc05973179bffbbec08291d

SHA256
ebc2dba491422a0c420cc22ffe91483fe4885ecfae57baa2ed207252d9afd5de

SHA512
b7522888759ab43921328457c213d77338abc28cb967c645c82f26295dbc498937bb2c52dd7bb9252693ab3b26e221d26ac516acd2e4eb6fee5bf7f9bb7e839f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\whiteshadow.exe

Filesize
7.9MB

MD5
8398fc4aa3a5a5ab6ae7ed394b449d0a

SHA1
820ce4bb8eb51e31effa41e6829e84089b728760

SHA256
f25fab3f64bad2cd989035dd854b761fe06b97e76291bd180991d21d91ea5c22

SHA512
a44ff33aa8b477ee8a2bae6a3ac93da85df9a5fdf906baaa54b2513396df94b304bc626159e4d95561097bd3d112826e4254069320fc95f3fc167d9350234c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\GS7D9C.tmp

Filesize
44KB

MD5
7d46ea623eba5073b7e3a2834fe58cc9

SHA1
29ad585cdf812c92a7f07ab2e124a0d2721fe727

SHA256
4ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5

SHA512
a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\gs7DDC.tmp

Filesize
24KB

MD5
e667dc95fc4777dfe2922456ccab51e8

SHA1
63677076ce04a2c46125b2b851a6754aa71de833

SHA256
2f15f2ccdc2f8e6e2f5a2969e97755590f0bea72f03d60a59af8f9dd0284d15f

SHA512
c559c48058db84b1fb0216a0b176d1ef774e47558f32e0219ef12f48e787dde1367074c235d855b20e5934553ba023dc3b18764b2a7bef11d72891d2ed9cadef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp93C4.tmp.bat

Filesize
149B

MD5
93d96310b8372694fa68deb60fd5fcd5

SHA1
478e24a89d555b26cf0295c7a99e59459e714555

SHA256
9a16a0be6b9f6685e582ed3bf0d219a33556ace7beff81243aab967a1860ddee

SHA512
dd1ed07357867ddda05fd57b9fe300479e89576d7634b98346d144b4951a644f242bacbd7b2b59c1bf8083dc29ce79de8466694e16819b096b1ea4ea4868fcdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\y7z3QnYA.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\SysWOW64\Files\Mswgoudnv.exe

Filesize
924KB

MD5
de64bb0f39113e48a8499d3401461cf8

SHA1
8d78c2d4701e4596e87e3f09adde214a2a2033e8

SHA256
64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a

SHA512
35b7cdcfb866dcdc79be34066a9ad5a8058b80e68925aeb23708606149841022de17e9d205389c13803c01e356174a2f657773df7d53f889e4e1fc1d68074179

Download Submit
C:\Windows\SysWOW64\Files\ddosziller.exe

Filesize
47KB

MD5
fcd50c790fc613bb52c7cea78a90d7ba

SHA1
06197d1e57e63af0b898de2b8388c447e2c6cc71

SHA256
1a626198cb756125b04335293477b64d6bf0b8c1a3c9dbee117afd247fa477d6

SHA512
1e9c923d08fae0818ba190efa1f7199ded9a04687022832730107cc9f9383262da14555d06f366df2b73123182ad4c9033a7205efc75b9535e39b8e676aef86c

Download Submit
C:\Windows\SysWOW64\Files\hiya.exe

Filesize
75KB

MD5
7f0257538089cd55fecc03bb86a1efe4

SHA1
50850beedb570d80971eaedba25c5ea9ba645feb

SHA256
0809c80c42e094b2695efbe1ca0532bc494b40c1fbd5967b05979c2077633e1f

SHA512
542e1f179976d4d8b370fd81e7633c6fdb33fe0b596e48170b31a04195f9809dc1a2268b6012f001dcd3ed62b068b8a34acc9a3450f1817206ffb1352447cebc

Download Submit
memory/336-284-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/456-258-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/748-475-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/748-129-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/872-1167-0x0000000000F80000-0x00000000011C3000-memory.dmp

Filesize
2.3MB

Download
memory/872-1312-0x0000000000F80000-0x00000000011C3000-memory.dmp

Filesize
2.3MB

Download
memory/1052-287-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1052-291-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1052-289-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1844-286-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/1844-285-0x0000000000A20000-0x0000000000A9A000-memory.dmp

Filesize
488KB

Download
memory/1844-288-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/2392-451-0x0000000000990000-0x0000000000A10000-memory.dmp

Filesize
512KB

Download
memory/2392-453-0x0000000000990000-0x0000000000A10000-memory.dmp

Filesize
512KB

Download
memory/2392-469-0x0000000000990000-0x0000000000A10000-memory.dmp

Filesize
512KB

Download
memory/2392-458-0x0000000000990000-0x0000000000A10000-memory.dmp

Filesize
512KB

Download
memory/2392-459-0x0000000000990000-0x0000000000A10000-memory.dmp

Filesize
512KB

Download
memory/2392-452-0x0000000000990000-0x0000000000A10000-memory.dmp

Filesize
512KB

Download
memory/2968-441-0x0000000000900000-0x0000000000980000-memory.dmp

Filesize
512KB

Download
memory/2968-435-0x0000000000900000-0x0000000000980000-memory.dmp

Filesize
512KB

Download
memory/2968-434-0x0000000000900000-0x0000000000980000-memory.dmp

Filesize
512KB

Download
memory/2968-446-0x0000000000900000-0x0000000000980000-memory.dmp

Filesize
512KB

Download
memory/2968-447-0x0000000000900000-0x0000000000980000-memory.dmp

Filesize
512KB

Download
memory/4176-493-0x0000000005810000-0x00000000058E8000-memory.dmp

Filesize
864KB

Download
memory/4176-485-0x0000000005810000-0x00000000058E8000-memory.dmp

Filesize
864KB

Download
memory/4176-491-0x0000000005810000-0x00000000058E8000-memory.dmp

Filesize
864KB

Download
memory/4176-464-0x0000000000DC0000-0x0000000000EAE000-memory.dmp

Filesize
952KB

Download
memory/4176-465-0x0000000005560000-0x000000000563C000-memory.dmp

Filesize
880KB

Download
memory/4176-471-0x0000000005810000-0x00000000058EE000-memory.dmp

Filesize
888KB

Download
memory/4176-479-0x0000000005810000-0x00000000058E8000-memory.dmp

Filesize
864KB

Download
memory/4176-481-0x0000000005810000-0x00000000058E8000-memory.dmp

Filesize
864KB

Download
memory/4176-478-0x0000000005810000-0x00000000058E8000-memory.dmp

Filesize
864KB

Download
memory/4176-483-0x0000000005810000-0x00000000058E8000-memory.dmp

Filesize
864KB

Download
memory/4176-487-0x0000000005810000-0x00000000058E8000-memory.dmp

Filesize
864KB

Download
memory/4176-1605-0x00000000059E0000-0x0000000005A2C000-memory.dmp

Filesize
304KB

Download
memory/4176-489-0x0000000005810000-0x00000000058E8000-memory.dmp

Filesize
864KB

Download
memory/4176-1604-0x0000000005980000-0x00000000059D8000-memory.dmp

Filesize
352KB

Download
memory/4512-133-0x0000000000070000-0x0000000000078000-memory.dmp

Filesize
32KB

Download
memory/4512-132-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

Filesize
4KB

Download
memory/4512-892-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

Filesize
4KB

Download
memory/4512-183-0x0000000004950000-0x00000000049EC000-memory.dmp

Filesize
624KB

Download
memory/4624-384-0x0000000000400000-0x0000000000CE8000-memory.dmp

Filesize
8.9MB

Download
memory/4624-383-0x0000000000400000-0x0000000000CE8000-memory.dmp

Filesize
8.9MB

Download
memory/4624-390-0x0000000000400000-0x0000000000CE8000-memory.dmp

Filesize
8.9MB

Download
memory/4624-364-0x0000000000400000-0x0000000000CE8000-memory.dmp

Filesize
8.9MB

Download
memory/4624-374-0x0000000000400000-0x0000000000CE8000-memory.dmp

Filesize
8.9MB

Download
memory/4624-375-0x0000000000400000-0x0000000000CE8000-memory.dmp

Filesize
8.9MB

Download
memory/4624-382-0x0000000000400000-0x0000000000CE8000-memory.dmp

Filesize
8.9MB

Download
memory/5128-127-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5128-0-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/5140-466-0x00000000004B0000-0x0000000000530000-memory.dmp

Filesize
512KB

Download
memory/5140-467-0x00000000004B0000-0x0000000000530000-memory.dmp

Filesize
512KB

Download
memory/5616-1181-0x0000000000FC0000-0x000000000183E000-memory.dmp

Filesize
8.5MB

Download
memory/5616-476-0x0000000000FC0000-0x000000000183E000-memory.dmp

Filesize
8.5MB

Download
memory/5616-1305-0x00000000065F0000-0x0000000006B94000-memory.dmp

Filesize
5.6MB

Download
memory/5616-1866-0x0000000000FC0000-0x000000000183E000-memory.dmp

Filesize
8.5MB

Download
memory/5848-259-0x00007FFA58BA0000-0x00007FFA58BB0000-memory.dmp

Filesize
64KB

Download
memory/5848-261-0x00007FFA58BA0000-0x00007FFA58BB0000-memory.dmp

Filesize
64KB

Download
memory/5848-247-0x00007FFA5B130000-0x00007FFA5B140000-memory.dmp

Filesize
64KB

Download
memory/5848-248-0x00007FFA5B130000-0x00007FFA5B140000-memory.dmp

Filesize
64KB

Download
memory/5848-245-0x00007FFA5B130000-0x00007FFA5B140000-memory.dmp

Filesize
64KB

Download
memory/5848-244-0x00007FFA5B130000-0x00007FFA5B140000-memory.dmp

Filesize
64KB

Download
memory/5848-243-0x00007FFA5B130000-0x00007FFA5B140000-memory.dmp

Filesize
64KB

Download
memory/6972-1600-0x0000000000010000-0x0000000000028000-memory.dmp

Filesize
96KB

Download
memory/8876-4287-0x00000000000A0000-0x000000000017A000-memory.dmp

Filesize
872KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads