50710a837e7e04b0ca0672729a2d18aca8f2820e9f16071ac43f604fdb2c9308

Analysis

max time kernel
154s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72fa596bea9904exeexeexeex.exe
Size

196KB
MD5

72fa596bea99044869b1fb4837edd93f
SHA1

f3d93b71db69ed0c6cc4c16a502a5a724f9f9ea6
SHA256

50710a837e7e04b0ca0672729a2d18aca8f2820e9f16071ac43f604fdb2c9308
SHA512

d7237f31458e5c66cbfabc77d9858c53578028ef30e63aca1c1de08f1ed55fc7673bde861188dea80dccc42c060df522b15ba5a8bbd0a7e963ec6b299b82bcf2
SSDEEP

3072:o24UhzMGVrQN3m9vxC4/zgDXRMRPcStGonSj+o/LCES/sK9cJvuXoOf:oBUK8QNeCczyRMxntGonSaIytyw4

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 60 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	72fa596bea9904exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 61 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	NAwEUEYU.exe

Executes dropped EXE 2 IoCs

pid	Process
956	NAwEUEYU.exe
2032	SyYAoAgU.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SyYAoAgU.exe = "C:\\ProgramData\\lIgUssUM\\SyYAoAgU.exe"	SyYAoAgU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAwEUEYU.exe = "C:\\Users\\Admin\\bMUkEAQk\\NAwEUEYU.exe"	72fa596bea9904exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SyYAoAgU.exe = "C:\\ProgramData\\lIgUssUM\\SyYAoAgU.exe"	72fa596bea9904exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAwEUEYU.exe = "C:\\Users\\Admin\\bMUkEAQk\\NAwEUEYU.exe"	NAwEUEYU.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	NAwEUEYU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5104	reg.exe
3832	reg.exe
5008	reg.exe
3836	reg.exe
1368	reg.exe
1232	reg.exe
4716	reg.exe
1528	reg.exe
3344	reg.exe
4044	reg.exe
1176	reg.exe
5004	reg.exe
3780	reg.exe
4932	reg.exe
2044	reg.exe
1176	reg.exe
4340	reg.exe
1008	reg.exe
1320	reg.exe
2392	reg.exe
5104	reg.exe
3748	reg.exe
4632	reg.exe
3052	reg.exe
3792	reg.exe
2716	reg.exe
2056	reg.exe
4984	reg.exe
4600	reg.exe
3500	reg.exe
3664	reg.exe
1628	reg.exe
3392	reg.exe
3832	reg.exe
4432	reg.exe
4644	reg.exe
2452	reg.exe
2156	reg.exe
1708	reg.exe
2304	reg.exe
2184	reg.exe
3832	reg.exe
2044	reg.exe
4548	reg.exe
392	reg.exe
2180	reg.exe
1160	reg.exe
2240	reg.exe
3712	reg.exe
2388	reg.exe
3248	reg.exe
2272	reg.exe
4292	reg.exe
1916	reg.exe
3168	reg.exe
1464	reg.exe
536	reg.exe
4092	reg.exe
3164	reg.exe
1928	reg.exe
3908	reg.exe
1200	reg.exe
4592	reg.exe
3908	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4288	72fa596bea9904exeexeexeex.exe
4288	72fa596bea9904exeexeexeex.exe
4288	72fa596bea9904exeexeexeex.exe
4288	72fa596bea9904exeexeexeex.exe
1200	72fa596bea9904exeexeexeex.exe
1200	72fa596bea9904exeexeexeex.exe
1200	72fa596bea9904exeexeexeex.exe
1200	72fa596bea9904exeexeexeex.exe
3964	72fa596bea9904exeexeexeex.exe
3964	72fa596bea9904exeexeexeex.exe
3964	72fa596bea9904exeexeexeex.exe
3964	72fa596bea9904exeexeexeex.exe
4772	Conhost.exe
4772	Conhost.exe
4772	Conhost.exe
4772	Conhost.exe
988	Conhost.exe
988	Conhost.exe
988	Conhost.exe
988	Conhost.exe
4256	Conhost.exe
4256	Conhost.exe
4256	Conhost.exe
4256	Conhost.exe
3812	72fa596bea9904exeexeexeex.exe
3812	72fa596bea9904exeexeexeex.exe
3812	72fa596bea9904exeexeexeex.exe
3812	72fa596bea9904exeexeexeex.exe
4464	72fa596bea9904exeexeexeex.exe
4464	72fa596bea9904exeexeexeex.exe
4464	72fa596bea9904exeexeexeex.exe
4464	72fa596bea9904exeexeexeex.exe
2724	72fa596bea9904exeexeexeex.exe
2724	72fa596bea9904exeexeexeex.exe
2724	72fa596bea9904exeexeexeex.exe
2724	72fa596bea9904exeexeexeex.exe
3788	72fa596bea9904exeexeexeex.exe
3788	72fa596bea9904exeexeexeex.exe
3788	72fa596bea9904exeexeexeex.exe
3788	72fa596bea9904exeexeexeex.exe
4988	72fa596bea9904exeexeexeex.exe
4988	72fa596bea9904exeexeexeex.exe
4988	72fa596bea9904exeexeexeex.exe
4988	72fa596bea9904exeexeexeex.exe
3352	cmd.exe
3352	cmd.exe
3352	cmd.exe
3352	cmd.exe
4460	72fa596bea9904exeexeexeex.exe
4460	72fa596bea9904exeexeexeex.exe
4460	72fa596bea9904exeexeexeex.exe
4460	72fa596bea9904exeexeexeex.exe
2484	reg.exe
2484	reg.exe
2484	reg.exe
2484	reg.exe
4436	72fa596bea9904exeexeexeex.exe
4436	72fa596bea9904exeexeexeex.exe
4436	72fa596bea9904exeexeexeex.exe
4436	72fa596bea9904exeexeexeex.exe
2112	72fa596bea9904exeexeexeex.exe
2112	72fa596bea9904exeexeexeex.exe
2112	72fa596bea9904exeexeexeex.exe
2112	72fa596bea9904exeexeexeex.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
956	NAwEUEYU.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe
956	NAwEUEYU.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 956	4288	72fa596bea9904exeexeexeex.exe	86
PID 4288 wrote to memory of 956	4288	72fa596bea9904exeexeexeex.exe	86
PID 4288 wrote to memory of 956	4288	72fa596bea9904exeexeexeex.exe	86
PID 4288 wrote to memory of 2032	4288	72fa596bea9904exeexeexeex.exe	87
PID 4288 wrote to memory of 2032	4288	72fa596bea9904exeexeexeex.exe	87
PID 4288 wrote to memory of 2032	4288	72fa596bea9904exeexeexeex.exe	87
PID 4288 wrote to memory of 4984	4288	72fa596bea9904exeexeexeex.exe	88
PID 4288 wrote to memory of 4984	4288	72fa596bea9904exeexeexeex.exe	88
PID 4288 wrote to memory of 4984	4288	72fa596bea9904exeexeexeex.exe	88
PID 4288 wrote to memory of 1368	4288	72fa596bea9904exeexeexeex.exe	90
PID 4288 wrote to memory of 1368	4288	72fa596bea9904exeexeexeex.exe	90
PID 4288 wrote to memory of 1368	4288	72fa596bea9904exeexeexeex.exe	90
PID 4288 wrote to memory of 1324	4288	72fa596bea9904exeexeexeex.exe	96
PID 4288 wrote to memory of 1324	4288	72fa596bea9904exeexeexeex.exe	96
PID 4288 wrote to memory of 1324	4288	72fa596bea9904exeexeexeex.exe	96
PID 4288 wrote to memory of 2804	4288	72fa596bea9904exeexeexeex.exe	92
PID 4288 wrote to memory of 2804	4288	72fa596bea9904exeexeexeex.exe	92
PID 4288 wrote to memory of 2804	4288	72fa596bea9904exeexeexeex.exe	92
PID 4288 wrote to memory of 1116	4288	72fa596bea9904exeexeexeex.exe	94
PID 4288 wrote to memory of 1116	4288	72fa596bea9904exeexeexeex.exe	94
PID 4288 wrote to memory of 1116	4288	72fa596bea9904exeexeexeex.exe	94
PID 4984 wrote to memory of 1200	4984	cmd.exe	98
PID 4984 wrote to memory of 1200	4984	cmd.exe	98
PID 4984 wrote to memory of 1200	4984	cmd.exe	98
PID 1116 wrote to memory of 5080	1116	cmd.exe	100
PID 1116 wrote to memory of 5080	1116	cmd.exe	100
PID 1116 wrote to memory of 5080	1116	cmd.exe	100
PID 1200 wrote to memory of 2868	1200	72fa596bea9904exeexeexeex.exe	101
PID 1200 wrote to memory of 2868	1200	72fa596bea9904exeexeexeex.exe	101
PID 1200 wrote to memory of 2868	1200	72fa596bea9904exeexeexeex.exe	101
PID 1200 wrote to memory of 3168	1200	72fa596bea9904exeexeexeex.exe	108
PID 1200 wrote to memory of 3168	1200	72fa596bea9904exeexeexeex.exe	108
PID 1200 wrote to memory of 3168	1200	72fa596bea9904exeexeexeex.exe	108
PID 1200 wrote to memory of 1320	1200	72fa596bea9904exeexeexeex.exe	107
PID 1200 wrote to memory of 1320	1200	72fa596bea9904exeexeexeex.exe	107
PID 1200 wrote to memory of 1320	1200	72fa596bea9904exeexeexeex.exe	107
PID 1200 wrote to memory of 1160	1200	72fa596bea9904exeexeexeex.exe	106
PID 1200 wrote to memory of 1160	1200	72fa596bea9904exeexeexeex.exe	106
PID 1200 wrote to memory of 1160	1200	72fa596bea9904exeexeexeex.exe	106
PID 1200 wrote to memory of 3936	1200	72fa596bea9904exeexeexeex.exe	102
PID 1200 wrote to memory of 3936	1200	72fa596bea9904exeexeexeex.exe	102
PID 1200 wrote to memory of 3936	1200	72fa596bea9904exeexeexeex.exe	102
PID 2868 wrote to memory of 3964	2868	cmd.exe	111
PID 2868 wrote to memory of 3964	2868	cmd.exe	111
PID 2868 wrote to memory of 3964	2868	cmd.exe	111
PID 3936 wrote to memory of 4604	3936	cmd.exe	112
PID 3936 wrote to memory of 4604	3936	cmd.exe	112
PID 3936 wrote to memory of 4604	3936	cmd.exe	112
PID 3964 wrote to memory of 1276	3964	72fa596bea9904exeexeexeex.exe	113
PID 3964 wrote to memory of 1276	3964	72fa596bea9904exeexeexeex.exe	113
PID 3964 wrote to memory of 1276	3964	72fa596bea9904exeexeexeex.exe	113
PID 3964 wrote to memory of 5024	3964	72fa596bea9904exeexeexeex.exe	115
PID 3964 wrote to memory of 5024	3964	72fa596bea9904exeexeexeex.exe	115
PID 3964 wrote to memory of 5024	3964	72fa596bea9904exeexeexeex.exe	115
PID 3964 wrote to memory of 3792	3964	72fa596bea9904exeexeexeex.exe	118
PID 3964 wrote to memory of 3792	3964	72fa596bea9904exeexeexeex.exe	118
PID 3964 wrote to memory of 3792	3964	72fa596bea9904exeexeexeex.exe	118
PID 3964 wrote to memory of 3780	3964	72fa596bea9904exeexeexeex.exe	117
PID 3964 wrote to memory of 3780	3964	72fa596bea9904exeexeexeex.exe	117
PID 3964 wrote to memory of 3780	3964	72fa596bea9904exeexeexeex.exe	117
PID 3964 wrote to memory of 4424	3964	72fa596bea9904exeexeexeex.exe	116
PID 3964 wrote to memory of 4424	3964	72fa596bea9904exeexeexeex.exe	116
PID 3964 wrote to memory of 4424	3964	72fa596bea9904exeexeexeex.exe	116
PID 1276 wrote to memory of 4772	1276	cmd.exe	177

System policy modification 1 TTPs 8 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\bMUkEAQk\NAwEUEYU.exe
  "C:\Users\Admin\bMUkEAQk\NAwEUEYU.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:956
- C:\ProgramData\lIgUssUM\SyYAoAgU.exe
  "C:\ProgramData\lIgUssUM\SyYAoAgU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
    C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        7⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        8⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        9⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        10⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        11⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        12⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        14⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        16⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        18⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        20⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        22⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        23⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        24⤵
        
        PID:3320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        26⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        27⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        28⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        30⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        32⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        33⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        34⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        35⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        36⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        37⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        38⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        39⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        40⤵
        
        PID:3640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        UAC bypass
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        41⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        42⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        43⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        44⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        45⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        46⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        47⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        48⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        49⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        50⤵
        
        PID:1368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        51⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        52⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        53⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        54⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        55⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        56⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        57⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        58⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        59⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        60⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        61⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        62⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        63⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        64⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        65⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        66⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        67⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        68⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        69⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        70⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        71⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        72⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        73⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        74⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        75⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        76⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        77⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        78⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        79⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        80⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        81⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        82⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        83⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        84⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        85⤵
        Modifies visibility of file extensions in Explorer
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        86⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        87⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        88⤵
        
        PID:2272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        UAC bypass
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        89⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        90⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        91⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        92⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        93⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        94⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        95⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        96⤵
        
        PID:2724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        97⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        98⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        99⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        100⤵
        
        PID:2964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        UAC bypass
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        101⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        102⤵
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        103⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        104⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        105⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        106⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        107⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        108⤵
        
        PID:4420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        109⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        110⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        111⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        112⤵
        
        PID:3912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        UAC bypass
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        113⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        114⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        115⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        117⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        118⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        119⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        120⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        121⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        122⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        123⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        124⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex
        125⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex"
        126⤵
        
        PID:3320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEQMUMUc.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqkAocso.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        124⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:1628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        UAC bypass
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGAkMosI.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        122⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:3052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:3664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCoIoYIA.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        120⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUkAEwAw.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        118⤵
        
        PID:4200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMEocscg.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        116⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:1528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        UAC bypass
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        Modifies registry key
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEIAUoYo.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        114⤵
        
        PID:4052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgoMwMkA.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        112⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:3584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xowkYssg.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        110⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYogkwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        108⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIEYEYoo.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        106⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMcAcUwo.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        104⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQcYcEgY.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        102⤵
        
        PID:3552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwYsMQoc.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        100⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:2172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWkoEgks.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        98⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwYQEUoA.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        96⤵
        
        PID:4008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwwAYQwU.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        94⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        UAC bypass
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:4548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        UAC bypass
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKAggcII.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        92⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYMAIogM.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        90⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESocEcoo.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        88⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGoYoMws.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        86⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies registry key
        
        PID:1928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqAoYwYI.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        84⤵
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        UAC bypass
        
        PID:4644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAsgMEMw.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        82⤵
        
        PID:3820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        UAC bypass
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies registry key
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcQYgcsA.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        80⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEIUIMUY.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        78⤵
        
        PID:4160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEcUYAEc.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        76⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        Modifies visibility of file extensions in Explorer
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuAYMYMg.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        74⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        UAC bypass
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkYYgcUI.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        72⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMUcUUIM.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        70⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        UAC bypass
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROUYYAwo.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        68⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwQMwAYk.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        66⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMwMQYwg.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        64⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        UAC bypass
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKQMMIsA.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        62⤵
        
        PID:2392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qswUIIYs.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        60⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUIQAMsI.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        58⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwYIEccQ.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        56⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:1276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USgIYQAI.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        54⤵
        
        PID:4548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYYosQMU.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        52⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGAssgEo.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        50⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQwEMIIo.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        48⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        UAC bypass
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuAgkYok.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        46⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWwEMYcY.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        44⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:3164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKocQQEA.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        42⤵
        
        PID:3848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeEkgMMg.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        40⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCosQMQA.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        38⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyMUUoso.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        36⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mesIwUYY.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        34⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYgEwEYI.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        32⤵
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUQAgUcs.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        30⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:4892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        UAC bypass
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkkMkkoI.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        28⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEsYQUYA.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        26⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuoEEEkI.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        24⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugEgowAM.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        22⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWokAIYg.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        20⤵
        
        PID:2384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCYkgcos.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        18⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:3312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deIsIkww.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        16⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOAwQoIg.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        14⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKYcogsY.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        12⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMwcgYYg.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        10⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUsEQQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        8⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:876
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCQoEAAI.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
        6⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3624
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:3780
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:3792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqkMYMAk.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4604
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1160
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1320
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:3168
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1368
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xawQAIMc.bat" "C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5080
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:60

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv uGh3OG+LwUyyfHlwg5R5Fw.0.1
1⤵
PID:3352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3912

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
238KB

MD5
d11405efb52686630c8e1b367eca4bcf

SHA1
17bfbc7277073c3c7b365c0090e1f260de99988b

SHA256
29f52e7d0d394d70b975a5193a3eb05d2b9c09cd33344844ec1348744e745c6a

SHA512
21d7fc171ab7ef2114d536618dbad9a87e69d0b19f1c8754f6de39f059326b9eec3c7bc7deff25d94f60fcfc9c958e257fc83bf6fdcbb7986d29a112600a741c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
232KB

MD5
7e3d695379d6ce65e137716efd762547

SHA1
4652bce686a65e2ad63d8306c25eb0f041b03ce2

SHA256
2a4f0fcfec7dcb492add3a8ba14c35472307f051bc797de4a221ed58ff5dd934

SHA512
c24bb4e77affa67d601e3591096114a6b2858f43cae89952f1c321e2769b0b5f6867d6880f5595dbff78c14b8d7a49fe5d4617bff8652226a6c276efcce728f2

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
306KB

MD5
3d0920b86bbe79e86bb131316f37c225

SHA1
6407b10ad782772c845079058da9c43a2065ff07

SHA256
b1742e0f44df3652a47a1a1651011be284cd6daa902a3b3345579907c3e0a0c2

SHA512
116c589e1a731e8850a4e772bdb65a92d909222df148f47c4aa9a2a706b30123e99715ab0838bf8d8b531dc5d9da5ca8495055f03fc01cce2b737a43d3886926

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
219KB

MD5
b24810720eee02290433b1e36a3f7b6b

SHA1
3d37a8c6536b06b1379484c3e8874b7a4af6d302

SHA256
5496d4c1b3d14db1c0aed6ceddae79d07fc0158f56012a9d805d9024640a648e

SHA512
129d13020cb4d6baff0328a07ec59adeb8f02c44b31a40d39c8da2e7b0d7eee915f5e77ea07d90df7e2584cff9aff9bf97350e924fe4447afe83f87cb7e262eb

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

Filesize
182KB

MD5
8d21fb417cda61e48fdfba155eea6b0a

SHA1
ca73b0ec154c17b0fc9853ba379d010a462517db

SHA256
ff2dadd37a15ccc1e6a0e323eb317abbc1dfd3d4f741b6147db5c2a87993b4ef

SHA512
bf746fcd8ee4dc5cb2cf1232da3d8f923c5120ee29f7082916c3b361d29cb22095f0b110b56e04ae032a179721bad8c12499830db79dc28600607bb868538892

Download Submit
C:\ProgramData\lIgUssUM\SyYAoAgU.exe

Filesize
199KB

MD5
1c651b5afad7bda57afacd5164a2eb9c

SHA1
1e9c72282127ec1f133f9d96da6061ac605b7e4d

SHA256
dbeb0e5df055df415bd831218f5b07ad30925c4b2850face23b7c800e8c5f1e4

SHA512
5b789e53bb86adad48044e2c10003b73d540c00d52193029ac328a4a162a11e8ee6fcb6221e434be9253d7040bffb600e7578222d24bdfe53b66aaa3a704f49f

Download Submit
C:\ProgramData\lIgUssUM\SyYAoAgU.exe

Filesize
199KB

MD5
1c651b5afad7bda57afacd5164a2eb9c

SHA1
1e9c72282127ec1f133f9d96da6061ac605b7e4d

SHA256
dbeb0e5df055df415bd831218f5b07ad30925c4b2850face23b7c800e8c5f1e4

SHA512
5b789e53bb86adad48044e2c10003b73d540c00d52193029ac328a4a162a11e8ee6fcb6221e434be9253d7040bffb600e7578222d24bdfe53b66aaa3a704f49f

Download Submit
C:\ProgramData\lIgUssUM\SyYAoAgU.inf

Filesize
4B

MD5
cb544a23ef08a0f5ec8e9311aed84a3d

SHA1
8a6d255dc4d3f19a1cca5f0ea4a4336b9e69dd6a

SHA256
a74e8fde2bba28eb411727c1a6f082b33190cc0413ead0a4185f6becde973e3b

SHA512
ccf9ddb90e79c41477c74243010efc083d59d975a4309c978a844d8a0abe06c9f3cfc2bd1908638db2acc3160be764d1c1640789b206cd50232e38bf868e195f

Download Submit
C:\ProgramData\lIgUssUM\SyYAoAgU.inf

Filesize
4B

MD5
a2761730189d8e343de9933a973cf1b6

SHA1
7c6c69a3c88388d329755faab48cdacdd5bf161c

SHA256
2c5dc083aa2766f3a4bb6c3fa206ef217d15343ecffa4f6dd5a744715b324d0b

SHA512
2ccb57a8bcee5d76360ff563692d618520b26e7aa2e64f73e21590ce8d19bac34e6a9700823e1993fd7a89f956ec24d08e22ed7de7676e389785dd077925686a

Download Submit
C:\ProgramData\lIgUssUM\SyYAoAgU.inf

Filesize
4B

MD5
9db07cebd736c710810b26d17c39f48f

SHA1
24b0991df003bb7e134b0e5573c4458dbc4cc2fc

SHA256
4d1d1a0cb08c5ad81611afc7c5c05ea00142adf306723cd74f4436febe7ac81f

SHA512
d6d7d704eadf83ba84db424ba1300cb06f9a8991329ba9cec79d3262c7b61046ced046b3cfa61308acc5fc52f08e25d0432773a1fa0fd1c9d8f46462178128a6

Download Submit
C:\ProgramData\lIgUssUM\SyYAoAgU.inf

Filesize
4B

MD5
1941079a2de9c1f5f868987fc9508b90

SHA1
f15c37e07252eaa21f37799dce3daa5277a703cd

SHA256
d84bc74552188196f766c28c9916d979e235943964cf868da25c55d05ee06e6a

SHA512
d0ef366c712a55b6a29c57f00cd05e3c51069e6afa71c2c93d62576f1d85ebad78889347014fdbe7154a8cb11a17cbc471e8bece0b9094e1cbf6838ed846a127

Download Submit
C:\ProgramData\lIgUssUM\SyYAoAgU.inf

Filesize
4B

MD5
06e55be79bdd6da03ba9df1b230b9d21

SHA1
66fcc44cc6f2b2257b836bfa5ea4f862d95540c0

SHA256
5b89a2b30f87911b965c971f548d1cb5d2c2e05aec90b2a33241f1c740f92e90

SHA512
06b02da14c0a76b4702a828746c2d5bd96bc73d1b8586f9414510adc8adace7fef5cded35b47f1aaef6ee8b4c223e7281f2a98219ee55e3f71a0bd5edcdbcb05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

Filesize
196KB

MD5
b42982e1baea8e220d9ed51638ce0346

SHA1
6b8df81d3df6c94affcb368ea79604aefc90a8af

SHA256
22e8140b7123e265a9593b97583e521d880d2ac60977a2309ed21801545ce52e

SHA512
90433b8b3a911fcd748e75f93cf4e6cc0cc1d4789e6ea9f9aa644f28f1517846edfb9b8ab493809487546308956781c0eb2609582eb1c2bff7b90008d2d19662

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

Filesize
191KB

MD5
2cfdc493a6770d5746c7556c270aff3f

SHA1
364b2ee6022148cc2b4eb3a56bfa14d47fa5403d

SHA256
d40c6ec70c4f5394129552f9a1f6ece8879e90508f00b669d635c2f45eee7847

SHA512
3d6e2bccc68473c3275eca2720a4fcdecec0144c17cc3a546ec1c594555f67a1dbf6a4bee878309ca9e9190c6c9cd3aaa1c03c6e612ad965c1836c749036f366

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

Filesize
194KB

MD5
c9e977361ba5a5be4519ddc7a271110d

SHA1
2c300d8a35c7e7ad98c0aa887e09a77277613f85

SHA256
de1379b1b9fb7098c45b5795ad1de564f6990544da38855ac4562e25a516a5e5

SHA512
9d4dbfda4af26c0579f56b664ba73aa3f1e4db9f799ed05a33514c22f0f434d5d764738d0e5f2ace5eb6c721c28cb34b2a1a40bf2b629238d5cdc63abb198bea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

Filesize
188KB

MD5
1f118607643cc82c579c833d982f80cc

SHA1
49d087b8742216d413932cf65e96ae5970b8c7ce

SHA256
ed4e292a3e4fe5e0449c166e35fd85acc4afc87bd6eed0b4cec991aff6149596

SHA512
cd47b251fd0d724f3429c6b892d0a471a7e72775a6685dad3d567bd3c650d721d9e5b70b47b6f91f62d370650b8d0d8ae1a15ec1204992e6518e1ac20453adbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

Filesize
201KB

MD5
ddbce421b3cea858a40360834361e722

SHA1
400ef908aaf5486d2a91b436fd7bc23da9e457f6

SHA256
3f4089f8fdaa8cf08aa7193ee74472e2569a80527e29362705b4a1960ada4260

SHA512
79cbfac715cf94e287dd0d8e1db07e713570807226f09ef299db65816ee0b2842822a60750142e9a12c009b6d719b9a6c06eb0608c47a0538c52705bc9417586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
194KB

MD5
4365e86c85d31b63a4dc7dd352d9b36a

SHA1
8fbfb27ca8371025391e5c8270d49fc5e819bdd3

SHA256
2ffbc04ffdf0ede574436e40c3e7c33bdb3d53cbab6e71bce3a711a7a1b7c8b5

SHA512
20eb85ba7916c914e305636011a46c3cd447d40de940b0147e34b59329cbf43efe281b24659e53277d3489cca9e803f33133fedf7813b929af0cfdae4d1dfd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
193KB

MD5
d196b4565c26bfcc17257f0396458b2b

SHA1
5856da350232c01f7d6ee260ee6aae8e99327838

SHA256
ad36bb10a8376d4cd71a2088cee312a50ec62c147c6ec8ea0b1b61a521085b5e

SHA512
07796291281bf4d1efdb05f32081da768a4ff95759a313f1307b2891e84fd48ceb451ad9bbe8106e88c67afc79fa777c29106945912b76ccd97b02487349f6d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
196KB

MD5
e83f824465f608c83ee7971024ed0442

SHA1
14382aae4f29e07d015ff17910308dc87ebc1c74

SHA256
f32d98e0210a5bd398a67185ad526d4d29943e0ba32e64ed910c46eea5284ec9

SHA512
25f62aa9b940f609128667211eb9276fe76037607098d0c8135bcee41182cfef2ccc1a0d379f81b6163330ff7233132468c2c29341cf31ee953d28ea0e7eb867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
188KB

MD5
1e077335ff75770e8808fe2b9765019e

SHA1
059074c7cdc6e538d5c401bb1f08f9376921bdf4

SHA256
57eb3e2c8a52eaf9616dbc2898816d19b17c696b35359756ec4a2df68727c5e5

SHA512
9f1c2c659e8c218acde3a02cf38b494e48d3755702dd0f3016d75b5c9585527a4e4d74a9e8a5f47c529910280e7716bafe9b1a4c346d19a7c8c22c8350e105a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
206KB

MD5
349fbdd381917d564b1bc7020be4fad4

SHA1
264effc5ff28c3b644d831814f8f602cd4e63dcb

SHA256
bf73ba594bf16ddb4cd229e847aa810c4104879911cbca68b41e48eb642cc59b

SHA512
205d40ffc2676f2b5ff6fcac4b5d732ba4e7e121cd09d561e4b6dfff634f8257d1962f84d5cf81b5ecd0a7e57248fb873a7cbff4f0c4072c725405ecb8200749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
193KB

MD5
b5dc5d7ef7e816a94b2d34e76facbec9

SHA1
2dc453ad3529c9f858c7fefe3b9de9b321dbe489

SHA256
4251b963ca2843c4ad023dba26cb7108e8c0cc3ef9bbde835cbc9eed03290139

SHA512
922f246f9d81e3dcfdb33f6d940de1ed9d954ba5975cf1825831fc7aba96190da9400fd301a1d87670a3f1fda5666ec85e764d3cd35a6e557a862d4d8601b1c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
197KB

MD5
b21e75b9a994dd816994970e6753e28b

SHA1
d35e14a44d922feb841e682e1b2684b7dc4fffb0

SHA256
212f319f2aa8fc3571aa90c8b3aa7368ef03252a7459711c8200f93429b64ec5

SHA512
55696807fd467b1a83eaf426c0309ca181733fabe6fc5d04bfac4f708419d7a808d91138c2af8b5033c8521e84f0e053b1d0280f5136e000e22c12c96f9eed88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.8MB

MD5
b8bbf2639778a34b8911bc09d1d728c7

SHA1
33744a06edcecda0452dbf4db580247afe49512f

SHA256
5cc2fd47246ce79ceeb4225458f838bfe9c3c1d090e61c3ddd8c3566274aecdb

SHA512
06e2fd400a57bf843e1df57dc37531d0c2e73f172096f8fdde8bdfec15157c9498691b50d4e4da288c05489a754116c2f3f0fed4b7dcb30cce07b0df55792687

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

Filesize
195KB

MD5
f7e7081263405d2e3d7da05925b6fece

SHA1
a730da9451d8b5d4d5056aa0d08699d581a5594b

SHA256
461627599dd9e0c1b0a60a2c95418ff208eb59a0fbad8d311e1bbad7b59aeba3

SHA512
7bd1a5decc781b5448f861c77f91caab35b9628778e16267750a80f172cbe52b78fe99c76d4e5d58e7ce4032cd6cf717a4b9f272e42d2d1d9a4ffb356110b734

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

Filesize
201KB

MD5
acc42a96a446b1fba6fa4dbe6489636e

SHA1
801db50b2eed1c5ca988474265e40b397f7f2746

SHA256
89f1e6259ba1ff4184bdce8cbae151f73c1df7aa4f674dd06155a7754412ebca

SHA512
4240e9a468243586e54a88d3c563edb38cb40ba28d91a4f407e49c443b0044f06cc0bb81d270fc80a355bcb6ef8d06ad56351d2b83bced7b7331f094156379fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72fa596bea9904exeexeexeex

Filesize
10KB

MD5
9586106e578a263cf24f4878b2f98851

SHA1
d1773a2fbcccadfd6b79f521759416eb691c8b66

SHA256
db223d088b0b41ea77614ec7fbfcde1132f68b2e1c3e40c7c1871a541df625ac

SHA512
ff7749b0b8b498fa0b9636fa8ceff17bd707939890d399c9c58045868e0ed7040bf915cd7bd8466a3834c7b4968fcbef9565b7b592ed84a6e9a2eeaf1c951e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIUC.exe

Filesize
185KB

MD5
f851659c74a750259c68d475fd3a2704

SHA1
a55f851d99aa33fcc9f58d8726ed2d9a20578ecb

SHA256
07e9ef73746d01e3094a6bca717756765903e7d2cdd4f23210036767e86bf0bc

SHA512
9142890edf660ce06469b2056845488fa86e0dc6a2ceb2a50708710768ef59f8266440be6d247d9c418a9a90218b0c9c0bd9311842a30eab81833fe142e0bfcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQkc.exe

Filesize
833KB

MD5
56c3113b497efa75bdd2a63ed857270e

SHA1
9026ce23e23a0b289375c562442390b768f777f7

SHA256
33dfc299b2d6f116116395fc85e6558687c3a516ae1a1087ca5a56b512b9a9f8

SHA512
ee70b05c408f1359ada29daff372a39d85741f5323eff4d99733f7c9721cd9e74eabbe8b4695e97a1ced7ea77e139ee99119381da22c6cfe6f56bcae881721df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aoso.exe

Filesize
209KB

MD5
0f38ae7d287585f1594f42661f6072db

SHA1
c8257a3b83e5e0e297570edb74ae14f7d76e846f

SHA256
98aad0173f3113f6cf93c155d41fb9b38cca333b00ff61a3eb1a7719487d3eaf

SHA512
4689a2be727174894ee0e75d676cb631092d649c8fb9c7fe60da8453aa8be40079d6a1e5e098eacbd59a37891e443d1059937c6aae84ff77b794dfccc9134a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAoS.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCQoEAAI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCQoEAAI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEwm.exe

Filesize
643KB

MD5
bef4cbf0fcc6285ed563a1d450f31b6d

SHA1
70faf7a4ce85038fffcdce97b4622ad231713e94

SHA256
1176c319fd5d434cb639e1bd367a21c0863184ca2323650b6745648090c573b8

SHA512
f5783c219c36dd5021d234a0766242f9bbb06e77f53642ff527b90966d7633ed42a1a43e32238acd43ee42a8c9993599b049d28c3e096e7dc66c9068f83c5fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYca.exe

Filesize
5.9MB

MD5
bb62f8cf3c9e2fd0bb4abd64a5c16e40

SHA1
7421070630095b52df88143ce50d06d2ed5785e5

SHA256
6e61efa78b336d145c3d63b123440e14bf0a589128fa9320bdb6206625b26a3b

SHA512
6b247c3e6a19bd7cc3fd24cca2c7d13ca0e46c84828aae02dc4980bbc421ff9ac0c37bce0a3759200e5d87b32987191d3cbf767ad477a861426b342498adb439

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsMa.exe

Filesize
199KB

MD5
1c31cac0cb3ff9d8ac0569657a3ec854

SHA1
289750aec3e90c2a91b177e1ab7295ccb2a527af

SHA256
ab5db6ea462924cea9e1519dbc5af10c213098ed60180dd76d0f568c6378162a

SHA512
2c55e62eef7778b02347a39c66a4821c8afafedd6873e12f3eff5e3bb7630ecd04f7678f4166f31170ab836a62717309d83a045047fc545305c29c48662ba42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYcC.exe

Filesize
5.2MB

MD5
6c196a3a7ba808deb28aeac69c36959f

SHA1
2f87405cb62eace229e589373d7ff1f61a186eee

SHA256
dc00773d4696929ab67946cf593f53256a9709a48cd8baf19d9cf7a56248eab7

SHA512
2b8b2d398717d200bbabac8dc8477fc8b9cbd5b6355cdd5aa38e85076950eb02c32fecdb09158c910d03ba6539424ba80b45141beb2a21535e2b47bb8986a59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dkwq.exe

Filesize
241KB

MD5
d5cebb5722d88b645e1ccd7981ab3c55

SHA1
8ea3354dcf3e7e3cd3003adc91783eb765349309

SHA256
db323f0e004923e9bb920e9883a6331c3693aa667a675fc0420fb7394610f4f7

SHA512
298580b1cb7053ae10fa360035d6918b489036092fcef37b9f5f551ef6a6ff5323ae7e40ec46559a8c3daa8f0bebbb44accd7bdbe80d170d70643b0110886aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwUu.exe

Filesize
640KB

MD5
863285de4a946eabe58ee6e089becfa9

SHA1
261ef024921d80128adcc12bbb5c482217d0d2fd

SHA256
36023b9316a52672e12058d6f444fab6b23379d0684eb3ffc2e65961286a3feb

SHA512
d7001b52e69c22c2c10549d6e730e59435b61a1e6d139cc6a58ec175f53c814c2205310067b7425484b8007e7041f48fefaf0ad567518ecfa75e7ae86dde7e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOAwQoIg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMwq.exe

Filesize
189KB

MD5
7321c296ae7dd1354ea77787f5ff50e1

SHA1
d3c2a15a8ac07b0fc38913520af96ab345c21ddd

SHA256
6a6affb783c8944a4c9f4926b62deff4a365e66823ef7e79c98d9d38c89a8a2c

SHA512
b848c96d8d3d6546225b0b92f9324a8f816ca138ecd0bbaaf574322ffcab2daaf559e778e759db3085aedcd56a6513988cfd45048c7cb896cf44b402ef336a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUUg.exe

Filesize
773KB

MD5
134a49fc2094b7bb466cdcac20539044

SHA1
90ef9510f0086de16c47addf2f00acd4bab5c427

SHA256
a81cff11c8682107a322c468c8b3a279226d3d5e4750ba017c3119c074c38ffa

SHA512
6545d31ab5478cffcc0bcffa4059b1dfb79d543a7e6d87fac003f3921208f77f5d2821b528d422f8f14c8fe1819cb7089a58535290fa689ed1d4198f5466e394

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYgI.exe

Filesize
202KB

MD5
c5a2d768d875dabdc4fecd1e2ffee414

SHA1
4db1f0e40bfa7199f2398ff620a1f27914501af6

SHA256
e6887fb37b7b2bf1b8bbd558868c8c78cd1782bf9b1579a8e3ccde0965712e20

SHA512
b18a95e2f13f568fd32305f9911c6ab8deb9150b649174747047911483ca51d26ee06cd584d0f1e92e0a55ac64bae79a4e5ce1c3c27bd544309005864c56c4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIgC.exe

Filesize
800KB

MD5
8f45f850ebffeb277b3a69a87d605ce2

SHA1
14d379beddf161e8490fda3b39777379b83ffee3

SHA256
d97435430f73514439baaa3c512cdb965628b587fe8368067aba23312d86a0b6

SHA512
3d996fb73a7e0c4ee8ba66ed029cf9780b26ae57b1fe3117a3052dce4d3d982aa187552328b8e825900392f811450615ce83a362d96a406ad88bcf6cd51f6d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYgEwEYI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwcK.exe

Filesize
206KB

MD5
e03ec72c95636aa37d79d047f18d7953

SHA1
3af75cb338d7839ef9d1bd779caa04408ce56263

SHA256
6d660845a440c5799f91caaf3d6b68637f1b7e89235a20db67bdafcb7a3e3d29

SHA512
7b0ea3d0144dd2ac9705291c64ef3ea0b16e4a0f69fc6d1cc075faef1e707ab2559f61b1e29ad2b1bbb7c92039d9e2d0ef2c1cfb8d465e09e94490275ec75bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMwcgYYg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgAe.exe

Filesize
333KB

MD5
175af809603db12ebde4b110ba4dcbcb

SHA1
b416d9f7f816dabda23f1edc7d0677d6976cb450

SHA256
90498eebcc64320b138d8d3890915b61fa1bfeebd18f60ea154e0b4deedecdde

SHA512
acb748cc10f1eb43681c35093fb514f79f002c925a8235c04f04a290ddae40f73f7d07a12a0653b7d7189086a51cc5136ea90c875adebae71c45d08afc4b0b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsAu.exe

Filesize
198KB

MD5
a7f131b83e14452a7eda148da66b42fc

SHA1
80cf0607f6bc310e7dc6cfaf4446b0cd78e64141

SHA256
ec7bb2ad6fc4750f932cb3743e10440816d43db429425d4eab9b31276b0289d4

SHA512
4208d582a1f456ecfa1bbac5f4f904aa7838ad7753def039c77dc35be8ce76aeb80ac8ae79809b466a010c64e460f1cefae41fbcc9344db3fc0372767bb87dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwYQ.exe

Filesize
189KB

MD5
f5c9a567fb304dbb1b759e5b9316ba25

SHA1
ca449a1cd2b4f0af8cc9dc6062ae04534d59f32f

SHA256
5286bdafd8968db1521bcd264ffe9c287c997f64349c0b8c6f1b48785e00650b

SHA512
63e83100a8280cbf78a0eed5c44d5fb107e6e99b9f8fa057037993044a19ed9080be07b615a41a8e2b2a2778de58d531bf5a073fccab0ef2178b4045a3af9a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAIM.exe

Filesize
191KB

MD5
7923c22deac9579f8ff06d57f3e5ce20

SHA1
aa97008ac814fc366fa66722ca465e0ed0266d45

SHA256
491f1b4808d8f1f78fa67c25d153a9f5e1e74cabc86b8961426050eb1bd22062

SHA512
1a1cfd06bee8ac5e372f8637e1675f093d32964b9afa92a108677e622617445572ec2d00e8de5d243d9f5c7b2917746746bb01f26df517e7fd21c73c6ee5b0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAsa.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEUK.exe

Filesize
186KB

MD5
ee1696e8f939eb0aa4ded2c27e5d2aab

SHA1
6c0fc850ae2f2b9f99fad587f935c5bc031c3fab

SHA256
a6ed52e41aa0eb2c36078d1b334854bfac8d1cb58cda7f955d7c5e66ee6310a8

SHA512
6ac3fe236fdef9523549e9ad56b0973817922a8ada087d62b6904c4ec1f90c30fe4d77fae3c91f41fcdd0dfa7609372e06e07b82a541bedec2bcdf46cc37cd1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgIG.exe

Filesize
563KB

MD5
9562cba9fac4295ae8ba43c56282bc2f

SHA1
578ba7a61769b4a5f08eeeb5c073a237365a11aa

SHA256
29b24c42e8c832da0d1b4db00ba4974cb61f7648fb7888bfdea71bc926755bb2

SHA512
fb81c99eb2b3c8bfc84597743f6708a15a9b16357ff25ceaa949ec6e0bbc5b9fe2d34dd304db82f3f0da3cf1aea60289e2183fd1cc6f9b6a67c4dcfa55f7c770

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAEc.exe

Filesize
186KB

MD5
26c5fc410654487c71d812986c2ea2f2

SHA1
4039b7b504ca43330900fdb1d74c9b6230da1f5f

SHA256
c901e623f06c188468f8ff643c962e50a0c079e2eb23bd892fe3b880f1b8dd41

SHA512
f72cf17aafe7855ccd84aa18ce5d8ea97fd7bc557a16c83dde07c68c6aabf28251618de9be52acf54abe47588cd623b05531811c3397406796c41b12aee42a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAgc.exe

Filesize
192KB

MD5
9ca654b0a7075558808ebb6a952f1073

SHA1
0b7e4bc6bbc505caf9dd118a40e3706e925f2b7c

SHA256
64c4145df57fdad4a0c2d822cdc05a9d277760e1c8e2c7678dbf7fa8c57e62d1

SHA512
8e5db172221d53e3c0e24163eac48e3262088ed7f36feec7e24844e69fd64ea5bd3f16e9820e1fdd55cf63000387a2fcd32139dbe401fbbc4e791eed40ce892b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OowI.exe

Filesize
180KB

MD5
55a28ce21cb175ee95a7ba3622a0c894

SHA1
ddfb76a8a7dd24e53f73ef99d9afacaed5d45d32

SHA256
2f7e598477636b19cbfeef64fa2067e1585d007b5122ec09ad851e10b9bfa722

SHA512
98073304862aa78b61f2b2ba0adaccece15d0a339c4c11fd44f088b448fe350565e4a557e47f9f78f0af78510143414483605206d1ffd20fc2aa5a44179d7cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAki.exe

Filesize
182KB

MD5
72e847cd7e80b4c6b165eb5e55f69dcc

SHA1
0593a6302e2dac95bd2e7a0687e04e0349e8c414

SHA256
f5b1bbe77a9f360900a9f0f9502f33e61fa0dffa82ab7a4fe32869b42b64415b

SHA512
f8701f13d8f8902698dc36574c3b3566786c134d7bcaed1e72b79a8733711e9e74505c85259500760d53e815a15b13e88ee1fd6c2ec4fafb12b3f12447654bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEoU.exe

Filesize
637KB

MD5
12565c08c4a8452840a1c2a408c545ef

SHA1
c3efb693e20d272865c1c0eafed520aed204d89a

SHA256
784662a67c1f99f81d9fb46f3b2771143897ac5952c076bb2111d2c6555b8460

SHA512
d57c6055dea4878d9ced5e9a95e7253c9c4cadbdc38fcd36fc47064e912ba9def3b4cf7ce5827fab85b9994d713feb182774b8a979c9efab0b54b9e51f35bdc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcIM.exe

Filesize
190KB

MD5
407589ddd9caf22ecee56cb4c8da2fc0

SHA1
7cac5dd4518ae87d59cd01d24c3bff8f48defac2

SHA256
da53d1da14397b5ad26877aaf3668cb9a23f983f071cdf202939e874a987c58f

SHA512
18154a9524a63fdd2d704d488041986e53cca353b83b8cb145e013374929c74485696c78a2b93f7d80fb27708abbc4822d234ea9f087892393f462ae56689946

Download Submit
C:\Users\Admin\AppData\Local\Temp\REgU.exe

Filesize
195KB

MD5
b9a2884455b5f288216094612c47b4ec

SHA1
fdb98fc8d22c94e6b370791979fad3bfef98eaf3

SHA256
830a6f4d0be0d95ceb185b835f9b8c5eca13c1f5266bca5fe54d22957bddf532

SHA512
c57cd31ac0e970b0d659501818550fb2396efee430669f2e4775bbcd75f6c584ceab179ab3bab0f908ce3d456f25053b6dfb5a503dc3c967a4ef08a41b7df409

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIYu.exe

Filesize
400KB

MD5
8cb1c451638889fcb666f4efdf5aa81b

SHA1
17bbae5e655c40d043049c4359a0a41a4272d066

SHA256
5a91e3e77ea8a7d6e0c1806780702f9e6533e23c171764ce7d66a9bbce130e3c

SHA512
c8b2df895f092ad23c0968469eab37627801c8dae398a074cf3780e02cdb1a3122552f51d5ea57726c7cf6f5720d9a342c0f4b76f31a0774d0bf7718eeb17918

Download Submit
C:\Users\Admin\AppData\Local\Temp\RcQm.exe

Filesize
198KB

MD5
51f94601a564300feddddd5786579af3

SHA1
d869ec8044b21a13ba56dfe9efe89aee52ac0e98

SHA256
17421871c3d3ea4d6a79ebdb51c967e09fa47a79bf5547ba8ab4b9839ab4cb07

SHA512
3ecf1d14ba8608d3fe3984bab5c33c1b8d6065b4fe372e56d477833e8939e6928ddb145091e906fbcba85f3c65b4f8b4dc143e6e0cc0c9538a1f96ba0955259d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKYcogsY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUUw.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\VuoEEEkI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wcce.exe

Filesize
708KB

MD5
7ed356a35d38b42c0b2c748bbf1a50bf

SHA1
8c1aa66ca4fa8ae60a46f2114fadb210186f6c08

SHA256
eec287446c14846c236451a64990c33b7184511b0cfb2af09e1f9a69e86b81e6

SHA512
01cc27fd569588961504c31b258737b5ab518ff65e6ab3ce03203c72005cbd1760996fba6df479436f71e14c89eb0fb4e5fbe346344bdd44a68f2f447d051c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMAW.exe

Filesize
232KB

MD5
e408f08e87ee4c43f7fcaaff15e1adcf

SHA1
23641e82afcdabc5f6db303d56bf5a32a601425e

SHA256
729d218a7ee03a24e9b57d5e41f2119fbfd367124ce2b9ddd6562d60bac36dd1

SHA512
d64bac5f6b147247b2e7c4a880ee036badaa0d94b1b3c1d945a9665620d35c375e3188214fec49617d2502c1db003e319e485b183cf327d9a0cb2521ae2f8e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIEk.exe

Filesize
654KB

MD5
0e960f85757bfefba876e0e5eb6c556a

SHA1
e8813a8896da3ed2870bc58ca5b241108cfe6d69

SHA256
a4490d3e1f3ae217495c57f45215963f400345cadf8ce9eb64483cb68d0160c3

SHA512
668cd2ab681e2857f13dbbf947e55847dcfe397fa188fbc2b525ca38c7a6c77a74cf9f38623a0c54addcff9152cb08c12e76e53c840bf329aa86457b9b54c23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUIq.exe

Filesize
202KB

MD5
068bd87a5a758d88370ac658691453e4

SHA1
2330cbee578b82546534fa7bafb087da839682ce

SHA256
f8e7d18f9701eebab33f5cca237667bcfcf0380b182424e86653b90e16d0e3a4

SHA512
8ff4cd85c282c0023ebd47ea4f6c7a69c237085c2cf2625a6feeb8ae53e6da6a7897b797fd31c23f9d2a97c56fce7a660e19f2e9b0123e5888d7bc97b222f466

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkMK.exe

Filesize
607KB

MD5
baec6aed43c89f9239af7404f69645c8

SHA1
1a5abc570d77dfc2d5ba1819569fe23d72fa1297

SHA256
d943bced109fe4a684a3ce34f2e6caab99ee8ac73fef26cd586fb86de250691b

SHA512
961a0f308e8f514ec7178f030705948d1ff759a09ac239e1193ebf22c731221096c7a716c26deea47ffe702445741e37a0e3d406a07d87dd5ad45083f68358ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoAe.exe

Filesize
517KB

MD5
5fbb13fc2893363f3bbcbe8f386fc8a4

SHA1
5aa7966f0a927d9bd7c79cd74f56c363c92fc3c2

SHA256
f3b5c97a7abf021f4d6601c3e838ba13e5708630bae4995a2f665309d63b860d

SHA512
a28e2eb621072b0a162bae842979b472cca89dc105e0a9432fec1fdd7b81647de74e5bd6c4923923958df22cbd1949b8e1e798787b8f31e65ff8c5e0148d472e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YscC.exe

Filesize
196KB

MD5
9f6a1d61af80f0afb4829223485d883d

SHA1
e3ed462b71cbc077363301dda33215ee76daddb5

SHA256
412f39590607627148e5bcff61e225b1dba7833ea064b2bd19dcb36432c42c3f

SHA512
f9cc150a9ee24c208b0336429fae454eb052ee390783cdab6f35335bffa07488bc20ad02926af0344f955a6783bba3607c4eda101475c3c4f167d67047ad63c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAMI.exe

Filesize
436KB

MD5
5c92123f37e6bb6dfe7fbcb073868e58

SHA1
f10a246722da0f91bb6538782ad5d8a674c6cfe5

SHA256
7b09849920de95957fe4fa819303fecf703a52aa88ffe601e7c646af66b2b791

SHA512
0a410d9550f4fbbed8410bb42a348cfcd1e91864b36f8987fbc99b3abfa7c531e5822d81cebca8dde6aba06d026cd9176cf2ad29a5a906e88c83e61b4311f07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQMA.exe

Filesize
310KB

MD5
26da7243a9ff6b7ce7373da8807a26ab

SHA1
5323ec6e9ed51d5585959c0cbbcd3b730e20cfaf

SHA256
cf5bd0aa477c01dda194320b902b233ed8e906a8fb08a274cacc1192879e697e

SHA512
d42f2356abf3912c28cebd094a306d0ce8293d742162e208aca9abec0d73f7c5537e30cd47ae262fb5d103d596917704deb21501174a2a29e9aa563fc8b55381

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAMu.exe

Filesize
644KB

MD5
d216b26bfff3d90574d287382285e679

SHA1
b85dedd797f24c6e4e947f6a98b780f21bf43b54

SHA256
b1df60b54df4252de598a016eb024f57c6c1d7cc821ee3007a031817e18f109f

SHA512
c10fb917b01e52bf230713d84409a59522604ddeb283b90e35307824be350df840b2f38cd8d9935c01f352a52a4698e0b275a7aa6e8268ea59c5d0f07a742aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIAc.exe

Filesize
231KB

MD5
d147eb2ea4001e4ae4c99f4ee840d8be

SHA1
f8976d27d410a11c432c4b94639cff87649fe638

SHA256
70d906b72bd161669692a8d24697d622655abcea6ed46bec03ef144e25b6bc12

SHA512
19aeb7fd36dd4228928dc156ef92cd16b0669b6b515268518d25ed7cf682a328ccb2b07aeb91915972d9b9b72fac6dc5f316e28bf001652dc4a2df06681d9d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMgy.exe

Filesize
202KB

MD5
0391b557436b9d2004574c60c927b520

SHA1
95f98fd521f7285a27713735836db36cba904158

SHA256
cc28d6c41e335a5248652f7f754817f84e5e0cb2aaa03aa884187b1996eb58ce

SHA512
bfa9ce3dad9a5577cce24ff008eaff412f188acd496edd756ea8296f6fbf9dac5993446691b92e490b5a2c80bb707aa22ba86335f08ef81cd12166899d576c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUsEQQUQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEoa.exe

Filesize
648KB

MD5
73762342535d06c8102c453465f68ae0

SHA1
5e761f3f94c0e9eecc5a92d8d1b52b378601b0d5

SHA256
44b35b7e9abc788a72f471ce6135fe30877a3dc6459985c012052b26859aff01

SHA512
27f0e52186ff63271d9ffb13c6110556880f16e86c06eacd9555290c54dcce8bc955caa48b4a2e9380d7de56005b588c487932fd751db5a0d244e3f72e1a3d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUgs.exe

Filesize
212KB

MD5
9490913efc19db0d0a2d3099c8d94081

SHA1
6ba6495fd9231b57f7e5836c8d71b585e895ff83

SHA256
809134672d0b1f57807cfece28b65532ea63778d31edb72718a674f79f6a7b98

SHA512
7f5235d56147ba54464494cbb96c630219825a6282dffb5376c75c6d1ac231a5c3106ef76564988c0e3614abd94ff66e523a31307ffff1407f5aff5698f0b2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccEa.exe

Filesize
200KB

MD5
c005dc6443ad0da72b08fd77da694305

SHA1
1533d82efabc66637af6de477c6c94c848c51053

SHA256
90c3ca6ea4d0d9eecc6d88e2f6c6ced5f7b98a99f8c5c2c94f521cfec1b44355

SHA512
218cfca7b089ea04d6ee763e10a65f905acea7578442c0263e849b651cc9a9f9e675e4eca32f28fcfb89e0b78066a151056e310e9dcf21c6d723319f5e298ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEse.exe

Filesize
188KB

MD5
ba594c545de393a49e13b471e8c5752e

SHA1
555271aad347f6bf23a1f297880c26e9f181f03d

SHA256
73f19b3df2ac74a32196e774afcb5f369df2195ddf2c247dd58ecaae5b2373e8

SHA512
4871adf55195da594904981404f11c9a9ee71e722021d65b074a3bfda7b4c748fbe9a699bcc2330333411a8dac2058343be29ac0a6ba96ad62f9166c4b6ac6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dMMa.exe

Filesize
208KB

MD5
6fda8901b7857e46b3b8cabdd824bfb3

SHA1
6d5fefade000e11b2c3653b32d2d519e06089281

SHA256
69d25fa3ca052fbe146bc4dedc6af90903ed80def1d5d92b79eb1a3b48b97b4b

SHA512
cec801367fcb30886cefd1a027aa307130fff7ad5f19e81edfec8b5931b19020bdec22144183cf3a3a7fcc520ca35d9219714b70d7edf98462c24b9e1cae820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\deIsIkww.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYkS.exe

Filesize
188KB

MD5
cc9f7f2dad570c6ea086734bb54a9512

SHA1
be1a8014e6b6b8fbe21be3b0d0fb494017900cbf

SHA256
147821e4ab9f90d8c606868d366b4190e894f5fa6dd8ff1f37217e5f15ffd188

SHA512
7cc781d4d2b84041d74cb42077386f549770183b03d9e02dbdce2c5b756064a454f5000e6bdf8762c4e8c4ec999e14c4c5b2798ccec6a8a756eade806ee51ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEsYQUYA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIkY.exe

Filesize
237KB

MD5
b51d18a8c070c5052cefc4253c28896a

SHA1
307a4952dd0acfe779533483a97a957df62c5064

SHA256
7398aa7855e6e9ef9dbfe33db8030cf613acd484da25dd4944f7e07e96317b61

SHA512
20d3547474d1bd12423b1d5bde5ab16d3fcc9a17409d32034a510b769a722998632fd9fae04fea28f0d701c70bb5ec98214260aefce3194169443ff3f182e16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqkMYMAk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgAy.exe

Filesize
197KB

MD5
75a7ecfbd8d2b72a39c212e8c1c2a013

SHA1
019e4e381038d70a23a1c0ece308e6c58e5d965d

SHA256
90bd473225764980371ee127aee8f95f80fd921f78e750204cb766d93d353c42

SHA512
6fd6656c9673d4fab64349f54394c1612e42a08c45a22697cf5885bedbc0c41a46f982910ebbd9e2ed3d4d4bb1e1b5f425646a7d4749f8cc918d2f7743b7bb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkcE.exe

Filesize
207KB

MD5
3a259f5ed49b8b7853f224f6c424a575

SHA1
1575393899b90d0608a456ee2ae1562c1e3a6195

SHA256
ada7c85830af3853aa6a68dc03aef12de4287f9b2ee4845530734a781cfc4241

SHA512
5162a91131e460a807236d2819b1454561adf9d94caf42e6fbf1b3c29182ecac5c3e7e94c2fe239ad7b27e2c765e9205cfb4776169033548eef49260aaa0146d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEgA.exe

Filesize
184KB

MD5
df7df5e03b8405364670b0120d36b6f9

SHA1
6c6a8cab8a94d29cd91a424b7a9d16238e35f08b

SHA256
ca65a6f3e18672a102556bf8f3010988c629b0b0b7ba964e1b6bb9355237b88e

SHA512
4949fd8d30080c82625c06049bbe1debf69cda2955d8605fb64ca6443746430634d79a5c12e05c72647c556831051976be9418d6a2705dde2040199cef8f87ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAca.exe

Filesize
197KB

MD5
e141ace6789d6c8f777b8641adf73b98

SHA1
5881fe3ae21e0384f5e96b76e2ab66565e1e4493

SHA256
152cb5b2fe4c3f48bd1a4c7021dd31136fad2e0811674cc1f0ff0aeed6dfa128

SHA512
03e5150e8b93ada2b8a5038e1d85d12cc7cbd238734159d8b670a369e3d41b4169cb7c636dad297feac280355da6f89cbbfdcdf7b515e369ab79235941f3a564

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEsm.exe

Filesize
774KB

MD5
d608b16acdfa71c880c24ccf0891946a

SHA1
e634a57232471863cc78a52bb40efa769b3901b1

SHA256
6283dfee22b445d94ecfee8209f193985fb1758557774284330712b9f189ab03

SHA512
fdfc13b1437ce266798d99434df340529960a41119ff4f6edaad13d05aa8ecf60e1f6af037306a928d17d3b18d40ae2199bfcb148e1428d885edbe06a78f96f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mesIwUYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscM.exe

Filesize
224KB

MD5
f9f19745b56e9c242a65c947468243e6

SHA1
28cf638ec626060ae6e6fef1295b5a07e5c11380

SHA256
16f977f474a626a4567e0376ac5adb34b4998f2be3775d1a9a810489b8a184ca

SHA512
3d43fdebece885e4e994ac0fe230143807c5e26e1b911e00a5770aa9079cc14e5c6370639ec3184f85380699df83c0748c22a5537c0407a877e4553a5c2cb106

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEkS.exe

Filesize
792KB

MD5
232f2e7864659783f73e0362edd5bf7d

SHA1
135ecdd6d538fe4c77b3e6f9ba985b7c23f2d892

SHA256
c989844280c9d3addcdc6c61bc4ca476ea8c9de04decd8559461cdfe70ac2758

SHA512
7828416d828ffa377369b77273cca5aa9b342daa98669a5981b4230dd425662cfcbb5d4a061facce9b109d04b5d51bf3c27f6a030996e45618e19e630a222ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUQAgUcs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAIO.exe

Filesize
187KB

MD5
5a05a5ab63d8dab5bd3891a4d1721573

SHA1
553b2f70ec8007f8ef6be50c9bc0818ddde992a7

SHA256
af00e689111fbbddd6aae0397d9f80c96c4cb1f10abb99d94d915121de82d2a3

SHA512
dbfab12dd83c71a7e87d1bc47d0ddd92eef2ab46ed46d6f1e1bca1b1ec6b0491002a7df3f5c1fbcd9189eabd71f2516622067c0b4ae893505a7361b7b153e170

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUIQ.exe

Filesize
189KB

MD5
f20ac59ede61697fbedac378bb9c434f

SHA1
1872a739f48370267132daec35a52b4a242a08fa

SHA256
d2bf6ae43428ccbe9b662ef8363923b11cd69be015c41f1962cc25c8e7bc9dfe

SHA512
ceb1f0d3d8a8834c9beccb41e7a970f82f267015292cfb7ca2218b7ac58fe1153ac65713902787354a955e017a83dd1635ac8b384716600ef5400408af0a3301

Download Submit
C:\Users\Admin\AppData\Local\Temp\pIEa.exe

Filesize
216KB

MD5
75b9ad1acbd5fe1da1904d1e1f3c735f

SHA1
e478dcba4240e135d45628e7069fd40856e10d02

SHA256
b9cfc256358c0d4832922101d7cbaff1aadf68ef2d5bdcfaf756b8629b56c96c

SHA512
7a0e2748ad0e6d3f8badff7586de0be44137591dc0c16bde848147bf38d18109927e3cc76a9e7a3ffc659f2ced1dabf43730b890c38c80a0fa55e0e7126edf6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQcE.exe

Filesize
218KB

MD5
a274533105ddaefa4b71270bc79fcc8e

SHA1
bd38ca75c24161d2efaf7d5bfaec6337eaa01394

SHA256
b9d313222c3d50464ebfb0b833c933667845f12406418ff6e081446759d3eef8

SHA512
0065a7c5d679296fc23a724463869c2a2ac3e0e7f40954885526291c3b4d8845cacc3af8b3474b1056c6b113c27f5127e9c4e1307c4cdea01522adae690d4dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkoU.exe

Filesize
203KB

MD5
0d6298f7dc4e85d39a75b5656b1b33d2

SHA1
f9ca7163eb22d3cd053295a8210a8cfd3ec3a808

SHA256
535f812c77fd249644da91e0d3d83db63bd56989d142d0da9174c680ec972ca5

SHA512
7e13e7ed3c771b8253af01319b105e662fea0a790f6fa23ec867461e1d04dd7db29e85c2e28209c847306fed4091f9bf62c34946672c6760054d40e490faaeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIcA.exe

Filesize
488KB

MD5
ef640aed1a3ea277c71dc95deabe9e36

SHA1
58e14527fb6b2006da6484cb462fb99dd6e6016f

SHA256
a76262814b5088441d5a4b135387aec22c4ab9c82a76cb05269c7cabc3f41785

SHA512
4d67fe807b63adbcf5b1d4ebbf4073130603114bd30edf1514f2472991540c1f2622fea3db8387e7a8676e976287e6099ee1848803fc1ab2c3bcaf3643c3d388

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkIK.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAEu.exe

Filesize
393KB

MD5
501defc768141b42d1434e9d24c24d9a

SHA1
e8623c293117d6ad1cc78ba7d1b0efb0a3c946b4

SHA256
1ae6d15fe8987a5243a1679d0124b91b0f6245ee57c9c265058f97565bf9976e

SHA512
03af968c5c587a515d6942d5b52463295b6847a7b483865a900398464e300f1ce4735fc094d1bd9877f29f139023ff1fa0343279445de7850b4cb85d08f65bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgAI.exe

Filesize
784KB

MD5
b5b244369ef9e19ad6819020004edd4a

SHA1
1175d214e7199babe9c474f620fd5c721229ca28

SHA256
87e6e87ac82386c2334397d4c4455fe566b302beb63514bc6ce9ad35b5f9657e

SHA512
246c41180330728742f2ae8f207822e9b58872078eaf4989b519668f1b3e0b7b2ab83657e7a4146e92b8362ee26500a973d252f26796ba5a4ec2d2da84fa65af

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgMA.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\skAu.exe

Filesize
183KB

MD5
5362c4d18e6fdbf2bcee98e757940799

SHA1
479aeaeadc59493d11bb96455b63e379e77a4be3

SHA256
8bc41d6bcfd256787323e4781a88691b6b0026f39b9498671325178bd9743364

SHA512
bb63edb2ea180099665c836bdf8eb8592c60c23ad8d7c723a89fc1817ee1206e3c6e8759c162c6804ee7d04f0e4fd9eeb7edc780e9bfb4b5e60a7da225dc3525

Download Submit
C:\Users\Admin\AppData\Local\Temp\skQk.exe

Filesize
197KB

MD5
a2723c4c02af4687cd922fa8bebcdd28

SHA1
af8b22eb5d1bf3456c61b9322ff867c3ba07399f

SHA256
9b5f2fce7b91473a6c0a0ed9b864d853329518d4677a97b1c95df18661db398a

SHA512
0c46a18be899900a5db8de3a3e46a698679255ceaa04256e347430542eecd4b81e731f453447d4d90afe2461852c84dcf85d6e4ef45a29dcec1c6073c0e63d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\sswM.exe

Filesize
192KB

MD5
94e9563ce162562ef87dbf71728efd9d

SHA1
e8ee6ceafc8099e69a099cea9f1563b3a06673ca

SHA256
a04da982f2a5e7df13334420150482d643db40c86802305640aad1ed4e9f835e

SHA512
3f46ffba167167ae6c4344d41d7443a15892d3abb2dc7c9ac19a2dca67ed94eb17b764a60c1f7418a0dc3e7ffdd8d0b3d8e3f04dfee3ae4dbd7eac525940baf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEwm.exe

Filesize
325KB

MD5
94dd3b15844e36795f46d5bef9e139c7

SHA1
ece6a3f2a87eb41d7b334702527d46e9cc707cc4

SHA256
d5e89b10b0b67f95d56990f51cb25c19ada322b4b435c4fafb27061b8375993a

SHA512
6fc7630768d0896a268e706b1fa866ee24d4bf72a59a44ac35bb1ef0ee2e15b6c889037409322f8cd666d2e0b4c1dbc6fc9459f629258bae2275f8dbc2218cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQou.exe

Filesize
814KB

MD5
a5e1adea00892c69352d772e2792643f

SHA1
c48525ab08a9c8c3b695f8ed326ddb632562d83b

SHA256
bb008230486551fd44bb78544c6f62147a3cbb47b6b73946ac460b096a63e336

SHA512
c6c7194c3b2c1fedcb50ec87462ccc1f86b73c4403f68a4a4f8f59bd6d0cc556daf747dfe31235ca05ab9c12fdc78ebdef50e1507999d9e23cd6b32ca61dc0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsYO.exe

Filesize
202KB

MD5
8ad055f7494ef229d4a003c7c7b1b06c

SHA1
f27725c8fa61b0ed5281054251a231dda469c68d

SHA256
117b9e798afa650fd8f65227e7391ff3ae7b52c98773d4dc00c6d61b3e7ab558

SHA512
607e50ef084e543657bd60833d52f1fd3a802418d1c95373666e98e2f2f9540ec4db2977c1154ffedcb5c7da127601834e7863156188c71b80f3fbe94de263b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMcu.exe

Filesize
191KB

MD5
94408eba30b9e3d68f0821772c32bb49

SHA1
13fe9adee43713ca85c316fe867fa4b0972b5079

SHA256
d5d7773076a80279ba91560fe1c165fc040979e728f66f6816050fb8089c2a7c

SHA512
4863e04bede7258ea0db2cdf968a9d40db9440cdb79d1435271ec4ee4a4a35b7aba8e74d1ede6d7e98aae7f482f0e2df56d3eed235db1e6d8cf77f1c516fbb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucgK.exe

Filesize
204KB

MD5
09895a0d88a814f5f3687228b6c09331

SHA1
657e10daf0423477d7f2f83537e1281ffb2d2cb3

SHA256
b1320630f6201a6d8de69b91a1142c679ecf82b1efb0ed4fbd785cd92c96a86f

SHA512
253932b67a4d8b8fdb70ac9e491821aeb5a8578663c1e9130138cd8d6b88b0efebfe89d6509e801dedd65eeff07fb9efcb1ac64f0c075f21cc6d1ac264310ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugEgowAM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uskS.exe

Filesize
201KB

MD5
7e949996d4119a8c1a7fbfde1aa149ce

SHA1
ebc85235019d6391a8e1a1c512e29861051ea075

SHA256
56fcf4c43ee57ee0cfcb3d1264186d83da9701bce5744d5ca30c4df7615bef20

SHA512
2f4d464e6e9805a401af44a76e18935408aa9d6988c8c9c526d9022bae10466adb96331b45eaa8fe05817a664f4dad903bc0185f28ab600af2b55d1e3b0423af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkkMkkoI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsAc.exe

Filesize
687KB

MD5
42884cc3725b03740883d25bd4d837d2

SHA1
a8a0094b7e070f016062e9afee283f2d812b3f03

SHA256
49d619fb321224ced04dfcc5d61fee0cabad0b46d90c4b04ebf8e4f3fbfadf83

SHA512
d75cf786865ff8a096a2e5fe15a5cfb581c0b8ec5108b1fdd7e7bd1d1e1858913e1f5c2528eece9d08b4891e36ff57015e22f774822e3f907011b6bd226dca40

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQUi.exe

Filesize
205KB

MD5
1c6b88383f71f4db3df1f3bcfc5e3ae9

SHA1
b4420dffcd139fc79a39e812d9998a56ca30a70c

SHA256
4169774f12dfce8d54788a91e16ca58c26fc82778760e9ae47b3a0a6b62715b3

SHA512
4c980a218e41205ce204aa12c90831e49355043acdefef3ad0695379682d1b4f0053f459d8b5b78fb4f0b34e765b6c552b9a63a3edb405a2d9f09cee27a2b35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xWokAIYg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xawQAIMc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgME.exe

Filesize
318KB

MD5
0a613f00bcebffbc4085c72a3ee74f0b

SHA1
2fd701b2f19d8c3d5395e9bb2c3ee942d7a0ce38

SHA256
a472f4f984c79b1c22851c518c30a9a45f44e6eed964845931193fb2ceda5a4f

SHA512
487d260bec0d931e536a1d6f44c0ed2a7531b9ffb574ad3ab6662a9f841c717d905dd23ea791fcc872eae84460f1903957b30102cb36615dc087ea0799307176

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgsQ.exe

Filesize
972KB

MD5
ec7157151694535d5d7ef97b8fb363b0

SHA1
4a39892cf6b4fd8a9bd6c984994798c9da93037f

SHA256
7089f1d67e8cb6fe936a5009de3eadbb87a3327423e369da977d15166eb99d8b

SHA512
4dc338d21dbf3b9464f603a574f902b2d516675df237d00c0f5af69592553e1a21e17f91767fb7e69a79e86cb6ffe05be312529fe41cd015d0eb3a4ef3e54598

Download Submit
C:\Users\Admin\AppData\Local\Temp\yCYkgcos.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\Documents\WaitUninstall.pdf.exe

Filesize
927KB

MD5
c9928726e5d9ca203f0a2cc117bb7e1b

SHA1
3cab3839bb789c277c766644596abb036ab55b14

SHA256
1cd2fa86a10ac2986aeaa4a25edbe132ee23907bc668bb22cc8c0e6e66386347

SHA512
bbded19abb2169a6725c72b2109755f93b0a1a095130f46c17f17a9ae74f3b050e53d7b0e6026c59ad03692eb57d717f812d5be9f741be9048d46416dd3503c0

Download Submit
C:\Users\Admin\Downloads\ConvertFromStop.mpg.exe

Filesize
1.0MB

MD5
f5cfc79283ce035d0dffd3adf68dd5e1

SHA1
9da6ca545c8c1c03d0e4c8e5384a55e6ccade8c2

SHA256
b22b343e4ff03d1a826ed41f80476a701e50d8eb2b47e1a74819bd0c60e206c5

SHA512
6fe7c5c7164b1d743cfc405ded439a388584ec8faa0a468b91f0bfcc917b7006bf5c286864e16d2750d43089fb271ad743fef71fcd69413d3916ccec25738616

Download Submit
C:\Users\Admin\Downloads\HideBlock.wma.exe

Filesize
544KB

MD5
3602b64a0694af16dd02658bfdc976fd

SHA1
c5c45350740b3136ab0a5985df748f120a30b8f9

SHA256
0f22e0f1a0bd676386a3c08a8b1c465e43e7e54a537ed6d3b5cec86cfbd59c14

SHA512
f603f471b99eea992873236f10facfa7986eb47828f52434fb22a35bacf70c358e4139933cd888eb1c0631d3d356f6f2c665b300dd1225e8fccefafd6b96078d

Download Submit
C:\Users\Admin\Music\ProtectResume.pdf.exe

Filesize
1.0MB

MD5
c93c9438134ecd4108a96a5cd29490b9

SHA1
34b4b358e48c06bd428c1b598cd6234db190cbae

SHA256
e6dda37021e36884a0006739134ac501f7bb75fd9df875cb96a20d8320377524

SHA512
3553aa21701239470f6253808b048a3925d1a71d9b0f4d390248b7e1e5043040814336a3fad9d6ed4452f725ebd9d40b51dfc563bbab2dbed494be06af14bcc1

Download Submit
C:\Users\Admin\Music\SetSwitch.gif.exe

Filesize
688KB

MD5
34ef545a67536c78806ff8a4c223abad

SHA1
57737221bf542d201d5f63de25d78a1853275464

SHA256
99a7b92672b153e2f6c3b639cca8797f084180c7ffa0bd695b907b4e25842779

SHA512
1be61868273e84b127a32d55e5cd010cdb27f3cf5bd16525322a79a49fb0701728bcaf6f69b16eaa41cec0e76ff027bda44dfe1c26714e693832fbdaaa24d361

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
218KB

MD5
1600eb40ec51e636835a30c6ba97e711

SHA1
f4c57d20b873482a739237d5154e8e9f082d1aa6

SHA256
c65c642dbdc876be72a483977dcf941490da3bf9a1a76aa0154962b5b63962b3

SHA512
5ea5eff7a03dd5685790297ac9bddf228f45e103093c90952741a10f8c6d93c835046b167a8963f15d4a754deeebc1cd6ff32d5bcbb6b02fde48d59ae48f52ed

Download Submit
C:\Users\Admin\Pictures\TraceApprove.jpg.exe

Filesize
468KB

MD5
867b29000efad69637025833a8ecfe4e

SHA1
2f936adf3525f3c7a86344b0c7357a9d0048af98

SHA256
b6538776545fdac2923523b5abd6bb90b0ce41c7e42b7ec8622eb0e87d7bc9ee

SHA512
c1f6992ab2db289d89303e28e3fab0b0b1d0254edbc6580e583f8223e1ac9b4e9519fcad43f68c32df2b3bb475f1640e1481b2d7f2aef171be0cfdbdaff1b28d

Download Submit
C:\Users\Admin\bMUkEAQk\NAwEUEYU.exe

Filesize
200KB

MD5
be4ab1991cf92f7c95692b457039c742

SHA1
56a95192c83452269160da2ce92881605bce033c

SHA256
54534e6e5f215ab52af704dd151a5b679c6f8a956c8d1e755cfa1f80ae90166e

SHA512
cc4b1f4bb26acb77d64f2356711354e2fac45be65897291712cb2e7b25fdaf6cd2af487c61973f8853116ad2be319890d0158eb94a2b2ebd2ff054d107ec7c5b

Download Submit
C:\Users\Admin\bMUkEAQk\NAwEUEYU.exe

Filesize
200KB

MD5
be4ab1991cf92f7c95692b457039c742

SHA1
56a95192c83452269160da2ce92881605bce033c

SHA256
54534e6e5f215ab52af704dd151a5b679c6f8a956c8d1e755cfa1f80ae90166e

SHA512
cc4b1f4bb26acb77d64f2356711354e2fac45be65897291712cb2e7b25fdaf6cd2af487c61973f8853116ad2be319890d0158eb94a2b2ebd2ff054d107ec7c5b

Download Submit
C:\Users\Admin\bMUkEAQk\NAwEUEYU.inf

Filesize
4B

MD5
a2761730189d8e343de9933a973cf1b6

SHA1
7c6c69a3c88388d329755faab48cdacdd5bf161c

SHA256
2c5dc083aa2766f3a4bb6c3fa206ef217d15343ecffa4f6dd5a744715b324d0b

SHA512
2ccb57a8bcee5d76360ff563692d618520b26e7aa2e64f73e21590ce8d19bac34e6a9700823e1993fd7a89f956ec24d08e22ed7de7676e389785dd077925686a

Download Submit
C:\Users\Admin\bMUkEAQk\NAwEUEYU.inf

Filesize
4B

MD5
9db07cebd736c710810b26d17c39f48f

SHA1
24b0991df003bb7e134b0e5573c4458dbc4cc2fc

SHA256
4d1d1a0cb08c5ad81611afc7c5c05ea00142adf306723cd74f4436febe7ac81f

SHA512
d6d7d704eadf83ba84db424ba1300cb06f9a8991329ba9cec79d3262c7b61046ced046b3cfa61308acc5fc52f08e25d0432773a1fa0fd1c9d8f46462178128a6

Download Submit
C:\Users\Admin\bMUkEAQk\NAwEUEYU.inf

Filesize
4B

MD5
1941079a2de9c1f5f868987fc9508b90

SHA1
f15c37e07252eaa21f37799dce3daa5277a703cd

SHA256
d84bc74552188196f766c28c9916d979e235943964cf868da25c55d05ee06e6a

SHA512
d0ef366c712a55b6a29c57f00cd05e3c51069e6afa71c2c93d62576f1d85ebad78889347014fdbe7154a8cb11a17cbc471e8bece0b9094e1cbf6838ed846a127

Download Submit
C:\Users\Admin\bMUkEAQk\NAwEUEYU.inf

Filesize
4B

MD5
06e55be79bdd6da03ba9df1b230b9d21

SHA1
66fcc44cc6f2b2257b836bfa5ea4f862d95540c0

SHA256
5b89a2b30f87911b965c971f548d1cb5d2c2e05aec90b2a33241f1c740f92e90

SHA512
06b02da14c0a76b4702a828746c2d5bd96bc73d1b8586f9414510adc8adace7fef5cded35b47f1aaef6ee8b4c223e7281f2a98219ee55e3f71a0bd5edcdbcb05

Download Submit
C:\Users\Admin\bMUkEAQk\NAwEUEYU.inf

Filesize
4B

MD5
c2590748212e3ae5aec94b35a78712e3

SHA1
27d81621a0a8e2195ea2255ac543840529bc44c9

SHA256
ea64eccd7c8981117d78986e5e7209bffd20040ed6fe009edeea86fcc05d7448

SHA512
d3e371abe7b4cce33545de6ec7c21ea6766db04ef056098e678abea49e19f111b4d837c1d845578bc9c22926fb2c01f8db5d3cb7c74a32c1f576d9ec9ba1ddca

Download Submit
memory/376-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/892-616-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/892-623-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/956-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-649-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-646-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-604-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-596-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-614-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download