d51005566d6f266222b5a045a6501ae14a08c025289f9d35b84ac78075dc627b

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23/07/2023, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NA_NA_2d34622b6cb901exeexe_JC.exe
Size

188KB
MD5

2d34622b6cb901fb6d8e7962013fa7ce
SHA1

dbd00f27701b7562c35f95c9406fcfb2478c5689
SHA256

d51005566d6f266222b5a045a6501ae14a08c025289f9d35b84ac78075dc627b
SHA512

fd2de669d44c4fd9bb87ca7a82131cc4881b0eb42f2b69d433aafa6d013da6412e95835ba19e0921d9f72ce88804be7337cac87938003b5fa85083ba550818c5
SSDEEP

3072:sZ5Hia/55Kj67/rTnpv6tmWipWGcxK28r9KXvwFQVu1tJe0LchFD9O:25Ca2m7/fnpyCI0G2QsBIhFDM

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NA_NA_2d34622b6cb901exeexe_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NA_NA_2d34622b6cb901exeexe_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NA_NA_2d34622b6cb901exeexe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NA_NA_2d34622b6cb901exeexe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NA_NA_2d34622b6cb901exeexe_JC.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\International\Geo\Nation	DWgEAQUs.exe

Executes dropped EXE 2 IoCs

pid	Process
1604	vewMYckw.exe
1832	DWgEAQUs.exe

Loads dropped DLL 20 IoCs

pid	Process
2148	NA_NA_2d34622b6cb901exeexe_JC.exe
2148	NA_NA_2d34622b6cb901exeexe_JC.exe
2148	NA_NA_2d34622b6cb901exeexe_JC.exe
2148	NA_NA_2d34622b6cb901exeexe_JC.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\vewMYckw.exe = "C:\\Users\\Admin\\PcIgcwoo\\vewMYckw.exe"	vewMYckw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DWgEAQUs.exe = "C:\\ProgramData\\zKEEQswk\\DWgEAQUs.exe"	DWgEAQUs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\vewMYckw.exe = "C:\\Users\\Admin\\PcIgcwoo\\vewMYckw.exe"	NA_NA_2d34622b6cb901exeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DWgEAQUs.exe = "C:\\ProgramData\\zKEEQswk\\DWgEAQUs.exe"	NA_NA_2d34622b6cb901exeexe_JC.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NA_NA_2d34622b6cb901exeexe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NA_NA_2d34622b6cb901exeexe_JC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NA_NA_2d34622b6cb901exeexe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NA_NA_2d34622b6cb901exeexe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NA_NA_2d34622b6cb901exeexe_JC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NA_NA_2d34622b6cb901exeexe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2788	reg.exe
1172	reg.exe
3024	reg.exe
1296	reg.exe
2528	reg.exe
2772	reg.exe
2008	reg.exe
580	reg.exe
1592	reg.exe
2460	reg.exe
2976	reg.exe
1244	reg.exe
3060	reg.exe
1924	reg.exe
948	reg.exe
2836	reg.exe
2876	reg.exe
2856	reg.exe
1588	reg.exe
3004	reg.exe
2820	reg.exe
1496	reg.exe
2440	reg.exe
2120	reg.exe
2720	reg.exe
1172	reg.exe
1140	reg.exe
2840	reg.exe
1768	reg.exe
2920	reg.exe
268	reg.exe
1448	reg.exe
1272	reg.exe
2564	reg.exe
1572	reg.exe
1648	reg.exe
2908	reg.exe
2080	reg.exe
3040	reg.exe
2440	reg.exe
1008	reg.exe
1804	reg.exe
3048	reg.exe
2132	reg.exe
2192	reg.exe
2240	reg.exe
2372	reg.exe
2268	reg.exe
888	reg.exe
2872	reg.exe
752	reg.exe
2756	reg.exe
472	reg.exe
1848	reg.exe
2784	reg.exe
2144	reg.exe
1520	reg.exe
1916	reg.exe
2600	reg.exe
1520	reg.exe
1572	reg.exe
2132	reg.exe
2236	reg.exe
748	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2148	NA_NA_2d34622b6cb901exeexe_JC.exe
2148	NA_NA_2d34622b6cb901exeexe_JC.exe
2892	NA_NA_2d34622b6cb901exeexe_JC.exe
2892	NA_NA_2d34622b6cb901exeexe_JC.exe
1624	NA_NA_2d34622b6cb901exeexe_JC.exe
1624	NA_NA_2d34622b6cb901exeexe_JC.exe
1772	NA_NA_2d34622b6cb901exeexe_JC.exe
1772	NA_NA_2d34622b6cb901exeexe_JC.exe
1936	NA_NA_2d34622b6cb901exeexe_JC.exe
1936	NA_NA_2d34622b6cb901exeexe_JC.exe
868	NA_NA_2d34622b6cb901exeexe_JC.exe
868	NA_NA_2d34622b6cb901exeexe_JC.exe
1612	cscript.exe
1612	cscript.exe
2768	NA_NA_2d34622b6cb901exeexe_JC.exe
2768	NA_NA_2d34622b6cb901exeexe_JC.exe
856	NA_NA_2d34622b6cb901exeexe_JC.exe
856	NA_NA_2d34622b6cb901exeexe_JC.exe
2908	Process not Found
2908	Process not Found
1772	NA_NA_2d34622b6cb901exeexe_JC.exe
1772	NA_NA_2d34622b6cb901exeexe_JC.exe
3068	conhost.exe
3068	conhost.exe
788	NA_NA_2d34622b6cb901exeexe_JC.exe
788	NA_NA_2d34622b6cb901exeexe_JC.exe
484	NA_NA_2d34622b6cb901exeexe_JC.exe
484	NA_NA_2d34622b6cb901exeexe_JC.exe
2960	NA_NA_2d34622b6cb901exeexe_JC.exe
2960	NA_NA_2d34622b6cb901exeexe_JC.exe
1636	NA_NA_2d34622b6cb901exeexe_JC.exe
1636	NA_NA_2d34622b6cb901exeexe_JC.exe
624	NA_NA_2d34622b6cb901exeexe_JC.exe
624	NA_NA_2d34622b6cb901exeexe_JC.exe
768	conhost.exe
768	conhost.exe
1976	NA_NA_2d34622b6cb901exeexe_JC.exe
1976	NA_NA_2d34622b6cb901exeexe_JC.exe
2936	reg.exe
2936	reg.exe
1784	reg.exe
1784	reg.exe
300	conhost.exe
300	conhost.exe
2164	conhost.exe
2164	conhost.exe
1532	reg.exe
1532	reg.exe
2728	NA_NA_2d34622b6cb901exeexe_JC.exe
2728	NA_NA_2d34622b6cb901exeexe_JC.exe
1992	cscript.exe
1992	cscript.exe
1848	cmd.exe
1848	cmd.exe
1692	cmd.exe
1692	cmd.exe
2272	NA_NA_2d34622b6cb901exeexe_JC.exe
2272	NA_NA_2d34622b6cb901exeexe_JC.exe
1792	conhost.exe
1792	conhost.exe
2504	cscript.exe
2504	cscript.exe
2772	reg.exe
2772	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1832	DWgEAQUs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe
1832	DWgEAQUs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 1604	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	28
PID 2148 wrote to memory of 1604	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	28
PID 2148 wrote to memory of 1604	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	28
PID 2148 wrote to memory of 1604	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	28
PID 2148 wrote to memory of 1832	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	29
PID 2148 wrote to memory of 1832	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	29
PID 2148 wrote to memory of 1832	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	29
PID 2148 wrote to memory of 1832	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	29
PID 2148 wrote to memory of 2840	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	30
PID 2148 wrote to memory of 2840	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	30
PID 2148 wrote to memory of 2840	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	30
PID 2148 wrote to memory of 2840	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	30
PID 2840 wrote to memory of 2892	2840	cmd.exe	33
PID 2840 wrote to memory of 2892	2840	cmd.exe	33
PID 2840 wrote to memory of 2892	2840	cmd.exe	33
PID 2840 wrote to memory of 2892	2840	cmd.exe	33
PID 2148 wrote to memory of 2772	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	32
PID 2148 wrote to memory of 2772	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	32
PID 2148 wrote to memory of 2772	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	32
PID 2148 wrote to memory of 2772	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	32
PID 2148 wrote to memory of 2156	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	35
PID 2148 wrote to memory of 2156	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	35
PID 2148 wrote to memory of 2156	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	35
PID 2148 wrote to memory of 2156	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	35
PID 2148 wrote to memory of 2704	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	36
PID 2148 wrote to memory of 2704	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	36
PID 2148 wrote to memory of 2704	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	36
PID 2148 wrote to memory of 2704	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	36
PID 2148 wrote to memory of 2700	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	40
PID 2148 wrote to memory of 2700	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	40
PID 2148 wrote to memory of 2700	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	40
PID 2148 wrote to memory of 2700	2148	NA_NA_2d34622b6cb901exeexe_JC.exe	40
PID 2700 wrote to memory of 2204	2700	cmd.exe	41
PID 2700 wrote to memory of 2204	2700	cmd.exe	41
PID 2700 wrote to memory of 2204	2700	cmd.exe	41
PID 2700 wrote to memory of 2204	2700	cmd.exe	41
PID 2892 wrote to memory of 1672	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	42
PID 2892 wrote to memory of 1672	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	42
PID 2892 wrote to memory of 1672	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	42
PID 2892 wrote to memory of 1672	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	42
PID 1672 wrote to memory of 1624	1672	cmd.exe	44
PID 1672 wrote to memory of 1624	1672	cmd.exe	44
PID 1672 wrote to memory of 1624	1672	cmd.exe	44
PID 1672 wrote to memory of 1624	1672	cmd.exe	44
PID 2892 wrote to memory of 800	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	45
PID 2892 wrote to memory of 800	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	45
PID 2892 wrote to memory of 800	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	45
PID 2892 wrote to memory of 800	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	45
PID 2892 wrote to memory of 1652	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	46
PID 2892 wrote to memory of 1652	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	46
PID 2892 wrote to memory of 1652	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	46
PID 2892 wrote to memory of 1652	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	46
PID 2892 wrote to memory of 2976	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	48
PID 2892 wrote to memory of 2976	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	48
PID 2892 wrote to memory of 2976	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	48
PID 2892 wrote to memory of 2976	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	48
PID 2892 wrote to memory of 2688	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	50
PID 2892 wrote to memory of 2688	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	50
PID 2892 wrote to memory of 2688	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	50
PID 2892 wrote to memory of 2688	2892	NA_NA_2d34622b6cb901exeexe_JC.exe	50
PID 2688 wrote to memory of 2736	2688	cmd.exe	53
PID 2688 wrote to memory of 2736	2688	cmd.exe	53
PID 2688 wrote to memory of 2736	2688	cmd.exe	53
PID 2688 wrote to memory of 2736	2688	cmd.exe	53

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NA_NA_2d34622b6cb901exeexe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NA_NA_2d34622b6cb901exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NA_NA_2d34622b6cb901exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NA_NA_2d34622b6cb901exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NA_NA_2d34622b6cb901exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NA_NA_2d34622b6cb901exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\PcIgcwoo\vewMYckw.exe
  "C:\Users\Admin\PcIgcwoo\vewMYckw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1604
- C:\ProgramData\zKEEQswk\DWgEAQUs.exe
  "C:\ProgramData\zKEEQswk\DWgEAQUs.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
    C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        6⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        7⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        8⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        10⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        12⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        13⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        14⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        16⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        18⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        19⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        20⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        22⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        23⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        24⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        26⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        28⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        30⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        32⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        34⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        35⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        36⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        38⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        39⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        40⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        41⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        42⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        43⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        44⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        45⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        46⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        47⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        48⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        50⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        51⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        52⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        53⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        54⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        55⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        56⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        58⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        59⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        60⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        61⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        62⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        63⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        64⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        65⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        66⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        67⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        68⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        69⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        70⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        71⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        72⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        73⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        74⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        75⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        76⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        77⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        78⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        79⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        80⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        81⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        82⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        83⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        84⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        85⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        86⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        87⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        88⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        89⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        90⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        91⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        92⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        93⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        94⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        95⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        96⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        97⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        98⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        99⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        100⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        101⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        102⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        103⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        104⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        105⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        106⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        107⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        108⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        109⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        110⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        111⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        112⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        113⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        114⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        115⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        116⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        117⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        118⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        119⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        120⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        121⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        122⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        123⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        124⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        125⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        126⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        127⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        128⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        129⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        130⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        131⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        132⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        133⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        134⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        135⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        136⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        137⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        138⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        139⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        140⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        141⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        142⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        143⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        144⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        145⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        146⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        147⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        148⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        149⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        150⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        151⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        152⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        153⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        154⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        155⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        156⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        157⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        158⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        159⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        160⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        161⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        162⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        163⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        164⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        165⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        166⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        167⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        168⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        169⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        170⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        171⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        172⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        173⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        174⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        175⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        176⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        177⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        178⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        179⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies registry key
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tiokgUgc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        180⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies registry key
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        Modifies registry key
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ryEUkUEY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        178⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKIAEssU.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        176⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sOsYAwko.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        174⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kGwAcswY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        172⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        Modifies registry key
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yqAsYEsM.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        170⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        169⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        170⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CkMIkkgk.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iywMIMQw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        166⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BoosoAEU.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        164⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\joQEoYIE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        162⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IiUkscQI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        160⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        Modifies registry key
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AucwkoQI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        158⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        UAC bypass
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies registry key
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        UAC bypass
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lesgcQwo.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        156⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwMwgIIU.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        154⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        Modifies registry key
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmUwkoQE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        152⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LiEgUggg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        150⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FwcQQUMk.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        148⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        147⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYIAgoEg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWoQcUwI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        146⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wogIsgUw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        144⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        Modifies registry key
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pMkocMwM.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        142⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies registry key
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lKMEsYwI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        140⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MSIgEsAo.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        138⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        Modifies registry key
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOcQkQYk.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        136⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NmcEEggg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        134⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AMAUwQEs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        132⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        Modifies registry key
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MOkIoUws.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        130⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KMQkcUIs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        128⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UAIcAAIk.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        126⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tWYMQcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        124⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\acwAgUcw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        122⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies registry key
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WuoEYUUU.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        120⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MekookMo.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        118⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jiYQsEUA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        116⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies registry key
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zUIgcUgU.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        114⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CgwUsAMM.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        112⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISgIwows.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        110⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies registry key
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qawYUcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        108⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cQocEcQA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        106⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PeQIkcsY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        104⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UiscYYQg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        102⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOQcEIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        100⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uWkwcYcM.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        98⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgAMIYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        96⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uCIcEAIA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        94⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wqQAYkIQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        92⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cAwggUgs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        90⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HIUcsoco.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        88⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dEIYkEUw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        86⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eaksEYYY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        84⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sUkswcks.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        82⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jKwcgYIE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        80⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CcUUYUIA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        78⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        78⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        UAC bypass
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xAswAUQk.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        76⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AwkcksEw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        74⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YswgoMUg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        72⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lqQIcIQc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        70⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        Modifies registry key
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pmIoMYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        68⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XywoEIUM.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        66⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HiQYokEs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        64⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rqYAIcIA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        62⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OUsUYUAM.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        60⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HcYEYUgs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        58⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wSIEYIYg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        56⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bwMkIMEU.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        54⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pwUMoAYk.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        52⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYwsMsMs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RusoEcIw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        48⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NyYMAIkg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        46⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gGQcAQUs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        44⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tIkQkQAs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        42⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\csgkcgQI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        40⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GSAsIIYM.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        38⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies registry key
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UqAMYcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        36⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SGkgwAII.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        34⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KWwcUAcI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        32⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OukwcAUw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        30⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eoswYsoE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        28⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\raMwEIMI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        26⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zgAoYoUE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        24⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGQQsEQE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        22⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGwwIEYU.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        20⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oMkUQsEw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        18⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eiQcUoMk.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        16⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TuUMsEIs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        14⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LMEsgYEw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        12⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AmkQEoMc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        10⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DgIcsIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        8⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2196
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SQAUUEgE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        6⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1640
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1228
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1172
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:800
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2976
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\EaUkQMUA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2736
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2772
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2156
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\fscYogsY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "265756332-898526806-1906067035-778553807417101235-1656345072696570870-1505086445"
1⤵
PID:1908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "746779536-1543735824-933546020-171792389015979469721196693945-12735915461993702765"
1⤵
PID:2344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9387983882009060877-1984872960-1123321053-15248397281823365645378849917-1168972028"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-60873141110151834-154048507112131248241972683022-1170774565196960429-1614671345"
1⤵
PID:1528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1943098071-19739222716995107683149689261080860876-1544428213-1332777102-1653513780"
1⤵
PID:1460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17029535468371021701161223742-17570156531840013371750885886234264525-2091278946"
1⤵
PID:876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1827424585-17217147891429159050-800160274-185610911-1451063159464018074659508304"
1⤵
PID:2828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "59969074520220428036862771892040520264-2102358054-5546646523236569351847142985"
1⤵
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1520747040483773497129871044-1261366959-1158542829608318261-1993357700-1492860847"
1⤵
PID:2268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1257647561180216799-1677825870-20268452841312741354630623322-20016437991010839474"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2138957935577449461295460858-13552984999537203891981560898-1215930540-1660414828"
1⤵
PID:436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1398677911124411827-2084004349107711600216014579512045841364-10753908461132837509"
1⤵
- UAC bypass
PID:1620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1722975944942174662447612616-1751450897-14476477272086181738778095165-876061105"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11950750202090701092-1384868170-8182965141922777353-428437834-725076956-342749891"
1⤵
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10649667241801523354-50550092593475744-1011646297-716801172-20198048351893648834"
1⤵
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "190843867-571480270-2423466721990273567835318273-752920331-5386340540126314"
1⤵
PID:2260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1316370397-222703271-4513781661071581032-8716755231663577672-16212719642063822195"
1⤵
- UAC bypass
PID:1908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-608717775-1574257924164041343-584672180-1591169907-1390659182-1526202490-1433015867"
1⤵
PID:2116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1758529283-1842765920-1318114026508363411869310351124066161-833304246-93639458"
1⤵
PID:2012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-545259130-19522840431729515414-705905937-489524928-20573687481447553189-870178739"
1⤵
PID:1784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2001479973-1342556152-13454979971792552087-1082616270-179545382219287081171967207452"
1⤵
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "741207542143159199735619628144585025319082421332145141901653485629-1123365435"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1154220961631813429-5971503381955167666201551526120264461541863959498-236056836"
1⤵
PID:2756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1024435490-4852153371684868517-107236906119798305391672086419-1341800630521090465"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-83275793199978486-4311910211106089607-1251549923-1114562342-1714973628-1873988309"
1⤵
PID:1440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1202225771014703750-5289519296741502001460069041-544973221-47472540-1730862336"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2817909411117007931-1019562999-17161150671909691103622090645469571101238859543"
1⤵
PID:768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-216781777-1841794318786081950-1366132097571190863-11326317282188974592531944"
1⤵
PID:840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "318924858-59430296519145608351585901923183470938917146612831084905581-1566586677"
1⤵
PID:2644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "524703915-1698204542-1451795792-1431151852-367309860339161307-505120522-510452032"
1⤵
PID:2944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "62334904910395895374925559932112424089-586226220-49517170812690378041630720239"
1⤵
PID:2588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-641957309-1594723325478563567-1476400022825543867-12131985424281601992054091341"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "36466910212350840641449463247-615758007-1092655269-1138718443-588253211-26659742"
1⤵
PID:2572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-169767407234782726-156352829-19908820751435325843152280496210813624891239668320"
1⤵
- UAC bypass
PID:1804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5231317881510398016-1287877699-915123562121732355-88659522569490393256241307"
1⤵
PID:2368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-642264094165969942-11403419301427236908517671657-326960464-84962345-1839790465"
1⤵
PID:2016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1134435028-322144983161559689812332584211630949820-2068113017-2380389481253617301"
1⤵
PID:1248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1035937618-706366004-188398629655986511-851451172-1468394057116278441421235963"
1⤵
PID:2564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9404484111246367536-151389629517336546-2103624312-1068300930-950318362-205577873"
1⤵
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13650035049604435691905973957-20777443481510512583-2884438211943081747731507929"
1⤵
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "414619499-1218313099-4761710878883691935951774347894921431188862486-296241916"
1⤵
PID:1916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4465176851709222325125014562090475718-1534894773377159615-21349332341988467463"
1⤵
PID:924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "206366091-2033816282-1093389866-1390009920206158378118797554051650233623-1686436837"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1164480045-13164824191154978726488536-149351051041849621-773024257-1737140410"
1⤵
- UAC bypass
PID:2256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17462527071083494418-2056313143569624691-1488477896-906372149-15366582111343264355"
1⤵
- Modifies visibility of file extensions in Explorer
PID:696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-859476268-731017354-16536197361620238654-1972157645111939861419686945551612711836"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18079104741775450833-1071296354-953547131435209635-794107281-209351943-1262559108"
1⤵
PID:2660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1540372262671208270-1771047589-1018432276-417301247641927296239703754-67794636"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1622349330-1679386885976474597-1474122859-729767585-996886969-1194593065-698867594"
1⤵
PID:2004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1862971523-497372813-878017490-1557390675204766303-681089157-394144048-1595521779"
1⤵
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "854080443-1426692103720096197-5814337032752023261878318781-48300519525206136"
1⤵
PID:3016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13411214941037344-1324291319-100999022720306431412003353033780453012-759149607"
1⤵
PID:2636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1519764216-16632843171300701415-1475329916760710339-760290738545983982-958129905"
1⤵
PID:2984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1598935853655072643-1404059147-1383643913-721302082-6024362284563094031791695405"
1⤵
PID:1632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-429774669-509249956-696508036-1882404640-13992697761775097373-17968829681655314830"
1⤵
PID:2148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "218866189-107780913-1947772172-374943895-1643760586784134410-5503215201625678405"
1⤵
PID:2316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2002973010196017295210250685122031976547-1152635634-663299526633822114-2056172771"
1⤵
- UAC bypass
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2032716426-4224082011201160847229848164-855860861302893732-1561998374-1852342469"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1845744569-164806470-15554325-1092981596-202841250904694767-318702804-168077315"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2063251596-162217832179684556272950621337135113-12944091262094794149-1082935289"
1⤵
PID:820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-953384721-2746355611398082212-17657075151604200663-1661596934-55998438240042743"
1⤵
PID:2776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-163429160-9210082331128932075-11366446981827697078-1674804994-15538794841778214725"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1205777129-155980943565674015613335363778631946641191297850739419105-501165501"
1⤵
- UAC bypass
PID:2680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-717216764-2002375292-1950355570338040009-1306085523-439452321-404160661-238127984"
1⤵
PID:1044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1215129705-163555335-282537159910859500-1543920630574983722-1245845101758895510"
1⤵
PID:1704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-420999680-1696640272-1400440014387227310455494882-747577921-1498167124-1317991998"
1⤵
- UAC bypass
PID:1920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "267184765-1155736791-369186229-386879019-1309266231-16670706951677551212-300904893"
1⤵
- UAC bypass
PID:2552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1688976570875479460-50684544143371953212451364871467469500-325460640-1233814649"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1496

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2105078231-1074197594-543306285-1279533000-1407449189-1207308878-16047559681181977354"
1⤵
- UAC bypass
PID:1136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1182676589-90937500617618141451033766375-162545534414238391815766914851923568988"
1⤵
PID:2164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "437270063-6838879431366030381508073737-366412255-13935940721270512255-907486078"
1⤵
PID:944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5483134691273879828-33009172017432166001859550709-533510687145935405-1040177388"
1⤵
PID:2356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-34828776984724067812094781921521481734-625033877930990657467327110-651927263"
1⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
1⤵
PID:1936
- C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
  C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
  2⤵
  PID:828
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
    3⤵
    PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
      C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
      4⤵
      PID:2472
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        5⤵
        
        PID:2668
      - C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        6⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        7⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        9⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        10⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        11⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        12⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        13⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        14⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        15⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        16⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        17⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        18⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        19⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        20⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        21⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        22⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        23⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        24⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        25⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        26⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
        27⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
        28⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hAQQUwAc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        27⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lisIgUYw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        25⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        UAC bypass
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VcIcEkEE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        23⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        Modifies registry key
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sGQMosss.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        21⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WEYAEwEg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        19⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMYQkwMI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        17⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUoIEooA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        15⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UWsQcUUY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        13⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JggEkkAs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        11⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZQUMgsMs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        9⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\usocIUwc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        7⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:1804
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:2020
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CsUYAgQk.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
        5⤵
        
        PID:2800
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1248
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2792
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\nYoQAIUk.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1716
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2720
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:904
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "927217398-1113945828-891501919-942889685768775782-465823807-1188021107713912019"
1⤵
PID:1528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9178614451996684365-925443660-827920670-186354876114468386918113782431656861101"
1⤵
PID:2996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1085973543-1349790274-20383102881279029121770626317-1475242540831222971105333454"
1⤵
- UAC bypass
PID:1572

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uUcYUQIc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
1⤵
PID:2540
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1376

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:3024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1183200872-21463959731067884883-123514965-1188297402-337928611-403142501-1828873720"
1⤵
PID:2388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "446295044172457609650911323-659988313119247947213895341771991727603-806781892"
1⤵
PID:2192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1274855921-2143865437-456559546741896000-15697315611586514846-408643685-519445162"
1⤵
PID:2740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-122820421745289680930888207-1990510745-88332264416136638647298674781991196639"
1⤵
PID:548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10833888031709854638488322553161000988-663024035-521721217-628743679-1998515059"
1⤵
PID:2476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4035044801982741770845996205-22728200-69011625912423837167890025291380156399"
1⤵
PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "476465420-495722851915379593-1143028912-1149538200-269891858-180106047466066027"
1⤵
PID:2968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1648021995-1543321614-1247371429-406854744846503604-17101651411177492501204321962"
1⤵
- UAC bypass
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1207115663508013483-12465822701839015017-12253523291468118984-1483362816-2092672878"
1⤵
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20936739331855453143139513057017795609781760990606867457706-634337621512030048"
1⤵
PID:2416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7269745167167512571801759118-1891768378-707370807-1740318628297322137-516909538"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10763764215343904912010733126-446568091654983636641680156-13807742021888244812"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1494776825-182104602893038426222939843913048670193887795136277762291796687490"
1⤵
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-905577071153094928417244376071562030350-512774705-817887194-5669901331010216601"
1⤵
PID:2560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1131912987-6328401301801256604-819887428-2145456221-1206797588-573248083-618569074"
1⤵
PID:436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "195092570397336588-927714012068695216325962086-1238729250-971411721-1850166026"
1⤵
- UAC bypass
PID:2528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "394654998-1072686211-543275103-17353903681013854456-292413812-978648200-1213552973"
1⤵
PID:2860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "451860011-12883332111307800916-2210723201628630042017631651-1715600086-1846190477"
1⤵
PID:3020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1079824928250569822946447233183851935-232553351-378121822-1945547251907086775"
1⤵
PID:1776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1981890638-1571797825-761582234-1434925065-9998063501026436321-472429058-27205650"
1⤵
- UAC bypass
PID:2300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1195613670687232526-1087753888174100211220146047773476171911141690118-2011179870"
1⤵
PID:2728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1739131585970679116-1816414964-630130188-1741633102116248008-18833041782090514630"
1⤵
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-654660077-1458418001-5807535181706725672-192388962413711581491045972984307098851"
1⤵
- UAC bypass
PID:1168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1908891935-21096274744734808731910106653-1531344354-7962893711677396195595919392"
1⤵
PID:2504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1650666783-857566157719162451-242625180-6551769291081320118738972580-552124618"
1⤵
PID:2472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2080617691219973342-1365723077171413606-2100975374-15358301771098266657-1774157272"
1⤵
- UAC bypass
PID:2600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14052796122099503869834564424-47806539712203352401872773740-1181223686834718744"
1⤵
PID:1580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2063387195-1748860155836954812-97035900-790117741-1226524510-1333823920523229720"
1⤵
PID:880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19519321239640483771383350939-20943521161577163622486370880-1549990652-1162245076"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "319352613-250749352-1223459393-334737583874651389-79491602216002120931866518787"
1⤵
PID:1316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1212409143-17727564971675489420-1105477242-389633968-9757662703440042551477858140"
1⤵
PID:676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20247967811843742222-13678726901226021204-14579915401778510642-14141561881021183052"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20679973771437417093-3320841-2015372230-1274742062-10012278421070642641-734339589"
1⤵
PID:1036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1029173934728220518-1098735345548775364147781297711298342250511054-310044385"
1⤵
- Modifies visibility of file extensions in Explorer
PID:908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10270323883819274412062931904953481448-2082676456-13172494322437981-118413077"
1⤵
- UAC bypass
PID:1952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2124027106-2088673964792839011-6291276422735858791277371297-245053916-1617008991"
1⤵
PID:3052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "133900951815651582931781277353-428416753-66893242317685822862088698441491360666"
1⤵
PID:2912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1286007212-1145929572278008434119848115220057988891046952881159198679973141974"
1⤵
- UAC bypass
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1528928125-199023313-992724336-1006336424-135062650-1016546222-14969938532082236522"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1358260279-2046789676-1720555605-143986762714821582951463448371-397498946-411429409"
1⤵
PID:1932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-443435746-397403664-12874666181108935047-14781240-9345754831531792131979985353"
1⤵
PID:1308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15409046481843977517-18042166591853661833206037374915103310381387337920406409887"
1⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
1⤵
PID:1980
- C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
  C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\hKwEIsAw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:760
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
    3⤵
    PID:2208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1213860779-2057890764-1357558102-14779752471939756393821954874-678991100-1341933820"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1498292142-136472365-16366471551357095712142370675-135079869781140090431430655"
1⤵
PID:2796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1389981082-518492052-34913803011269463321180057993-6733504982026155415-1853310783"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19613301671752231737109732942-834890951510274809659523626991606056-232404223"
1⤵
- Modifies visibility of file extensions in Explorer
PID:3060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1236453860-800559206-143788510559561383-628651318-2874041091169088971322231344"
1⤵
- UAC bypass
PID:2788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1068358998-582527858145530127218043249901952411533-773852175-1954512929-219779987"
1⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC"
1⤵
PID:2000
- C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe
  C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Modifies registry key
PID:888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- Checks whether UAC is enabled
- System policy modification
PID:1140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "813139046159758521848211215-196681688416168940922616351331036780870-950615031"
1⤵
PID:2064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-672485035-305582367-2019424810-363431801-1836770846279128810-1007146078595086169"
1⤵
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "38040246013580372676079487431079664786-18358030681786183546-161308858-1625450041"
1⤵
- UAC bypass
PID:2784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-470171450142577625-390731018-869535925-382713035-972294106-1676198481927391991"
1⤵
PID:864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-982411038-6589085181269568028-57808148253198324-201977885-1205237672-318258121"
1⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YCksggoY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19662205881341047252-202123318914935731991652568-1412711722271666093763582765"
1⤵
PID:2336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1961502579-647962849-153033253273044495803209425-49070571512541443381857003883"
1⤵
PID:2484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9579964506241410071782673952-1394014313-1198430861-1728007926-978322505-676051352"
1⤵
PID:2828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "42948002114782905502073733911-863923057306773647-173762252685136708-147237123"
1⤵
PID:1816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1387111015973643704966330853-746700874-72563586456540516-12457968871731656596"
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "687142235-646211011-29090191052225976267689404817474226921230645276-2145485805"
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

Filesize
252KB

MD5
3e9e294a34aee0f93fbac8fe380d6ae3

SHA1
f7f2b9490ed4c594e02798788cca062365fc8de6

SHA256
fbda210d9f5b2964c46a1b58653b6d9e6f2f2881db7504c915e090af1f9655b1

SHA512
8b674cc05ee52fddcb36aa5766ecfd542a5986085a0377a1b268ddd52ef7504fbb5224ef3372e4395426c63c856ace2d3efaa8c414e6ecf38e169a99e2571bdd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
242KB

MD5
6048ab0ad9fac777424d1e650377cdc6

SHA1
bd533733906afe6ad66e086948874ab94e6b2cf1

SHA256
837b7ae02ab6210f3030e842b5c60a97d337c8b0bcae5086abe308d864599076

SHA512
95a6c3778c204ac921b518cf4151e77f909dbfc7d74977517f3836cebd34ca35df5067f5a609b2d5fb7fdd69ddac10aecc07c529139e4a191cdb8e2d945a6398

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

Filesize
234KB

MD5
4da0b5cae6a0e29d7cbb4d5b014d0789

SHA1
effb4156f41d5fd64e3d31c2ac6f77eb5f6ca277

SHA256
db2bb500047a5fe923aefb776a6d9c88fc5b666d23fba9ae8b2b542cb55ed3d0

SHA512
8fef6b3ac21b1538422e948d6528c0b2362aa8fda16b6eacf438f63d28f3ce3c4b6d273f1ebcc04faea0c531a2f5364f7ed197d8e6397388193ed24b29b33933

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
248KB

MD5
c3a73f3a624d9d486886c112a9880aef

SHA1
15e861c188edae493353d2d4281393b3559a2499

SHA256
083bfd6d266ab119c36ad23c7d8854cd59d9403086d19aa914eb12a7a341e371

SHA512
6e0a03e0df129fb653cd37eff8d5184a102889153cb7ed03f959ea630b75dd18f52567ec9f31a9fdd801d33e9aad4b1ba5b855ee7739d175aa4a4d4cb71236c1

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
650KB

MD5
8d0ade94ad7aa6049a12b80cafafe3b3

SHA1
dc006a7060c366bbde7cd9453838007f9f193382

SHA256
d6bad10799190b661ae8257b4e4218d7d7cbaa567c637aba96221ea9bb15b723

SHA512
8ce0257d5fdfcaa5d1f9e219e092be5f20f1e062801f9bac307135566964763d63800aab84f22c8c6ee97cc596e96f3e813b2e66110966cad7e51bd5989cc8be

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
636KB

MD5
85e6e2ff006787d9d40f3b5758639f42

SHA1
a71d917c91db2e30847115e8ded93aafebc1ebbf

SHA256
04428dbfc258f3ec8bffb973d151c5d6855df13933d03ff8c879ba32cddda0f8

SHA512
bde51144d595efcc7ee04d2bfb7538c79eaa62c3381109cc5f7488b364cd0334df9c44501b1d07f07585f2a96e43b028fe3c92882c4e4c7b121b65ad1592a5ab

Download Submit
C:\ProgramData\zKEEQswk\DWgEAQUs.exe

Filesize
198KB

MD5
0a45d933944629850744edb7d093cbdd

SHA1
d5690f8c591ea0baff9211891f182f1555c1697f

SHA256
03ec66bacb124ca4c58e6c72380c7ba00a92b2615980a49e5b086a5b03fc1dd9

SHA512
4c78d0d6c06608dfad6dec0350fb92df1e3f9034a0815732688e78093175df899b496fa963698adb294ab2fda8c4e48fcdec9981668c8a4374828431198e7526

Download Submit
C:\ProgramData\zKEEQswk\DWgEAQUs.exe

Filesize
198KB

MD5
0a45d933944629850744edb7d093cbdd

SHA1
d5690f8c591ea0baff9211891f182f1555c1697f

SHA256
03ec66bacb124ca4c58e6c72380c7ba00a92b2615980a49e5b086a5b03fc1dd9

SHA512
4c78d0d6c06608dfad6dec0350fb92df1e3f9034a0815732688e78093175df899b496fa963698adb294ab2fda8c4e48fcdec9981668c8a4374828431198e7526

Download Submit
C:\ProgramData\zKEEQswk\DWgEAQUs.inf

Filesize
4B

MD5
ca34f8dfafd812b25de88ed1b8ee51ed

SHA1
3dbbf5624e977c4d6d3b6ae693be623fbd5d1474

SHA256
39259142cfa97bd959ccb1357352dfaa38e868861cee0a4e56a8f9ca8885653a

SHA512
707e263613ca5d65187a6da8b7e2c3e0fe085edf1d6f2b7b63ff3eb7191e7b6e689225706b0ef23fd2033019e007c3db8d76d71b5dd86f3dbb4efe5ba23d46d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQMggUAA.bat

Filesize
4B

MD5
da7109574e4296689f05a944108926b1

SHA1
629dbfdc3570e96f544cec3bc3414b0723d0104c

SHA256
30f28879a553580a793cfc69942be23bbb85d4e95e9f357b636f1714b4830d9f

SHA512
e4c2eb2716ea8c30750f3d3f0de426ee006ab902768d5c49b6d044ae3d2e9c470526e4133e8965587be887c6deeac48d1cd1e12027b87a727ed1fb76ebe8afca

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmkQEoMc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\AqwQoAcU.bat

Filesize
4B

MD5
e6dde8b991d1a13f08ac77ee68f4ec8a

SHA1
4b2155f8d743be92c8b224bed287d95952df81b0

SHA256
62eccb0906a24a5137468971f5db679a06cc2a67f4b15e5589f51888baecd7b8

SHA512
228d72df9b26d201be67bc616c6abb88524270c0ff4294324f55481ce82e79ce8660cf04fce2a7d1c23dddb75acdb3c94398c79f52ebab820e961cd80356f7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AuEQYQwI.bat

Filesize
4B

MD5
6853d1af899624b207903a2bf79147c7

SHA1
e223f61f2d8ed90786e9c7ec5a462bd84a45e07f

SHA256
8d68044c6731695f5299c496ffc5bd573ca526be61027f41eafd13e2bb74f14b

SHA512
177533c31e464abb1d8f4e57ae1715c44650ec3ef56563f57fb73a2d2f6a259225df19f6a7d45a998a6c727dc1f25e499a7fcc405ea52a81487781b1422f469f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQYc.exe

Filesize
638KB

MD5
ccfea5aa61b433fe6d0f3c8a624a638d

SHA1
a50d6a0d6cf145d2f555b47606195b59cf8222c9

SHA256
ed181593175e3bdb52976da769bb3c4fd8026fc726d853fdded5e7c768146e08

SHA512
cad638b58420e2a13a1c4f4f45689a5b54992e24d67b88f5a94677b7f99e0333a2c66137eecb490d6b148d45fbc6c879a1049f517fc61abee92454457212bddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEkG.exe

Filesize
236KB

MD5
dec6139d8360c4275e7e66cdb3fb5373

SHA1
3a7099e6932f5cdfc403be4553cd6c422f94a4a2

SHA256
ce11e7d067c124be45a5b401b787e4e726eff4110b31303e461d90f34db81ae9

SHA512
37645897e77c062ba0109260e1070704262c886b4afc775c1c541a6570ba8a44a103a4bd7c3c9a2356c805949f0b771cc9c9bdb6b0968e101ceeae3847b9e8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSIEsUkU.bat

Filesize
4B

MD5
fd8de50710ae837f4fba08d6bde11cae

SHA1
04d18a7c0983a4f4bfd3a6d74501a8e25fd762ef

SHA256
3aa9e21ad7ecda029793822b386f527ce5fdbcee69c9b90a96a121f11328e05c

SHA512
2c1c11e915f3ae68e988cc845d91095f9dfee10c5992c5d7c18fb74daf3e61c9ac0563ce8bbc4d9a9c94956eb908297915a19556f055924315a37fd739d4b861

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUUUskIE.bat

Filesize
4B

MD5
18b2d69f62dfb0f73cc808e5e7124069

SHA1
58981a46f36e8ea530e0424f5bdfb5c9a7a3f37a

SHA256
02c85258b847816811a4bfd7c4227ce679b7bee6dab3a60645a5b25e1f3d092a

SHA512
38b4ada3523ba8e623dc868c9a8c05b0848dd2402c2cae9c34c0a96d408ea009b19023046e517932a84886f88a7167f6366b43ee65ecf3448b482e2a7548f8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcgU.exe

Filesize
248KB

MD5
6d1e103ad03743eb82abb95b933901c0

SHA1
38493a8121c57eb96a90d94c8463ffaf5a4aad28

SHA256
2ea6ac287757326ec4a7a2fed0397a53343c75ec7cd5bed6162a25d9fda6568b

SHA512
0ae1f15f71e34ceb7ec1235c8849f65bb437eb161c23d527b111798138c129dd76ad1417794b63cf6263371865bbc2f3d61c629e66bb8ab243ff7b99da764074

Download Submit
C:\Users\Admin\AppData\Local\Temp\CokW.exe

Filesize
248KB

MD5
cacdb1d26cad1b09ea1aba69935e1fe6

SHA1
4901e115db9419d17d4529f46f15ca46b5984e2b

SHA256
6af2e55d726bab74d96b1a29d2df6834ca6892dbeda01f265ebbc8f0a7c564a0

SHA512
05ce77f113e31a0f9ab08925e2ad6990275b3ca7eed9d21e78a2e75e5fdca798a7a7a798568c700ece5430ee1f22ea5b99958b5b1fe022ce38fc9fb3da82a92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cosa.exe

Filesize
582KB

MD5
d7173e415109435ed807ce09d0578f51

SHA1
34ff79a28b61d6ef0eeac7da90f5605411664f06

SHA256
a957af14532e26f00ec986c5b7ef6ab25fc809bc6714ab262132a58e8108b1a4

SHA512
43f12866be8c3f7620cec37b4c37a73af2b3a57c80b0383525da2cc5e78e1a889a20c6b5602180ac3ff832d44683365c798f0d645bd967099c0c321409e2a293

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsscYEYg.bat

Filesize
4B

MD5
10ad5c0b9f18bb437ec66b783f62e1fd

SHA1
abbb78cc043747dcbe09581e29e430dca1b4da09

SHA256
f502dbdea6c8e9598ef55428ed84b8db2eebc03c49166a5e5dcde5a9db16f4ac

SHA512
69d11282d781d5760b2cc5ae0afaac69f31e740f6df4d2968bc0518131d06c41875df606a7f4c2a5066c69b0f7291d149d1fdd6c7c801d18ecc0e7a412762d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYAckwck.bat

Filesize
4B

MD5
05b47cee825dc414659030e8578a4249

SHA1
c0e2a72bc8241599719a81c051730ec509abd6c0

SHA256
73535648e76b1e7a57952d111ba089dafb1e26c802e8bef0ca3e435b8d94e3cd

SHA512
efac5f191b6e4fbc5b706a3b910f352c171fb447a08b9bc23dc511fa3631ca8c46992f8c02cc366321091cbb88c9b7d759a58b94f36e1fd37f21bef8c5086805

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYco.exe

Filesize
240KB

MD5
e383cdaa90df526ed32a0a151aba5ff5

SHA1
aae1da2d6cb5d4bca765f90530c6859e1f6512db

SHA256
acfa35196f4f2e31940d1e8c995e222cb85ecf6ee9043edad04c43403a1f41e6

SHA512
660e579203192cd2c86fb2969c4a8f353d33e5215d318d22bbdca4e0f66a9f9465c30285be50659a4d4cf4c8b96289e51032d5c8ce9ddb923df13df42dd636a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcMc.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgIcsIUQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DyIEcAAE.bat

Filesize
4B

MD5
b1415ef0aeb5f198fe08eb0b4a15d72a

SHA1
6bd578f4aeb0f141193ff1824b334bf3cd849b27

SHA256
7480e66aaef7819f40069076cb35b8758583209d9f488c83d427d612736414a2

SHA512
b509d65819fecf77f3160b66229f232250bff64f312e6be570cd7c279e7a16eecc79637aabdb1e631ef49b96661159a8043590ccb6f4f95cf8c0f98e3a063d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAoA.exe

Filesize
789KB

MD5
8c248b5c26f41413b824458608bc988e

SHA1
da93b1ce288c838b039daa415de27f1eb4b4ad8e

SHA256
6c43062ec72d810ed2ffbedca7a990f41408a2f1772aeb8b01dc12356ed47a4a

SHA512
e994aa304e01aa266d1ff0599a2898ab8cae6f5ed1d9ab0940663812d2de5f6cac0cfbbc94e3949d7a301dc9a3572f7266939a2f1d5490b8c7c6a13950db198d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECoAIAEM.bat

Filesize
4B

MD5
d363307bbd877bcb6612200882d22005

SHA1
75d61c0268bb67871426ed03fdcd082e9331c5cb

SHA256
6e6e7aad42c8281e7f493a14a347a7c3b2b8c73a15ddb003a7eed28823b87a70

SHA512
d42f66d61428a89405754341916cf6f059b6808e124e98a7992a78fe8fa8e73c2f51ecabf4ed92ed6b9a4094d449201da1c582e997af2f6e524de21245f33427

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEYy.exe

Filesize
251KB

MD5
0c7746eef36a9b0674fec91ab07f995b

SHA1
d316d0d6db2d41a06092df546e3559a979b33cdf

SHA256
4d0a33e2823e6989b05df8be8dcaab3afa3a7ae950a2074554644ec8cda3e60e

SHA512
4e727fa666b1aa40deff1aef36044b8b735ba34ad12d7b9f3ab4a18340df7c25079657b60024b8587d70c625be2bc30d4f6485e7ec26040e70805afa61a51457

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUwAcAkk.bat

Filesize
4B

MD5
68aa90cb18170c25120711570aad922e

SHA1
a31663e26772e545ae44148f0efee335ed744b51

SHA256
6a4bd94ed678a136eac681b36393dbae34e31ee5f2ce113e59b9d60de2c737ac

SHA512
b9825371f26e30a0eb6e4405d12ac623fd015b6ab904dac739778ad63d471e1366e1bc9fe265ee05e09992d5c58e044fad5f13d71e8a19deefe8a8a3950936c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EaUkQMUA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcsI.exe

Filesize
246KB

MD5
b809d9dedebff550afa72d1878cd6af5

SHA1
b2257a1c4099525a1d1a6277b29442dbeba73c91

SHA256
27513a2d1f5296eb3c71ca5ccdd61673e7bbb3d50b765598838c52a897917c02

SHA512
999f99b4d66a517ad37a62d2a3c6886391b00fec40a1ba26da0687c393d82b3c6809b0e39b8ca0ac6e54f635882ef4c89de6d22d5b712764c39ca63d279f78b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoAi.exe

Filesize
764KB

MD5
4aaedfb06a28f98325c48d79acc9c543

SHA1
f0cc9cdd0c69b8908eb3eacdfe7daa37e277aec6

SHA256
e95d6a1e36431849637778c90528f84e25101da440fa04893795c2b5791bccaf

SHA512
a5371dd03ecc26d8d2ed5089c21b43341ad1e0d2fb16b81e02d4af821584a62ad9abef8a5add007d911a2f0f301921b635a0e28de5e70ad6e2842560779907ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoQS.exe

Filesize
241KB

MD5
c8ef09ac855409c1f3d1a926ae4679a0

SHA1
3638b055cfd6530d2fe2934e2b7bdd20b9da3af9

SHA256
8f9b0154456db8a57f6d8c462bdd80e1226bac84dc090b913cf1cc27b404433c

SHA512
9ee3655cfb5274141c0dae047d21af5312dee17d34dcfe3e7920d78b04a63546bcc5362f620d044bca76916e1b7758a023a48d2a7bada8a15891b73adcfd26cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIgK.exe

Filesize
238KB

MD5
79887720067619872fb1dca0aae52099

SHA1
5886b3d1327c9009a6db3ec7b49b25a9fed2ad75

SHA256
cfe7b4d02c0e55d2d067f947e17e82291c9fce2679ed94819357422c0d3a3bb0

SHA512
8beef8bd55d27e514cebdd3d59a7c70f048b098174f3ab68539671ddecdfb6c093c25fb3c5f8544cbd7fe8768ec945b427d887ea9aa0dc2357a0ead4780d037a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMQM.exe

Filesize
240KB

MD5
891f943b38e0902df7a2e5007c6fb7e6

SHA1
6a1226157f405165ffab7394d6fa6261676daed3

SHA256
0aef36972d737b6e5e9be88192badda4528ac2beff931204837cd8606fa4188b

SHA512
8c79cb8cf1486f8cba7b49bf6e82053027fb79c1f317e1e1341c55d8bd2eef1d7f9f26dbdad90f45cb9d25f848d071b23839ee844676cf812ff455181f7b4b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fgwy.exe

Filesize
241KB

MD5
be8fccdbee665361de2c6671a0f8fdb6

SHA1
d0db394e2ac212d9dccd2baf71de6bbcd7ddf004

SHA256
95115200a75c5efc13b86e8fd94162727b21215f107bb387ab40b05e8f023447

SHA512
b300966e9889b73294076a7ed1edce2bc40153ebb37d38db72c176125a694bdee9110a9407c500dd8e6b5dd5908a8f08dc000678826ff960db8a85693cd5db5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FmIEwAQc.bat

Filesize
4B

MD5
62ee0daba12b334b0326b264adf808fc

SHA1
46a433f19997fe2c5228aa063a7a635492f173c7

SHA256
7ad8315d7d03d128d62f7fea895e0f609b23d60965b383d96da8a7d7979e2841

SHA512
3129899d718660b2fac74981423eb1c026b9e454ab3570c1918eaba782147d4b3e1fbe1c641f776918cc15d988edc973449640126fdad1213f98f9318e28116e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOcYMQcA.bat

Filesize
4B

MD5
57ab4bafc1102c3008bb25a1c768af38

SHA1
b3f43302ce1cd69d52c1c0ac1a938d69193e5d9b

SHA256
f0b158aa9c3602c506f5ba4cd64aec0f90d7e00525a9163de66f5291d85cee77

SHA512
bd10231dec8a9afa83608cf6de79b07c7c48836c08fdf8ded195f8eba046963fa6aad4fb4a6823db69593a8816b14c076a36346dee349a64f7fb28540a6ad5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GSAsIIYM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUYQ.exe

Filesize
725KB

MD5
2ca5ece70d1dad191ce73b9261b1ee20

SHA1
c7874f42522869ad30109315a76c27761066b129

SHA256
9d304ecdda5dbbf849aa9611719fb19c4d2b22da21c4cee5611401db3dbd8895

SHA512
b99607d3d20f929a823a7038e0e1dc06444b870dbb74b1ec9082b275c4a870db534c437d8444d6cf0a1c6328b8a85c1572f659a40d598799d8c8c2dab437fabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYMs.exe

Filesize
236KB

MD5
e83cfa045add628ff28948a91ee9baf8

SHA1
5a19c4ac0b96f5c7dd33d8ac65e36ccd0fcec959

SHA256
fb910d94c5a2803bd4fba73588aea1e2e8324f1f69d97a04a9d96fded01e975d

SHA512
aa468bd086a8b229719068fb4a513110ca229a2ba1153328ab01929faf74878a9edfb92c214e786c2d66db788a025cade97c0b4c52d69c390150a4d643d322d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYwcMwcg.bat

Filesize
4B

MD5
f7820c047a0728f1c7ae97f35c88d31e

SHA1
868031b856102c5315bed27acdc20f2b4d307280

SHA256
e61cab119fe348fefe71889ff45ebe2966dbe38b14eaae1869f05f3943957383

SHA512
6e33bc6f63b26b52037c6245379b214e176252481c0ca38ba4afa9251b1006669819ef726895f464f8b231c55af68fe9a8e511e7d51fe24f15238524f0707aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\GmoAEwMw.bat

Filesize
4B

MD5
18c124c698b14b7e6e9f4d0cacc027d4

SHA1
63b37d370e0c35e803a6d5ebb6077ef315e5fc64

SHA256
184640d7b96d776ffe136c000b5b35db4a403823eaa4b1f35bef842d30c50fa0

SHA512
c07740a06ada4b6f0dd35f0591e409583ffe3063f25796ccfddeff0a0bc3ef09497226fd2eafd21b82f87ff5f8f2a0c6d6baa6ecc1acc561745658f935873054

Download Submit
C:\Users\Admin\AppData\Local\Temp\GssUIEwg.bat

Filesize
4B

MD5
b10c49e1bd2bd30497e6a495f10cc849

SHA1
d7bb699b03d80de81ef6f2fcf749e6ecdfc8db36

SHA256
1f574b62d341057bbb146eb2d6cc49ba768ecb001aed991a7a516e2674d05378

SHA512
7276c62ed7c9a90ef651bf7f26f6453037b085d7b030d30df2fe417a422641a7d425270d02851fe086c7f2b6884fdcd1c9c4b6e68ee0ad0e72fadc3c018490d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAwe.exe

Filesize
225KB

MD5
9aaaea6ecafbfc278a6931ee040c6760

SHA1
e5555abb4764a0b2dc5686097ad383353e9f36b9

SHA256
46c1f5a5cd2891ce850ef532a3e7061327cb52ba5daaf540be0c4cde5103cf86

SHA512
178b1522bc4380a712d3062e9087bb06394238cd29b1506cabe68f10cab665938b683febf3c7b3080e057f894bd930f35560975dd8e03b735127187b90130f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEQu.exe

Filesize
232KB

MD5
0c8005810d9e8c825f208da1a057f95d

SHA1
19d5b27af4e93dda4a9ce9067626675573ba42ff

SHA256
8e0b5bfeae1624df0a8a76355a83d897fde7eb54006cb62e9c18841ae0ab3731

SHA512
24e266cae79e61ac3028d59fe8798983383e49e4f5d99feaf884123246221b904af6bd03e70475fddc5939b84b50a13654cb27a9032e264d0c9820c6e65bd1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGQQsEQE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIMU.exe

Filesize
796KB

MD5
3705bd0f3939751b927c1ab7e7954c88

SHA1
ac9637f0d8765f131d1c7a1896ef1579a69f591b

SHA256
9d610680199d5520a77012a69e535ff8d2d955042a64b235ba33f87762e31a1e

SHA512
d18820388974efc558e6887b3e0c56951de050a166ee5bbfd212fcf5ae0a2cc1e7667635362d864bbe121c8d0bdbf027813d167eecb74c2ab4393cb8b21b5657

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcoU.exe

Filesize
308KB

MD5
cf3400f08a8373d37d301e63a7926430

SHA1
b2606c452972b5d2aafdbe1e5b620edabaa12774

SHA256
0d4bcce147e4e03dea5d5ddf47abe9692f87487a857c298329d33a0872cff418

SHA512
0f01ac6609eacad3c62eeda7b26e9f52e416b814848fb1e0bc0b411e137b90a10453a2f8751350378650d8c4f1ed1741497baf0b868937c4e653bea9088814ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hgom.exe

Filesize
235KB

MD5
1683a62edfa184f5b42b25e9b5f77cb2

SHA1
e5b4474ba71126905ec041ce4c3b0a79e39f0a30

SHA256
cf133ae50b278a7f0b6d9567532b254ba5f6a714990bb8abae34006b99c74a3e

SHA512
ed661c2688b0a1889ecd0331dd28520a24898ecbec6ce229117e8645778eec34a31e6fce9de887842215f1aa67fa4090c9382f53340c4381051858adaacce744

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwIA.exe

Filesize
1.7MB

MD5
dbe952015d159c6585c38f41f01aead6

SHA1
de1cccbb86206849645dd2759507368afd0da573

SHA256
ef164519d5b504f6a34deda1145d3fe9da38188138b61b6b3b3e8f335f76523a

SHA512
39ea5a6ac68e8e87586acd6e07ac4cbaa377d4d34fc851642ece7389a048140fbdda2e29b2f0464506746ac7354ba6d330b163885024429043a6338a3ffd6078

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAAs.exe

Filesize
948KB

MD5
17f413d52418b5da2ef003bc1415ebbe

SHA1
40ac62b544fb0e682b92fcbda6e7541281accbf2

SHA256
6cb4804788fa65a159a75de1db6ff6131df4ffea4c3fad89b38a19096162499e

SHA512
d5bbcb6cc6aff8783f901f5012615b42fd1cd5964eb6579bab4586638201a1d019f7e03a53347a1d5662eb606f899a4637bff511b0e9294f410093cd14f27a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUokgUYs.bat

Filesize
4B

MD5
ef2832f51842f5ac5bb7bf4bbda9015d

SHA1
1422b1d517910207ea6485b8a9c81eaea743bd8f

SHA256
c4713d413580c83565bf20833b24b7c2103f9037c0c9656c634d6960da117397

SHA512
d84941425a79523a1f89cb4c6a641cc63277220160907ff412a42a61ab2302f2524249adf8ea526978b6fa29ae63d7842494fc580ccbb9befaca649694529a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IycQgIgE.bat

Filesize
4B

MD5
cd18b33624366a34714a3f9eefc43f90

SHA1
96a145acccff3994fc352ffd1f075d1f97130945

SHA256
444b759a29e654b633f7cabb0a574deda4c461582f82939bd35ed7a856e1a82c

SHA512
89cb15e8a03aafbbecb8838fde0f42ac1dc21c25f2f2b92a3aafbad9febe1e86e8c84e587e735f6e7fd6462aac881fb5ecf454d3ab35b73a3e32fc9a2b1b69e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JccG.exe

Filesize
235KB

MD5
15dab6c64599dcedd7a66697125927c8

SHA1
8cf882a39c87b63fc04b68c6fc8f1de39b5558ea

SHA256
b244f50f56e0a68354ab1a539c660bcca21d7c27188c04fe704846807d31ec19

SHA512
f2a9cfe8f77d9aa37442dd384a431d209a1bdc277d226f0156915b8bfdad6c08959c5412e1b3f21c4364c3387725c5ec3ce0cbe1e198fe7ef6bf9db01c11ead4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEYEAMgc.bat

Filesize
4B

MD5
d40a3b868098d636bdad293d1beefbcf

SHA1
f8b479fbb42c41935ac3eb0bc7c6099f45541bee

SHA256
c697e5af8f3cc57fde2ef847c3da5ffcdd0ed2e41d86b58a88664a2b5e880580

SHA512
76fe2b8466ba61e2edc678b1de1892941d9d9370657ad0390a72aa96a0e7250051886b636398f93e73239b228d40d586d2d58835f1fe1dac7bc393400f642fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEkI.exe

Filesize
236KB

MD5
3cd4bed0e692deaf67751ce4cfb8457c

SHA1
d066b52eb3642f0126b8ab934e8f56f38acaeba0

SHA256
f9d5094fc833cf8fe181a47ae3d37997d97d73b5010a53878e66270d48ca466e

SHA512
414c735827c97460de5b07570e956de4d51b0819ac667450ae075890aa58d94b7cdb792259bb3adfbcffb7ec4c1a6bd092c3d85a37bf7b1f113f69f53cc876ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIAg.exe

Filesize
247KB

MD5
5af592dd1a827d2f1d01fca658af0c28

SHA1
ab304ad46c6de26e21a067706e698c56ded6151f

SHA256
8eac0b942c44dcdc9bb35be4075b143008a49b99399b6d22be3c05d3eca6afe2

SHA512
c47c4613bf3c828d67379ff0e0800cffe4802487186b573e8832cf2fdccc7480b4ee62e264e66929b1445ad062705a90b6502d75b97fc71ef577db02ed37f170

Download Submit
C:\Users\Admin\AppData\Local\Temp\KKEkgMQM.bat

Filesize
4B

MD5
1e6c82dca355d75a8e0c771d28b2ad63

SHA1
9b19d7661a3c565850f98e7fca4d883185f761be

SHA256
c197aa3ca9f3acb28c9a61342d52f2f12eabce494fb122c5f56b6bbea5ba3e9c

SHA512
35a0aa43a79555fe614f0b545d640a03a92ad649e211bee5a16e3cc5966beb52b4d1f8cc3829125aa5296d6021aad74b9172185ee221c494642e8e33259d1be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMAi.exe

Filesize
236KB

MD5
e56bbecfe09ed8f4db7fd67b98c5acaf

SHA1
6868b4ef76da1db7dfe656313ee5b5783c952793

SHA256
e1a664e51660ac44a200589456138176e59000662fddb4861c30fb54b8a889dc

SHA512
1cfde43eb8e94f590335dc2878570d5a3ab3b0cd4d817ebf8d1aa9709ecd93f6d910f669d878a320f7c8d9afb1918d79203c21cc49d55547500f119aa84ff44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KWwcUAcI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYEe.exe

Filesize
311KB

MD5
5a42b0068bf9c1e2c19b3068e39ac9fc

SHA1
3d3092476bdddcdcc9b5ef41d82977f2ccc8bec1

SHA256
d8a2fdddc58e1a0e1fd861ec50356ae621cdd4c8d47de34eafac4073b11bd422

SHA512
3e59b8a8fe751335e0495296a4ec10606d838500a04a159447fb19733fd8aef68b6de9c27437e2dc63a11fdcc2b2290d1cc0130cfb22ae1091a5526dded06b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwokAQkA.bat

Filesize
4B

MD5
7bb1594eee4f2cae828e58db7bc88ef7

SHA1
6112d8bbcce360bc60b2b46c91153afd92c3a0dd

SHA256
63278ac55820d3ab2160db0a3ae6377e9b94322ff4702c7823b7ef247a25e158

SHA512
e55f4f73760e701815c6596f749386d5bc70af5164e172f2a112977c9c2f9327e51166b2321b3bbee62cb14773a30ff6e07af0193f4616fcfeebcd67362d6cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEIM.exe

Filesize
4.8MB

MD5
4b5f9bc2492771f7a6927c7bd828361e

SHA1
ed12fc3032ae3c3a2ae81ccb7c31ee06faccef6e

SHA256
330b5815d783feedfaa9fb3805774391c3799ed4ef2f5191af2ba2db99ee851a

SHA512
fb118164f6dc7d03a05178dc37755af5043fe7e542f67eaad7ba9a071a360d122605d3fa9fac00ede51dd9610fed3f9cd301ad5f8c949fc6fb88e1ff544a685c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LKwUsAks.bat

Filesize
4B

MD5
708095c29a1bfaf2d96fe555495b3c29

SHA1
fd9a2dc9a5927b9a8d16904c0f297355f602b157

SHA256
7fdddffd6be1ea66ad80d9af8b3d5a8630ad95dded529fe012c58359431faedd

SHA512
5fd2324aada69502dbf4248c1317da9a61b2de8b3c6c6a20b414317f702160693face5406358984751dbae8de974fb0725144b139ff2863f69f63f7fa4fc6cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMEsgYEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMQq.exe

Filesize
237KB

MD5
ac572f50f7e41ba890659282637059f7

SHA1
6e116ad190e109d88804f5d7d7cd6737bc81c7e3

SHA256
9d42314afa18a936f3a53d685642e9b73bdec331946345b01118297aa51f4b14

SHA512
25aa9348903d5c6bcfbace3078de05be683a5b8f64194837c24bcb64ae083e5e737dfe20c3533fef24e9fbf1c5cd83b26c4ae8ae1035edb541c96b8b84fcd7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MOcgAQAE.bat

Filesize
4B

MD5
341dcbdc22d0e52e01b40712cc7cc644

SHA1
c636b2fd87c9be6acc5fba9019f6d55df23ea1fb

SHA256
879461e9be0144a37ec8ba25f7eaa2c366f0e0400b2b0e9442151a1c99587a50

SHA512
6a7248cfbad18cf52113487ce4b9a861723bdc493f4aa797e5f6a10c230d17f528a21702e3c6dc69c83ff38841076e6d7dbe369fda708eb28e2702fc15f2ffc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUMQ.exe

Filesize
231KB

MD5
51b33da370a75f5af1e3e5a8e56656f6

SHA1
c6f88334a7e373491817b11bb3848164a8e5a26b

SHA256
605bd7a1f948097a3156d5cf9c8f6acae78ea3649f93ed87185ad7c80b5db3a3

SHA512
50610e8069170884cbdea01d6080ade2c60986f10f383bc3dad451ceb8e8fa9d6cfb8a8e01c94e61d9b2ea61364494c030bdf4a6977ae2d856f53a39ea49acef

Download Submit
C:\Users\Admin\AppData\Local\Temp\MaQYgYkE.bat

Filesize
4B

MD5
ae3b3db0f9594fba9459e99166ccc6cc

SHA1
6c7501af861b5c4f64980b2da9650eef3396d4d4

SHA256
218e13eeb95dcf2aef3f748dce32c42a3e0b96162c19e1a0ae59f65ff2f375fb

SHA512
0cf8751b07b6a175a7dfc1bb20546e86230e2336b2e861e2695149e90dbf02960edbcce12caca8ebbdd8a6cc0d90ca64e1549377a6e4cbda231097e075433570

Download Submit
C:\Users\Admin\AppData\Local\Temp\McYoIcok.bat

Filesize
4B

MD5
0175e3a0e63a586059224567b0781aa5

SHA1
c9a7d162d82043afbab8b95da03522003a3e8107

SHA256
a08a65d945a5c86081728a04e61bb1aef3d40f3706ca51985387b9928935d4f4

SHA512
630c39412ed1edc8df1bbad8a8b234f05a698a76bda71373b474ba1a0573cc3a110506095f0106e6165ea8166b9cb0f1c78d803a743b9619d360585451802fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoIo.exe

Filesize
710KB

MD5
bcc857fc7a63ac42694c791bb3da0cec

SHA1
851a0693a05acce182423b069f8008e761c8f745

SHA256
69d9906ccf5f1c86b27de3a72e0c456a243fd287a8a8e87eac2bc626a79860ca

SHA512
2eb589ab5b8a5ef4e7b574def39191b67ba9ae70e616133f397dec840acf621c7d81b1217f02da5dc13c74f837e6c6027f5bcf2876af31dd0a6776292a20143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_2d34622b6cb901exeexe_JC

Filesize
2KB

MD5
2658dcb8661069b542bb147dac157b5e

SHA1
b31e5765cc21c5de3fba92f8fc8a339e8871f57c

SHA256
3677bce3b21432028eca08c3c9aa30fd7d49f3f19aab81904153458b003683ab

SHA512
ae5c9ff03f3949faf8b774c04bd48f1bd15986b4fcfecdca63fdcbaf7c97e63cb6231619f4a8b11f685d975782d7eef714cf50e3018847249db23ce4158dc8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIAUsYQY.bat

Filesize
4B

MD5
5dff3385b46d244041d1a8719f3c8c8f

SHA1
9904ae4c65696be7b18057d15f79b7216db703d6

SHA256
baeccaf0004a352d45d1f8ef240fe46eec32a08ca885ed4c473d723e14ddcb07

SHA512
7980b409d76722cabb430642204c5b1f9b9f625bbc8136777074d20f401d885ff99b19a61f731933b13bc18ab07c92ed5fe41574348aebf55dfce41f16070040

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiwgcUQY.bat

Filesize
4B

MD5
85f1bede507211b876d0b11b7a6bfaa2

SHA1
ab6a71445e15d78457c3a5d9ab47be500fbee2bc

SHA256
b91f57c82c027efd6246276dffb64f6ee982256db8e98f4b78c924733fa80486

SHA512
4ca0ef5ecbf7111ba65f4da31629deb5da8f579436f844e143507a40f1bc352c77e6196ae718fc4187b19db6bbf2a8e7c3b117f6f236f6b1ebdc0dfe22e8aa3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NoMm.exe

Filesize
250KB

MD5
fa30c9f992b975fd0969831d98b6233d

SHA1
2a52bf297ec0d80a456c6efab5c96b43ad30fbed

SHA256
e578ce25dd99dfc1b249c6dc112de46454f0f22e6d5ee289d2dfe00f64db287f

SHA512
09a2bbabe44a9a18f312722683f49712dde1ba9f24c3af64f329fadce422d22540434ef58b527b81726e43edba139fe3ef7a33225ba01d36070cb119aeee84d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NoYe.exe

Filesize
230KB

MD5
8219f2817b4e68d9d77fb87910853fcc

SHA1
c198fea71e10841c420090d32837fcbb39aecf76

SHA256
d540033d7476a9a4b3179c60d127c32599b52b74ebb1398c7a9775b4370ecd7e

SHA512
78937bf68dcbf4bf0f7f74596bc65391840841aecd0b2503f9bceaa727788729d8884002a61d7499f9077312a28281d4eeb4184fbdc7b21cb49c2a49df3956b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQoo.exe

Filesize
1.2MB

MD5
b95b6f0398bdcb87786af54dd0af6578

SHA1
e98efdf20fd725959fc7272fce790eaa87db3d82

SHA256
aa3d5e224585a7d248da4b5b9bd892743b1b8e10a5b0c20a1df711a53ff675f6

SHA512
12e6bd3960c458e19cdf07bad9948897309142667630a1e3c1beb901e8c446b2f738fda51ddd9d11c03194518244d8c2d370d62e4ecf8ee077fe28d3048d394e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcMckAsI.bat

Filesize
4B

MD5
168d4f8795ea675ab67f3eb1dbd35147

SHA1
32b05b8d58575a4c0c9404aefae071cc1c9c7921

SHA256
45698f2317d35895c2ad30c951a5a096235ed3412c4503650d7a7c4dbd9c69f8

SHA512
1e915e82e1d9241d5922c31f6b5f9b0868931a1290e97ffedb4a623a564ff534ea7441775644ad98a860a63c64455a22628633efa3a0a07532bf7348d31a1b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgQG.exe

Filesize
240KB

MD5
1e45e5d82bbb3b2179ce35f20f819e95

SHA1
0894038645313b3e8ed45c14edea2aa7e1cb3269

SHA256
38de69cb7e5eb64147fbffd0ddc2ebfbe932875b8ff847a97c53172bd49e8742

SHA512
e1703b91d0690c287db7e7860e8909cc588aa35f4ba851a97d00b386023a31ef751406b6e0e464d0e5c769cd16c789f75b42b8a939c109d2783c0474df356bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OmgwwkIY.bat

Filesize
4B

MD5
a139d2b387a03359e8da7f94d4ef4456

SHA1
c6f03b3bdc8cc9c1710a864acff5c7d4d96a2b67

SHA256
7086a215cb97e53da8958a4f067b981e03faeaaf7dd11148512de3ce8c576e33

SHA512
c3ca3957d090ddb01898edd47a6a799fc898f3ff70dad8b29f2e3c942e1a9bc81bef49e5703ada57a6f9c60a404a3710de1b7aa9625e948ca85ff02ca458eefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsYEoYMY.bat

Filesize
4B

MD5
870a0731d0ddd8192d1160fc41c3e57b

SHA1
d0eaab3f17d137354a421b7e4e606324a3a0d2e5

SHA256
1866bec36f8f57ca80cbb2110ae01eaec4b6b72fc85139b7002ef0b42877ba23

SHA512
31befec2f9cd8521d73e93254131677ee68c7a0fe073215294c2c8e271332b9e679ca6e2fbdcadf0573224b690737fcf22a55eb7c2d3ca7f3301f761ad4f53a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsYUAIsQ.bat

Filesize
4B

MD5
b23198651b19ab64a12b0990ea0507f4

SHA1
8a9185739c48968d1a35b91a70ecca737cf4dde3

SHA256
fed98f82428882e66f372928c95e51b6356e4b46a1eb90f8846ffd22aa33e949

SHA512
8a0615a3667caea9a32155599c023113cba38fa98fd9bd833d8c1c035653532d121437b85805e08fa7b14c88bdf2f62eb938c2291083f022835aa9daf91e167f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OukwcAUw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMAQMgMo.bat

Filesize
4B

MD5
746c781b8acb7e3e2ba72ed2c55f1c10

SHA1
af63a7ba396a54928b6997195cc895a9406a5703

SHA256
a7644ca5708b2f59b2246e5223d27754d1220e4b671fab855ccb687245c1dc40

SHA512
9f84116eafa3d96401e9671e1021a1fb826bbc900c11eb76f7471ed893c697737deba82d6d67aca081fff50d21d070de759a1f512fb1af5823a04f6bde2bda41

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMEQgIUI.bat

Filesize
4B

MD5
8cd97fafeb8c0a39812380cc287c9696

SHA1
2081512a42053d4ecace160f3d86bd323566a248

SHA256
3161e3c8200bbd35b9ee61fa938f15bdd49e6ed18d64035d80ee0d5358790c96

SHA512
c687961e435394d31bde278b434d8b06e9632516468f0332983425da6451ed2d031d909073a08fac883fc97b9545b0db781c071ed25cd14a9441dc5090383858

Download Submit
C:\Users\Admin\AppData\Local\Temp\POskMEEU.bat

Filesize
4B

MD5
7198afcf7f05232f51bd044e4b32859f

SHA1
ca9c2c525e9fce0ffc3d22dba1b6356775f8c116

SHA256
6898b0182d316fd118d884631e49337497aeb411699ccceefb0b122bd19670a4

SHA512
56c03603045b621a56e6920517b30c3546bfdc6337c6ccd106bf0c10b4abbc6b7207938879b4ec373eb80e5edac9bbc2b41c05e705be760d792bbe5353ddff84

Download Submit
C:\Users\Admin\AppData\Local\Temp\PWUsQUMc.bat

Filesize
4B

MD5
0707406297a2f3a3af496569210203d9

SHA1
215273b0e3a3237e2b22810e70f3f68d0fc29f65

SHA256
be211410ef6f4acc8077d78e4b11efd70b8700db914c99f1f26e6b40dd323c6a

SHA512
d81b78feaa9b99a61491041fc750957f1842c6652c78bfbd7761b9a4104357ec1b2cd58b8939a183634d61d7da78d17a24fd989e76cff966f885037f58662ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYEi.exe

Filesize
251KB

MD5
d352ba69e84ff4fe60bfc562d62871db

SHA1
f063cd68bb3c073664993e31665a7c09ba1d917c

SHA256
7497e74c05be689ad7bfe835eafd7200688bb0f1405de81c09a05ad99afe1085

SHA512
59cb096bb3efeeee41003d724c8a9bbd843e4f57a61babab39ca15fdd195e67dd47113e0aa395c41ea8600540841ff096d090d532775474390f111c4be8c13b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkMI.exe

Filesize
244KB

MD5
4fbda289f86f525e8d930c7278f6e33e

SHA1
7e804762d9ddb5cc929a678233eb6f5601f160e2

SHA256
696a1461f56177d4e5e52b0ac2c035b0a9c06bf06f12683eff040fdf3edadd91

SHA512
56c30ff3a099c6674c105152cae4b192881bde498ee2cad6fcf719cf856914c5aa343a048c6c8e5780cd4bacd2dc4a10d9bf53659843cb41f1f12ffd69e91af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAwu.exe

Filesize
250KB

MD5
adc77694b625fc20d0c4a67d57795a7e

SHA1
991eaf426828cae73b5e81cb9f88faaaa919a063

SHA256
334b10f58314e9b1743c912fd40e0734c7e5b0541cb8ca548a88ed75eaef9bd8

SHA512
edc85638f813db20ea76703b54e17654ffc33518c8f2002f5620b1b7dc71c5d635eb429f7fb32c13cb85549b69611ff129b7c190d567692a96d64c85960e0736

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUME.exe

Filesize
1.0MB

MD5
2bfcec4d119bec75ecb684567685d1ff

SHA1
8df11cdca9e32a668956c7168810fe317f94a833

SHA256
4e192a45d022c4e20d663ec4200a7071c92922215478175c8ee71dc27f362cfe

SHA512
3c0bcf5cff3fee56dabb917d0a705eac7825f1740614a2bef6ac1df5f2a8ba26e0a020e6af1c7df6a4e6a72e28e1a4cd5f0016cc679d538073c16540e75aa656

Download Submit
C:\Users\Admin\AppData\Local\Temp\RWwwsUIY.bat

Filesize
4B

MD5
5b35b18e862c6dd803981bc3fa4d07de

SHA1
044981651e94b60df6e0ce4a96dd5113efa3f093

SHA256
0b0f5ea5d42c4643436fd8e351a688cf4467993e496699415d2a2339ba678b32

SHA512
294331d3f6a457387bfa4acb77f6e399302ebf9f7d0a7f3453d6d7ccc6005b579c5b8301457a8cea5a10042e7d159a931ec7864072ef057d6ee405819bc041e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaEUIIsA.bat

Filesize
4B

MD5
6603cbc986698130d5608f395b2188f3

SHA1
0fa1ba7ee36e85b60c98001d32cd7a5f89d9d081

SHA256
5a538d79d38992d28627954afea2478e93ab18ece4622d60290337dc740e0e1b

SHA512
5fa884bc4e37f9ff9a66cded82e86b9af9fe390df2a2ac4341569f7951578b1e177401b652d927c99da7bc2d238f58842589fe49f69e8b0442024b80059a83e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAoEggYo.bat

Filesize
4B

MD5
97be3dc74809c0449b88604090b74447

SHA1
f4794836a77bd50b7433f670749146d66c1d24b3

SHA256
77b62d288cb61c0f27f12ef7b3e28b17249b860c6a37f40f6225693df09af09c

SHA512
fce294ba86a73fdadfbe3ef70760bef48ae4530cabd58e7ca5969fb10b217fd4dc43d04463de31c0a991b53ce2aa5023a627cefdd0ca3cd2443dd20e7329da51

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGkgwAII.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIkEsYEc.bat

Filesize
4B

MD5
6782648dae5f5d65a858351d7c6508b1

SHA1
02c9e53ba9df712fb8991a1569bd243b29ce7f22

SHA256
9cb188bb1c37cc50d737a05090662da65176f9706d8a785914ba9316c98c0871

SHA512
d53fded54aa253d121613674e09ae2a1cbe1b19a7104e5ab6678db5600e360f146868bf6bc555851d5d8f3d1a88ad34f64496649ad97e4337b49ad9b4ab9538b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMgYgowc.bat

Filesize
4B

MD5
f429b9f8949b22afb305aea246771967

SHA1
f55b1e9ebca8d55570285b9c1040b9d09e139c36

SHA256
3ddac5a382eabbe9ff9f4827be6d19d5c6912ae14ed018a168f2ee5511b7482d

SHA512
fdae6ce864d3dee36a874d0e417c652395af434f1e312b3ff34c6db90cb4557660c8f04088caffeece475aa9eb0acd6cdaa89dc3d4b162e2d0aaf144ea9700a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQAUUEgE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQUgQcMU.bat

Filesize
4B

MD5
ba45d10b332d1f2b121cfee4d6143c84

SHA1
3ff5c8778f0abf733db6fd9b1cff83dc30708be2

SHA256
9bbd81dba76d29c7c35e40e7543261b57d39e96ee5924878f1746f8a1d981d65

SHA512
e10fc4e60fe49f8d7ad6dbbb301ffd11cefa03262bc170852d386841680b7ba3cbbae00a9363307c5b9503513a893bbd3afe72043fe6521eb9c9707151cfaed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQoy.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUYa.exe

Filesize
245KB

MD5
ca1bc577e8edfd9268a5f64a80d6d1c1

SHA1
178a2925400f107f9b499c2677b1031c68e4430c

SHA256
7a1130f3850a0a4f065d0232b5166ea94caaca9ba518a81fb6545c65e604a4de

SHA512
721602687a3794a46ee81f5438e0df15c91d82445109b57141064ef2cf79d745e2ad83132d4890fe422964a7fce699d9475769e3d33becbbf30650eb899c57e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TKUIosck.bat

Filesize
4B

MD5
79c45e0ad79ce79cf5df3fe40c22d2e9

SHA1
8e8cc8d46550cbe24aeb506f43b6180a585f9548

SHA256
aca8e0540e2ae250e4301fcf5d89997c6e40f1498f9938a776f669ffffc1521b

SHA512
fd4474bdd285548c2ab24561ec89045226f2f2cb3929a00b8b29382cbea6f36c9aa22161bef12508c7f44ff049379f7fea79c07cae399a9bf357737881b91adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOIccsYQ.bat

Filesize
4B

MD5
82237d25ced18bd295e9931a46015952

SHA1
10c4d89da19f0b91791b4460f731d2eeb0e4163d

SHA256
5cdfa243a3334428d2bb2f1cbc8174352b939beb8abccc9f3d2b7fc9ef0efc03

SHA512
3c23764540b1673c7a0b2f135f7aa2a5ea40f6c44312cec64ad678d27715255a93ce6d0fe5bbd9024686896825a6c5709ba3c447cb2db91f8b78879a9c605530

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcQC.exe

Filesize
234KB

MD5
2b763e18a72756c330eab20e3002e7a9

SHA1
8857b94d3db8e6c35ccfc168f16a83440ce3f220

SHA256
b54784adfeb14d17b961f21a1d7758c1cabdd950b794f57ce0f61a73ccbc5148

SHA512
9d578625e538940634983c41e8fabb82e5fe3e753790ba018510651f90e06a4dfa6fc400be2a60f2b18c7d18d2392b9e49a43f4ac57a47f3356db0406fc3e332

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeUIsEcA.bat

Filesize
4B

MD5
3481e00ce8582e35bb9810700bfdc76d

SHA1
06e623f26b89349873257e89c64a8492bf731feb

SHA256
b1d06595411e95520ca1146e581572594d2fcf8aba5a5bdaf6eb3d5350676c09

SHA512
7aa909511f08d4f39a519a2f05673e702b7ef3c9ba1ce4cd2b1fa63c09f07e50590eebf1654958933a58938eefe2283ce6e8b92b4e0ee28941b5faa16bdfb0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgAk.exe

Filesize
239KB

MD5
d6914873f2023e45a9ab649f6a9331d8

SHA1
05263e67155ad3e28311a000126fa6c91f92de72

SHA256
9f92710cb4df0afd21f257bdb647331fef7f95b6bd8c01c672be32f7e57dda7e

SHA512
decf67bac6213570dedf75d10194cdeff5d601e9ad99ffddbb4c7983362863c3724802f571db7eab9cae626fdcfd41103f15309caeae66b8d72e0cb00ded6453

Download Submit
C:\Users\Admin\AppData\Local\Temp\TuUMsEIs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwAY.exe

Filesize
249KB

MD5
c62e5a440166448f1713d2d6a3d5c4f6

SHA1
f167127680e533e0edb7684097b302e6047495d2

SHA256
faca2e3fa22888281af7176fc9482b89db4f6567ba3a4daec650cf07bcd63ed9

SHA512
00bdf48b0429d9a30e24d430368b4b845b94f7bcf52987ac3a6b2cf210e627d754f12cf568ac1f3a11842d16515e6be77b719f7b84505fccbb70eb7700194f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwwQ.exe

Filesize
239KB

MD5
e29e2b6d4544b123c3f15ebe1a9d5c48

SHA1
724c11b1bef7fce55a923508ec956920c9785c3f

SHA256
c127d01b0b0ad87e47bcf3fc1d1464daff36f6a8c201519d504ae9bd84ff772a

SHA512
949727dcf0fa1742f38d566167db2455ddac51d89ef69e5a93b0150333af4fa4e787fd0df410f7e516bee1cf57bc6915b3cb65362eea6377ccf3b44d10f66811

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAQk.exe

Filesize
243KB

MD5
7174ad4966ffee99e8706b224ff89ac0

SHA1
b1dd6b8c161ff18543794187d66bb0618e1ff543

SHA256
a54dd8588991d86121e119035f422f53fcdf60bf3c17f11cf228c603b2c2e1b4

SHA512
74d6ab990e5d34356bb11b96ec239d3063cebcb208774dbc9d1c6eec9ce5ce1aff9bded386957854e21bbed52bee1bb4e311ad2d6fb30657a0d4b4f511c6c5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAwc.exe

Filesize
307KB

MD5
cf6407107042be35756b082e93fa0633

SHA1
c438afa2dadc9a0a7c088488bc137e59dc9d3d85

SHA256
4d6114f8bfa1a988f223b8989f0825b8a7ae0e62c32af5e18aa197814b36d269

SHA512
1cf1736ae71f783955891e8c4228be8a6edc20d59ad4f1b35d1d521a56534f2465b121272c7351b5eb6c20f62a60690de33a7a90bfb3271a462caffd977c5704

Download Submit
C:\Users\Admin\AppData\Local\Temp\UCgEYIIA.bat

Filesize
4B

MD5
2af2a69b38c426fe023a56480480a38b

SHA1
24b924e40dc5e54fbc9c9eaef3b7d1ea71293d01

SHA256
1f3ac2ec245dde93fedb8be3c3d674f2ccd66397eb2f4ba6a21e75187cf02e24

SHA512
9d7831d92de381c0e2a03aa17dccade1450c504c53311e8db43a9a669aef87bf45cf5ec2edbeaa1c2b18213d0eb5583efd07dd9c0959cc87382c7e1ac024f1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEoM.exe

Filesize
961KB

MD5
54cfd53ec8ae619cefbcfb82e091726c

SHA1
304fe7deabc16ba010bb347b773c9be6fd8f06f2

SHA256
f6a3ace4cf393cf14908aa5fe8aaf35351ec20a518fd3826da38c2fb2a9f0bd9

SHA512
22b96f8496124591f63ee100690cfc210b20bb8c4a2e1587329e9208eaebdc07b08e11e9356ccdd9eb3ae49afc5bc620eec8f429769a7013eb8fcbbded2cb461

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIgK.exe

Filesize
1.3MB

MD5
dc047be38ad70b689c315e494f22476d

SHA1
6bb23189a45b68c8ee48eb31bf7bb44f3503df36

SHA256
35c5ca6730c25122c1cb3817dcaa48638a499ed1848eca2f9da6737a4659d78f

SHA512
e069b1bf83e49ca03c86796647f2ebb270267ca0b20e9ef5c7cf9da3a0fe71c3e3a24fe09b388b52f9fc81ad0da216755478b6364a1b0ccc5f0f700f14c5c1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQYE.exe

Filesize
236KB

MD5
0cce34e282365acb89ee97e413dff733

SHA1
2d5d0fd735ef006237b67c9c156dd968d77fb036

SHA256
995c8a1afcb7848a71b733dc0defb29aaf0701b6a30f9a76e16e16b5d128d4af

SHA512
dd482c697d4d21acba700b57a7a4cb3101e6dd5a010bc14332097582a976c6cef4382a790b9df5d04fb47c0c4d5d14a87a5b40c66e1af1aaeab4d0e5e6eae7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UqAMYcAQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCAcYwko.bat

Filesize
4B

MD5
5199b9d58f8d1889b8e7b47a67ad269e

SHA1
087a81fd155fb47634457ebbe9f209a4d4195138

SHA256
e086d1890da05a9220a33565a1cdd5832f3646defe5e12c9d791feda6c9bd58e

SHA512
a3c1ddd6d43804b52ef74492549b15e8b691cecb52efdaccace7bdfd877bef498330d5f1f72cc626f1eab514c0833f30d7983000e9d70ec76c1abe604a571747

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGwwIEYU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMQcgsIo.bat

Filesize
4B

MD5
5436229bb0c98bbdcf6b7d55061b3a3a

SHA1
8da5c50797b52b67247b8ff24bcd86771e4a5829

SHA256
9cb9b1013611023582eb9c5b8fcd88301247b0c2d4adc3cb13993ba1221130f6

SHA512
9905f88fd6ec7fcf1d1499c984059f31541c2ee258545306232e55927b6b7ab43431bce5dfa3a011bb60bef3600a4ffc9695db1372117e96e493bc9b6e7df399

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQoA.exe

Filesize
572KB

MD5
52f8754a0b98a9f4924e28a6d54dd4bd

SHA1
8f3d3f0e0e75336bcbf81615d6e84487f3437d35

SHA256
14354ffe395985cb2b909a490cd19e33ab4e5588bcaae84a3a87b34efc5e4a64

SHA512
9903945dd9e3023909a4c608091da0d9eb4e2e2344475eeb17dd9dd7d745ef60f16c1a1aa6d58c499624868e597863bfbda5736a128e530d3b818edc5095b1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUEG.exe

Filesize
837KB

MD5
846d90fa5b392ab274ba616296df8304

SHA1
45babb0ae7a52e51cc271d1e20cd938529909d7a

SHA256
14496c42f1fad0d5b7479052b371bb4964f25b893d715814bc8f2763e9c71c2f

SHA512
e868f3b3996befeaa5472cdc65edc1e60035f76ffcf7bd3d1a8c29db4fbeb2f610ce190e456e28576bb13daf32c9b20913ec5f1988367caa91a4162e68c9133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWUwAkMU.bat

Filesize
4B

MD5
7095d2d2631ab8844b740e96d29f5255

SHA1
aae1f4e86bd1a786cd617cecc580220ecf497439

SHA256
a1f6536a66b4bb32c8e317cf404d51009fa62ad12da978de5cefdf0e04b4818a

SHA512
6d98a54f4b28011e1174c98f77595740a793d258459d55686712fb5063f09f2efdf775c90eb36032679b7fa3e6673240ec9c3e8805c5243795a166edb85b0f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYQkwEAs.bat

Filesize
4B

MD5
c1e14ea3914259f8c0d5215accc629f6

SHA1
c83899b7768968a8754097f35516bce3f8071258

SHA256
6882a4ab594a6cf5e579fd1766ac104cb0e7406bc4daa98036513b873f823f82

SHA512
6e2065405979672165809a6e472d5e16088a21096497db6592506e50ac9d54237bea16371b919c065e95d5e37b845841eaa8550b1999dc9a41e67186ef69d478

Download Submit
C:\Users\Admin\AppData\Local\Temp\VcMW.exe

Filesize
214KB

MD5
5c14506135588fd1ecdd7cf39e0409f0

SHA1
b1d7c413cb89a987a0cff86a5e87c685cf77eddc

SHA256
49b801b6f75a56451171cce7b3e5442bb9ee2ff83d77f19d82e20c964efc8f31

SHA512
06393974a4622bd9737ec64d8907e182922d4aa77e0a4c70f4143a65f11f19640e2bd1768ac18b7df419aba6afeec20ac1faf8c999edaad8cde799a69f4f16e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\VcwI.exe

Filesize
1.0MB

MD5
f06a94d8512b27f270b81c60f9bd7c0e

SHA1
cbd69f3252b6cd9245eef9f2d3571716736a4f17

SHA256
b8999c3bc5d98534bf8ad582994566d83096efdaa33f376ec15e03141a978368

SHA512
d99725d7088a40fea5ba6d0c512c88cbaf370b034fc1e4f8d33a97a4fd6cfc3314e875d21a591931ddfa9527764e4e3642c54a9395fae51b1862351cb727cb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgoQwgEw.bat

Filesize
4B

MD5
8b256b24fd80c59b533e16913f91b099

SHA1
aeb786848565735e46b896b084361325d8130baf

SHA256
e4847242559ade48ab75fca1a214538b9f8c491012f7dacfbc1f9d9dbe7afca3

SHA512
11c702ce9d73cfb0cfd057cc1c19083489d8429d4e1dd5b1295a76319e605b1f5821aaff7bb34b47761e40578826de1c3258023682abde62b6ffc2bf9e8fd537

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEMcQAwA.bat

Filesize
4B

MD5
5e5fdd953eb112d5313c6fd8cf62df98

SHA1
fe30391962c4ad05a7b54e1ff51356375b94cd2d

SHA256
752a4da2f7f0d41f2c47e633fc4ccadecb0c68778796c567a187fc860365458c

SHA512
cf19a78e8f245e0eb8d977e9f0bc71aa24e950af2897eaf9007ef2825b3763ba7e8795d3c738afc85a5456c5d7fc8bc3d9c621a120bafec11e9af1e402463c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYcE.exe

Filesize
234KB

MD5
55d1baf562fd66b4e88917ebe84887dc

SHA1
ef32d84e92f5fb8b342857b1f523b18066efeb95

SHA256
23ee0544ab2fe1d7c848c330387465e0bbe2a80706070eb9b86ca245dc007449

SHA512
7e46145836999e887bc015abbd129682461e54d166466da443f9fe9d02c8a2d37cba89e65acb743f3f335406f790af1704412e0953c434af3e2e192ef1656d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaYcYkUo.bat

Filesize
4B

MD5
31fa91672fe4f2bbebbdfd0f283c8940

SHA1
3fc177c58464a526ecc875fdca65db4ef3efafb0

SHA256
1bd252a481e1f540e02179fe95a4e59ce207c6ab2a4e8e41edf46ba1dfcd7ec8

SHA512
33f5593ef7cc8702586e1e38d246cd9f77f659b47ed4de22d014a542cfdfc8e5d0785052ec647975aea5832c4a1cfdfedaa051ca01c3989b49d4234c24c5bf89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wkca.exe

Filesize
922KB

MD5
3cfef99bf896c5fb25e7af9ae6e67a2d

SHA1
f310b06370396cb27cd47853bb328366dc1eecca

SHA256
6ef99795c5be7e88d1c77c26cac9933892810965a008e6d1f3feba54fb3df678

SHA512
2e09d089c49299423eb1fd8d0859bf6f73bdc178b61a97fabfe02a87dc5946553ee894d0b173636aa97ac1d77a74248f9fb46a783f61d043c7d07feee350c56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsoI.exe

Filesize
508KB

MD5
b282852006e33dfa6d645ad702505240

SHA1
0ec76724bca7a29f1263133a46509683a95ecdee

SHA256
5c7a102d57785677e8f9931eabd91d2d5d0fccf8c919a6f9d4dcd922b86b894f

SHA512
254f13d84cee51513030c2c3e7c8abfa29888a27c32a6748f2c0dca306ea6953639705bdd614d0c65e5b9904fd6ca52cb8784002a8c71cc5688fadca36e92f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUIs.exe

Filesize
251KB

MD5
b0232a1e193285aba713592470d7c84d

SHA1
732b027258ee4d50ef81ce36cb31ad37d7675526

SHA256
902bf80626d476d9d00d6ddb9b4aa02c411e9771824f52d5888751d342dc4d36

SHA512
73641db51bc281532327f6e58d3b480bb0e1c547e581dfc82d0aa4afaa2c0b62539a72b56b9d12eb610b6d6ca5a3510c1e3bfcff0fa0780e538fff2eb193c607

Download Submit
C:\Users\Admin\AppData\Local\Temp\XswS.exe

Filesize
227KB

MD5
f03363a9a66540419aec6883f8495995

SHA1
b7f39026ab225791c9a4f9b04646d0e508b40192

SHA256
f2a00e0db1d0f90ab1d7ab17f8aab6aa5612e9c8ba113bdf89ca5863b5d46a07

SHA512
b3cf2dfa4fecd2c1fef779dfacad728bc6df73e937c3fdf40a4defd09fbaf08817ae6972bec9def481ff850298a9ffb1687cc8564e0cd3f39015ea7fee75dac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoEMUksA.bat

Filesize
4B

MD5
c9974ef7d476cde17e3fe1648064af5d

SHA1
4dfe24923eaee30fa5936747207017005ffef1f5

SHA256
06528dd5c7d39b722c936ac1589d39ce25547d8342de6f4e4cdece9fd342c7c6

SHA512
61b8d5fbb95aee132e5e84ef5677482ce2e3496989982966a3c70a595a30c56da931e0acce06b9b29ea1d973ece9677b0b19f6c0a44a7d7329b8254e7f314a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsQooIUY.bat

Filesize
4B

MD5
570d0bc2499aa0793360617cab2744b6

SHA1
cfd485f7819f548c4fb4d6df30cd653f163f18a6

SHA256
51dfe76f39eb4744725aa90123fb9f72ae2e50dab415a4e53e02b7e24fd0d6d6

SHA512
69df3f18e71fc3cf3c4a694d1f9d930500315a4f886c74a14a6cb86953b834b9be39812ce3029f6e464e74426d08deebf0f491a716e0b5ffd0e74aee7e2aa2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUYM.exe

Filesize
654KB

MD5
2608cfb91708ac67da23656fcaeac9c5

SHA1
43a3a5e8175f5fd6186e7899f972825591a43696

SHA256
ba5a4f847cdab1eb54fbe3d282ba09b63724c4aadd4cdc180e34ec55c8dae083

SHA512
657c3fb5a48da911f28139c1dd8c64fa3110463426b99c0073bea22e6d437a1ff8ca6a06df2a143cd6d15ac7c42e0ae4baed74762da92af70f7bc5fd8cd900fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkUoAYsg.bat

Filesize
4B

MD5
09d8003dafc012764f2192128e2d54cf

SHA1
5390bcfccdfcd295ef2518e2e23ff6a8ff36ecd7

SHA256
853f681b12ca313e48b4356febc871fa5f81db503d0ec2c5612fc1a419266d2e

SHA512
c9a6c4a3688410e270fc382256cdb55b92aa4c2a1432e2999e249551328a0959f17c5738f7a2f507c757b91618735fd25d6f6f7c876416a0288da5e4cac2cff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZscMEIIU.bat

Filesize
4B

MD5
943627525a7373b69138447a94b8684d

SHA1
0f2bd96bd9cbf8e1125f15c123f6771fb04c25f3

SHA256
4d6e12e2e531b388bdf10259a84b617160edd0558c63cd8dde33383720b6a106

SHA512
8057a85ac582ec15f4ae6c29f86d9f950177c50fd497c2a1db4e1816bc329b17954861a7018db52297444758421e47e0c42035b8c1fa5e06db2a35cd6a43e3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEgs.exe

Filesize
251KB

MD5
6b6fd06d9c9336af374bdcde9c320174

SHA1
4391bbcaa51f2b96985ff36ae7233e4bd8a270bf

SHA256
043b2eeaf82e4b811a3c98ebcd36a240bccd4c8bb5cc459a9924234d1f00b6df

SHA512
704fbf3e2ba68702de65ff15ce41a67f8fb8335cd4985ef3aaf467e20a9615c784d2862c67b8975108828de00d182fee949a56acc703e66f4331ff344613e940

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUQo.exe

Filesize
238KB

MD5
657948e971f5f42afbed9ca036ae8556

SHA1
04245b3b7cd0e703f12c8bf34e18e8fe555ca4ff

SHA256
8e51255178381822a5d38073bcb67b60301305252c9ec5279a7fe753b5dc9d94

SHA512
76f6c34fa17e50b0896857021ceaac1bec9221ab111ef6d57f8ae7cc2ba0b7d68a9df98a89291729ba916d1b49bd873e3c453a8e4ecefe62fa1ae7c224525acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoIW.exe

Filesize
236KB

MD5
454aaf0f3c5a8b35f15faa442207da6f

SHA1
8b105148d4ab5d485d30ca4b81080db929281343

SHA256
bbabb9317fb7728a3ff2018d34d16c4b173317de92b852b81ef6654e9f4f5f2c

SHA512
bd6d4a7225ae2434b6bb5edcd91472d2fde44f3d13a91672e41916d87e4a4e0a89786ab03e1156d9e9bff9c4e0155edf5cbcfff137f29396c0f95e6d48aeeb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEIe.exe

Filesize
582KB

MD5
b47b3ea1d90e2f169759da04eee639ee

SHA1
7728f7ffb267d448a9a94f4ec22b6bdc4ffe981f

SHA256
4215406a79de954dd4331db6b11d49e5aef72fe3e8cbefcbad65838906b17580

SHA512
4a66ee98abcd81a95b0f5a7da4bef79be6f6d147d0883813fb6ae763f219b4c3e387db0cb9a6e55a59c857e919bf6c8aa4725319ddd3559cb251f95177d1c971

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEcW.exe

Filesize
250KB

MD5
3859aa3c8fdfc8b10c0c3145fd988105

SHA1
88e46aa1d3d9743f9a59ba0066174939428ec21c

SHA256
17ec92db51e70246ec5b7f1383ef79024165ea4ff2503538a2bb6f4da3c5439f

SHA512
c0863f3c778aa6278b0dfacc848085ac826413d88b981f5efa1b94120bc518d12c60e48809edea4c1ef2b7499917d68bacc6d44f449f7481eb608af8455b6ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEowEMkE.bat

Filesize
4B

MD5
fab673480d06deeca106e1f3eea135ab

SHA1
bc7487ad43bb29a62a1fa043de51b4d1664ddc87

SHA256
40d4e892a66d69d0515a455cab71d8e6e2a6b288a4d57dfd374cbdd3dd24f7ff

SHA512
c7e695e9d9465d60a61ad19ebd22d93053ce7b6d402f14aa1e6d5901b33cd60c1917a4b8f874d276de36a71aa49afc1a4cc7adabb00fe7362e14c5782b29758c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkQsockI.bat

Filesize
4B

MD5
e6296ba60c4a0117c0ee3a2652748186

SHA1
0e52b6b3c661813eee5458590aa99dcff1e8a3a0

SHA256
12d963ba4aca0d51469823d79fcc14522cc03ad616a0c8783e106e021b214362

SHA512
229050e6665e6175fb3aab5526595c43dc5b87abdae7d1fe34fb2dacfc8738be534077c323c81b4ec57d4050fd6c18b38bf53adca9b343fedd03bf66465702c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsga.exe

Filesize
245KB

MD5
28330a789c55800677770f55c46d4b56

SHA1
efa9e716756ec6034fdee2578b696ab93f2b4360

SHA256
cacb8689d9c0de7a5cd8f370e389e346f59f802cc2466b273ecedf5da94145f3

SHA512
c39d846ee39ba011a872236e22f0cb53a92fb1fe8adb532ea33d424e123f10460c5c4ebbc9fcc9d01332cded1a646e1b8d130d0a67690171c0e45f089bb3c135

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwAm.exe

Filesize
235KB

MD5
c0a442a1c3033284f6cd7071eb856d03

SHA1
806ef2e2f45666d9b94dbf229196de497ecf82a0

SHA256
cbf46fbd7ab58dd6fc3c09d3d3ce82814957c666e9a37356295b3b787372d097

SHA512
1bea8d51110219fd007dc81175f42e2f301f7dc283ea2cc93f7f7ead9cd76fd3c3894ab1d9f3832992084983259804c17133274e053da66a9caa21bd3dacd08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cCEcQQAE.bat

Filesize
4B

MD5
233148758666ff5577390261d771b6e6

SHA1
0bb1327174d3ade5c9688c189d5faf0ba0b722f1

SHA256
25a4a08cd864753b49a415e23dc38e85917f260655c9acad108bc1d8a87addc5

SHA512
06947c2ddbc682c70fcb09dd19f32b08de6674bfdb0d60e2623b15936c33f65e32b84d4ce84b65bfa5b842aa1f66deab8e7869938df1ccca952c29e4bdee05cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEwEAssU.bat

Filesize
4B

MD5
8ddecae0cfaa223619ce50edc1d4b79b

SHA1
7602d1822b4357396b7bf66d26573dca7dfbe3b7

SHA256
13fa4319a8253cef9783f2434c4496b417686ca17c18965318c6b271a8347606

SHA512
99091aa8b0c740b34678cae84a2a77d59fe328ab315cba5ba67b6d1e7300ca77a3fd6132f14f4ff92a0ae16dcb6299b5ad174fbe7c6a963874ca0a197fc9e129

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYgU.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYkswUAI.bat

Filesize
4B

MD5
c27671ff670eff8c14f7de20676905d8

SHA1
5b272002bac5ad0e618000f4bca691b362722cb7

SHA256
fadd27ac0c2450420fb0a373bc55294a89d32f24ae9d48ef7d628b57bbaab706

SHA512
6f9693795cced98b099263c6485dff4e21d6ab0f6707fd6e6bfa9f7b40d45f4d59c38c8ad0d5b22e819f4ed8f5bc7c27dfcf376dfd5333f4998b48a19d8451bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEQEUIwg.bat

Filesize
4B

MD5
f24fdf3bf8814f7c1f686c9c4d7c6138

SHA1
a3da6811884c550d587221d6a4ef192dd7a2aeeb

SHA256
40c07fcee86392b0371945e39e764f0c74a1cf30d33f3412aac298c9d62c75cb

SHA512
6fcc22773ff04f2a5c1d15d06726581844ddca0de185a9510e93082528340f8285a678841eeea3add21f88dc94525aed7bdca0556ff261ead6ff51c6550e8e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEsU.exe

Filesize
229KB

MD5
f2e9f01ff9f1d56de161975d73cfa0bd

SHA1
a55f5c26b5caa0b9df0aaa24c7301af67224760f

SHA256
c19d1890e36e2992da341fb04fd8cc48a6381f0a4187fb9ebe2a0d8b094f3984

SHA512
f531fab07beed8401e592f9a2fec7a7650bfe6afc67770266b4baf3da1d5ba95fcefb02fa73ecbc080c6895475d7ce351cd379c5718c52cb997308692d2e470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQMw.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaYMcIUY.bat

Filesize
4B

MD5
61b48fc0c02345a124ea4b34113e7ac9

SHA1
4addc8759c2f3ca09fc28aeabc1c2f4100feb043

SHA256
601b385eec03de421d3087fe9c521d0830763f8b86b48ed9da9bb345217317d2

SHA512
6eb1b904664e8e818b4271aea5676b39f46790055c616760184338fb0b5c69a30fa99f96f41e57172022e590e314e476bb99c34329e5263fa77936b01204560c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eiQcUoMk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoYsQIoA.bat

Filesize
4B

MD5
6af09e9f48890f660484c41dedb38f5e

SHA1
bf50b5380fca235deb044aed2c27e478f098c410

SHA256
0b750676cb668c1c3c5e09e6c5e726aa876212eb50d09be91ddb2bbda2e89019

SHA512
0be7cabf8ca7279ab106dca5078bf58b4cbfac9f4a5df3986ff558527bfb61e99a682f6f694b611de16df8e8c199c15856181fe7465bb3ee355f3c3519c83dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoswYsoE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAMw.exe

Filesize
238KB

MD5
065a4ecdfb845312293f95b11caf93b1

SHA1
1f3d4d61ca05a31814f41319250da932884598b1

SHA256
98d2b044b3a39c3116ddada935e75a241053e33c8d4ddc507088677813f16050

SHA512
176218205008e6b928d6c9b24fad93460ecc1b3a4a856586a6d5b984907edbcae5f1b3f837a230c37dccb97c0785d68f0758ff86ae41e486151f3fcbd34cfb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMoq.exe

Filesize
991KB

MD5
861f97bac92fa6e8666cdb93a757e86b

SHA1
54a83310a24a4d0e02a9ecb25235f17a2a4233a3

SHA256
b1037a4774e3a73172cf1d81622f63bf2809eb2695ddfd7a5119a594c5953bd0

SHA512
d060bbd3047681cbdb23b4eda1476b361c3b6dfe64ae0f422100daaa240fda39d1e30cfbc4471f72d8ec90fca995dd26947a6035b92e75f6aa46cafa1b1f0d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMwK.exe

Filesize
252KB

MD5
a5b9d6966f1351a51ab570cf2afba006

SHA1
f168452511323d1a10b46e6e74918f48f94eac96

SHA256
6fe39b48f750645e86d6a66b3fb33bd30f476388486521fd4dbec2a89b016812

SHA512
4ba2bbf0bd825c2985243b87bf575d96272c454ab679283a0e235a24fc43ad971f586a975615fc96641601f4a4f143764e72ae6d3a8c9d562949f4b1e80e9336

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqIIkIEY.bat

Filesize
4B

MD5
1cd963a2c8eb2d35f906281f4a7eda9b

SHA1
bc64d9107d8a847f2b7cc7c1868330b76aeb4285

SHA256
0b0cea365934cffbbb309ad529983094b1994d02119081183b69923515cc77ee

SHA512
4242df50ec49e6cd2e53bddcd542e9c3a8cfa6be39d1a3ba949247b3bf8307384a67f3db81e2f44ec58172d5b31ec8d04ab1ee96b80477d41fb78006435fac1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsEogcoA.bat

Filesize
4B

MD5
1fd631e22eed60218864c2b2bd7393de

SHA1
7265257b56c9b0c4c7c78a3f504d91bcf0501239

SHA256
0de0309fb049c5fa70f0a1fd1a30ae16f4dbe400defe12af6d3cdd7936ffd6fe

SHA512
0f727199eb54cf6350f6b193fa34a927f8a177562c6286976db4d82a382559a3a5e397a63c6133383846735766dd208a9effb218d128347dd3104f1e26ad4638

Download Submit
C:\Users\Admin\AppData\Local\Temp\fscYogsY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fscYogsY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\gWYMUAYA.bat

Filesize
4B

MD5
782661059521682f8d235faf944d4f29

SHA1
aba9e33636744401455852995a56d8d979c9b1cf

SHA256
c2d36d1d782237b15c35507011419d8585d6346e1b6944ce1a657d24eedab781

SHA512
81fa20e1e57f52bb9dee052acbfacdedab733dc68cd9bd0d4fa7eff825a9b243d270017176795d1e6d8976b929f1ff9520279698bfe05992b8729e59cc204da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqIAMYUM.bat

Filesize
4B

MD5
8e7240e1b743c1142b2c96c3eaf9e73f

SHA1
79fa2bb983f7544b0e2745fe1b6e93c03ec80df7

SHA256
864aca106d478182fd2b956325132467449ac87919278afaa99ce3e161ddd6be

SHA512
b12e228ef68c9724eac17bdd22e339b722eecee7308bb1ad78ef8aa91df1b9b92227b24986f1d23468499a6c27481ea86990175c3f0148904b30fb104b98c391

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwUi.exe

Filesize
240KB

MD5
086c9c18098cadc78b59a494add07503

SHA1
0d44cc8b6d11e35148ef5ea4df5c61ce0744fd2d

SHA256
2c8439701d70183023fd164b2b1e86c046e5c037d8312f03e2a226b6cea03971

SHA512
8a948f7c773513293a7f4373d153731ede145c244e4b5e08ab2c5ab176d26d0035c250ef85977daba3b339a1e2e25dc8cee5cbdb39c8be4b37d44855ec6e294c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAEk.exe

Filesize
959KB

MD5
9514b3261f4c9eba543a3ef171490308

SHA1
f8a3847dfcef3433556055afe667e3f66490597b

SHA256
532191819d9c69b083c28e70d207e8f33ddba07da192a09f6582840eb8f7ddf5

SHA512
7069516636d826cabb7c7217393d4776826f019bc0d5b27b316be47ca25c505c2dc22968678e37a8156283d40d13417b83fb7030e9372abed762836519ad3da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEsM.exe

Filesize
227KB

MD5
17bf8ee36a6671a0071a674eaecf6276

SHA1
fce3d6a2482d62c54664e2deaa63eab6dc40f3fe

SHA256
58198467cf99bf9ff184c5eb8fafc695acc43993d9cb8a2ad592f23b15840acc

SHA512
97cd7613e56a7db6472c7089e2ad53360c1ece608f87bf61ed259ded96024b5727c267ce0a4a940b4c0f30958a01530e37b85c812e19ec3a81152fb08204b50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIQgIQMU.bat

Filesize
4B

MD5
b3faaa76a10cdfe540127b8fc3dd8f9d

SHA1
cc5e7ea1aba01b498df11c958e3145cb19bf21a7

SHA256
a36deb64dcc0d12d3d9afb6e37d0d6490d46ff9caffad3051f7c2bb30cd3880c

SHA512
d99ed213e4dba51643af7b42d4805194573a0197b5182359b99cf43478e423370f2123a799de4a5e69c461f972d1f0dbb8b27507b6bf16080c27e665620c1e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUYYMIQM.bat

Filesize
4B

MD5
04b36aa1a9acae1ced086fe0b93bbc6a

SHA1
89f66d7e1ededb19103152b8aef4de9fb20d626e

SHA256
dd26265b8128f7d2dd25f6f2e6e2059b0a6977b3eebb5fc808c285f481639cc0

SHA512
127b84ee9eb69e5d82ea9e774e7f913dad30a12c3f589fb86755b8c375e0fac03a3e4385d2727280e878be7d0cdee8cd05f3bd7283c286c1d233d8796b01e410

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAgM.exe

Filesize
246KB

MD5
7962c507f52a341d389005a3a369c623

SHA1
2ed5cce5aada047b5adeea3b1ed8c082c9e7052b

SHA256
d133ea10d7420c65a1af870233a6d20203aead9e9b88c1859916e7845db11532

SHA512
f8968daafca7d2679f8ce58ba0bb2982be6f4b050b476d4083c7a396ae133057648958f59bd32aa399134b091d58c87df794382f99217f31401db1de7a0e3156

Download Submit
C:\Users\Admin\AppData\Local\Temp\iKokwgMo.bat

Filesize
4B

MD5
e79a37cdfce55ec43018790a7b55d5db

SHA1
8d25392018963ba898455277984c2eeaaeef96df

SHA256
44c61748cb37aa091880633eea50451cf2065f61e7b590cab4b557a397421509

SHA512
fbea21ed58b9d80bd894fdca46496ecec998dcf7b2abc702e3e113a4eb5f149c73fe2cacd749523c1abb0ec60a0650df27a4ddb632221517246f0f963f40c0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOEQcwwY.bat

Filesize
4B

MD5
a06a352f2332ba1cebbc93332a59b75f

SHA1
1a3d176fd73a15d3127221aca0c47eff3c2b1734

SHA256
c59fcf0b51b225743b552d04cbf56d1f0a8b21174631ed5f4358e142e00efe65

SHA512
a3c1e1a248315bd539bc3c6e843583ce7ceea390dadc46c3608882a078af6003dfb3d3c84eaeba7511fddac0d85a94d81ab993cde888f22a5fe685a62d94662c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYogwMwk.bat

Filesize
4B

MD5
cc51a6e630a53cc78de364444300caa2

SHA1
a688be1e81fabe261208ffa67c93846d04d49bcf

SHA256
a37995f5da9c72510fbc355da1497a72ce35d090b55d63097e5e5b432d795a62

SHA512
33cc7b7b035050c1d9ccf01676dcdf49d9e9a3e74926870bdff6ee70ae2a49eef5b8b6c400594f64169134944300283bd465fbff892cfad20cc19fb44e187f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieYYcAYo.bat

Filesize
4B

MD5
5583083fc2e02af421766785f5af035a

SHA1
2fbaee0a39ef549cde83175b1f88b2cde513197f

SHA256
bafd877fa9d269e38c579ee9193b4d11ecbb4045b85510d8722e2f16ca137ae6

SHA512
7846e6bace0c125784e873f409d26e3d9f9fa10856e5e41b23e969bca1c362a277c7fc51d99bfe99629b35c75bf281299fe6422014442473ea6cb370d6c37e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\isAS.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\isEC.exe

Filesize
244KB

MD5
2e52858e10ebba9b38846e2350df2a86

SHA1
429936fc5b737eb2d65c48ef2a45a60083218b08

SHA256
ba3e2d10fbdf97f4ecbd45eae2721ffa63c3567e43a7f7d6ce394ba596130f45

SHA512
72d29529166b9fc878c107b5add0ccbd24ac873a73fe2962154607c7194c86749778fc50906a5ce3a6d49d0e814ed77db7d9ff7568be48b92c4d6de791c1ebea

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMMs.exe

Filesize
964KB

MD5
c2417916ad866b215453e592c82c9f8b

SHA1
3469b2f16012ff03d05b373d172e397b07b3bd13

SHA256
da615d57472a8d3acf6616eb2254fdebc4dc76f6663ff3a2ed935be583695953

SHA512
3e55920d918ac5690a6f408e7682adcc6c1eef3bc7ad4a697aeb02b012b141605a1dec9b374e476405e7924e369d6b1280ca827576b207769a150e6527fc6190

Download Submit
C:\Users\Admin\AppData\Local\Temp\jSEQwIIY.bat

Filesize
4B

MD5
66f1bd4ed521bc3b9b03daf02132b72a

SHA1
79e0e2a305459e34bdbaa4c64449b14811717451

SHA256
5dbe21938f4b3e15b6f5764eede05951471b36f535ef5abfbfa5fcaf731262b4

SHA512
d531cc7d100302d1bcf2934ca88ce3e288972e53cf2a9051236ba2186c05e556f5e49a800d108045872efbfb88a97040d5e780a4011425bb6c0350a4440b2db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYEg.exe

Filesize
236KB

MD5
cf93a16307d11018054b2a6adbb0d2d4

SHA1
8889f3485cf652eefcc3f855541869cc703c1cb6

SHA256
1a79bff8103b43eab192db3505fb4f98b12652bc861cd71597de200f49feb100

SHA512
470744bbaadae2bdd24927220f30b603a402be561023a3c3cbad8099c5db888b2da6b28172b39a95e81883bae21552d063be5536eeab6dfd9ef9a8f70ea62622

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMgw.exe

Filesize
243KB

MD5
476b7975619aea147ef55ed95691741e

SHA1
575a9e0ad77cce1afd94588dd16ce237a4e2b62a

SHA256
846b48e37c84f17e379ffdc1a3f35a18ac99885699ebd0316da5de516645373e

SHA512
8f30b2ef0df2e9aa859bc449ff5f7000411017d5c9ad51987af0b73ab1564d907c785dff19280f82277b1e6d4855553c6dc4c71ecfc86139396493b2f04d1fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMso.exe

Filesize
248KB

MD5
68066fc8d3cc4f5848d18cd310b524ad

SHA1
f76d7ea399f3f1fadd220f77bb4b8338d0d4a992

SHA256
72b70e09b74c4891ff5e40658465418b9477a73f524deffc0dd8c962910f2243

SHA512
130da382cbcb4ac06479bb7042c866d8aff8e0b71452bbd23661e854c9ae458a121ee4cad6bf094a8fb9646e7a3615793094bb6404c719e4bee49126704b67bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAYssYso.bat

Filesize
4B

MD5
53e62334fe35500712ef0ccbc87cdca6

SHA1
d7170aabf8267cec363f1abff4a0f2f65e6a5ed2

SHA256
23b1f3641ae872f0a54f1b72a2e62311071482e536cb5d350da7319c2b53befe

SHA512
31fa7c90a90dbbe68409a3a6633ff8876c016243e43203a603fcf0159e45b422162f5a6cdb55374fc398659ba72abba84bc91d3b751ac5979c8e3d06c6ae6063

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQEwEQoA.bat

Filesize
4B

MD5
ab5fa1bc7c65b62c3fbd26cc19079bc7

SHA1
b86dab2023952eb7f8aa85e1669723847ef1644b

SHA256
c60e708c5493d30c9211e7db700c3c52a30f0e6a2fe646556c472987fa044023

SHA512
a2998b682e5fd9af812f254e733c779b44c200ad093ac7d21ee26e047cad3a7e9ea1a4420f4f2a66aa7668a5737eb660cafde845931df5c3b807569b6f4d606c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUcU.exe

Filesize
236KB

MD5
5d0cdfa4fa3719172630e98e9fa6b083

SHA1
da1cd746ced94cb17b7e0e03dcd5ae4a01cda6aa

SHA256
1d39b0fd1f8d8904dfe8e2de348dce71fc09fc41380daa768a3cb9fb7a9dc0a7

SHA512
c3b9e0ad1860bf2fe8e7aaf8a99a046bef67e3047f0eacc29cec2cded0daccbb28d1102c48153335bc7bbb41b5c5a878c14b9343e009f9dfcdf3135757d4879d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcYQ.exe

Filesize
835KB

MD5
2bdc583469468bbb34cbf70926b8e27a

SHA1
a4f85a7f2501dd0580a01bb656bceb16f85a8d3e

SHA256
275b1718139342e5f37f3c022a0a12a2a16a79410f57f413e41e7ecf9c17d981

SHA512
c217580fcdd69680ed7a7b25d80ba2b0b2ff853c6c4ffd4fd8586875c8cc62a23bf5413f4c950da3570c124791eff98f62681d2615a809aa511837a03e1e55df

Download Submit
C:\Users\Admin\AppData\Local\Temp\lycYYQoc.bat

Filesize
4B

MD5
a4d808f54e7b8626968b4bf7f14a3d17

SHA1
bebb3a2188a737fc92c0b0a34d54880db0a2db1c

SHA256
704a713a2707dce549cd2a87c97ed758ea7777c788052f81cfbb9a4ca4f19334

SHA512
d0a831550f2ab67a24c184157cb2ccfa96ad865238b3582dc11b6f426cd01d4db539d5aed10bc72ae5097b9600d12cd412ec1098121f41790711317f1b70f679

Download Submit
C:\Users\Admin\AppData\Local\Temp\mGAwYcUM.bat

Filesize
4B

MD5
cfdd84b98890d234b00f7184a344a1c4

SHA1
8d666d16a80234b08c2678c25de0a4d78f5390a3

SHA256
81997521d542d547874c17ccefb69035a3fabdfd0ab5af334d67bb329e16ab8f

SHA512
3c0240360204209bc60737933861a9d6977140aa8f8004657a46c149d86f4ca28512f48b18f9d2f587b42186b5ab2e8e562cea788aa6a5cc4051b8ee9ec5ca77

Download Submit
C:\Users\Admin\AppData\Local\Temp\mGoAsscw.bat

Filesize
4B

MD5
06b49ed5ec25ba72c276b545cf31c44b

SHA1
3bed709b243f806144291c5f9c47905d1c2eebfe

SHA256
24c50e23ff66e652bec4c956d02245b46566c032eeb01fbf61a40e419f402a92

SHA512
193c78a955f98258264f45d3c3b7f2922341c76d2d70fe369ca11a6daa80429b1c17f61dfbd819c2d10dc2b330aa263d044820cbca9e4cc45557fb84dc43838f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMMUskgs.bat

Filesize
4B

MD5
6cc2fbb41cea4189f10a909506431ae8

SHA1
66a83da82f586bccd3a0f9766d38246990273f87

SHA256
f02c025cdfe02805d07678363924106db9148e49fc4b6b93f1b1b559eee980cd

SHA512
087ee3d06728ca5a66877664ddfebffaf8d3d7debbaffaf7d0fe71504b5fe2bac39facb1b37f10d4c1ded33714932251c3bed54edebf1653707c99fe6bcf4500

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgYi.exe

Filesize
251KB

MD5
6d0798ab82bc744e54c6546438904808

SHA1
329ec2acbe504c3fab040d8cc3ebaeabad4f16bb

SHA256
45ddb18e5ebf5a263a105f1cb7722e96a56bfbf5aecaff273bee25bcd27564c1

SHA512
78e3cfdbf4ae6fff8ed3837f401ed55d5d3080d3651b3da37ab4b817f2af91ee39af018dcdab49d9e3ebd7a2c4b259282a4bcc2aac90fff1e202a3cf2264343b

Download Submit
C:\Users\Admin\AppData\Local\Temp\moIo.exe

Filesize
244KB

MD5
bdc10f0f0b4a16210cbf204fd377ff76

SHA1
304e9eaa0804b32af817c665b4db657a445b82fb

SHA256
debaf9516e959a215b52ee15232f65e59562a104c3e312aeee079b3771a51ca6

SHA512
a2a6c1530e08102570104a62d086e4b73a5c69f0009c2dc86038f2e28e56667be3e44a96e7418be3c93958cfc277dc7cdc01e3d447e5d50f522a92cdbc9c0cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwAm.exe

Filesize
231KB

MD5
7929e6617405ea80ae35ca6c9f2579ef

SHA1
1a806d41857828f101dab48a9b60b0be41d0a2bf

SHA256
f9c037421cfc1762b2b8e3200f0b98a2f6a1d72d700a295045ef7451c08b6ecb

SHA512
191a8d0be28c9c5ece1f1305f02682be64680b51f0374b58cd9a6ea7baa693aaeaacba0f365819ade91bdda0eeb12239ed7661b00ee9e93b6c8563822b3ec288

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIsS.exe

Filesize
251KB

MD5
756f99ea3c707e81568e18aae278b0a1

SHA1
9557c4f15ac578524059ad4b10e8d9b4033112e5

SHA256
c553eded9d6160857b962f51750554518fc7b7baea8290cd41473984202e77f3

SHA512
5c0de3eacb4196f0b7003ceb4a0f323d1e076565f23a1e0f244d60c9618955e152c041178beeda0bcc438bf4496270fd5afab308139c52572efc0460e3082e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMkA.exe

Filesize
8.2MB

MD5
f675506b12b5ffa7cd8a5d73c127b26f

SHA1
ea0a71555e0d1b36675ab918ab93977894385813

SHA256
a45a1c7dfbc84da9faebbc9130848cc8b19079f33410cd0e0f3ee83f488d9138

SHA512
9c20f2c55348de0adea7bc2019a17fdb3c68a07199a62dd15eadc83d5205b7d89d73a7613e952a09eb11fffbaccd0d36d12496088f6ed8b37072f893a68b5e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\nSckkUMQ.bat

Filesize
4B

MD5
9c8748d30cd2a1b57d3a9e7ea223bb21

SHA1
6e927ef0a3cadc4461935159f6dda24372fc4bb2

SHA256
584f4576773ef41d76b64543a1b1a3d7c4487496df65c47cc42ad3f317c0f7e5

SHA512
5a2121949f796ede8e38e10cba6af90421b9d9ea32994576052aad17390d1167cf7846482800d53a6bd531948f8b4d81e43598cba99689151705d6541d483f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYIQ.exe

Filesize
245KB

MD5
271f16c72dcd33ce5e38cfc146ec6bca

SHA1
cc971505f6e07b512848d619b0ce0b8fb2e06fea

SHA256
859491c6602919cc28f8ac58f78919ea0666a50cdc76ede2e476b13b621edf5e

SHA512
120efea2f662ec05daab516f8f3248f3670b8da4be56781e9541542ecee950bb66eb47d262f7ef44b4b641db4cbf07d712fdb1d467da8e59529b86f3657bc020

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYMU.exe

Filesize
247KB

MD5
ecf948dc131ef216699e97925c5df308

SHA1
66388750e7efc07cf58afe3958aeff4dadf1a953

SHA256
d9e295f8fa147aa14f9596e84bf264e5754eda1170d32082aed986e1f876156b

SHA512
b5909a34ed4b686b79822004cdd4f0aa40ff58d8ab1a470ef0e70dbeb258d7cbfa49f967a1031bf388338c22bbe865b60724e6730f576862fb32e376f4be0a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngYO.exe

Filesize
228KB

MD5
cee45406268c673ea07a5459743c0769

SHA1
ae6eb4d33a51352459d9ba4fe83befe60e06b8c5

SHA256
0e9023ef7e1d14d0ec97c55dbc7534ff2bd526f7ff8f468779640ccbad929c4a

SHA512
9f30c91af85dd857f72cedab13951a95b0eaceb553d79938b2703ac3959553302c62232d5911b5fd0ac2afc5a5a3d0e5b532d9296b2ffb9c76093662beb9bd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngcUswYU.bat

Filesize
4B

MD5
e032bd327f33a7f11332cf72b1692b56

SHA1
401a080f566ede9a0ae21b6801e35195e11482cf

SHA256
42d91b2afce7845ada1db022bf4b2c2f067188be6d0c47625f3497d48bf725f2

SHA512
5a2152deb93ccd7bc6d197ae5f4fe6a4a8186ef96e22b1aabc8d234376bef59c66cb5236f710dac4f2eb304e7df271353abe02df15cfb0e62dd52f87fb320c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\noIK.exe

Filesize
235KB

MD5
f33d536e7e844e2cbb2ddc76dccacf03

SHA1
17c06adc6f597d7ecc5d498a3830203b96ec8161

SHA256
6286df6addf10b80c2b0018b2b2c50fdefc64139dfea000950da561bd7046b04

SHA512
45d21d8744d8cf6def8892560c952846b06097bd0efc7ad5aa17599a76a7be1cc488d5ccac299ef7534f08addccf8a04dd1f1efe39bf89d80e2e7de3f7286a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwAK.exe

Filesize
1.0MB

MD5
a45d88aa29fa8c16b425b2900c898615

SHA1
63c4e034745e40d32e10f665665392844c9a7882

SHA256
afdc4ea1f9b9204eb097ddc1c11d01e0e121e570afb184703f080ab010d22bff

SHA512
5f9873a95fcaac8b109b3362cefa938033aa6819a6ad2135a2db1df7be34680bcd871ce8571ac931b2bbc49ac7bf6dfe20e35a89355c98949c6c93003c807923

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMcMooQA.bat

Filesize
4B

MD5
8f6fa43086c9479062116d553798daae

SHA1
d92e71e8ad8d42fb8e843af15d645cc0700b861b

SHA256
13415c7e42c5b9e1a0efc180ddf15806c37e4e38deebb9f6ecef7f60342b353a

SHA512
aeb18147e424c90be18dfa3eb8f9e25d49991f0a51ed3d72122cc0ba5dee3f4ac3d9535c13c762d65924edbb78d2349ce967c80f9f99937868f2e9c359be8fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMkUQsEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocos.exe

Filesize
246KB

MD5
9f13cde73aefe29cd1443fa96edf3de6

SHA1
11a999546df2f5723c2f06645a43c6722225d929

SHA256
ef67dac0d89f4b911623d2e236b6c87dafd92928c62c22834e057131b8fa1a7b

SHA512
08c4beccc20ec183a8523a3e4ed510c14722c09dea7c4397763653969514a99bf4f196976effce12ee97ffbd520a2df34d0947984e03f7ceea89c0baa2da459f

Download Submit
C:\Users\Admin\AppData\Local\Temp\okEQ.exe

Filesize
1.0MB

MD5
4cc96bf0a089a02e0156a0d0930edffb

SHA1
d4529c5c3e936dc49ce014dfea4472f34febf249

SHA256
795174f639254256ddfecd45765c6a2f50bd080688423a0cce8dfb37ab878786

SHA512
9f059f0477a537cc5cf0cab080e5bb745f868c31da391df3ef032f0d3228b3b31c8dcb03cdfbb75ada2cf4f4d553113f8aa6d6b0f35cda652cdb454523615744

Download Submit
C:\Users\Admin\AppData\Local\Temp\okMK.exe

Filesize
894KB

MD5
03aa27a8d2edb71bef5b1bb22a1f9522

SHA1
b01491f9d33c11f741c8710407eef8e70a115f91

SHA256
337a9c75f3901b297bfc10cf6f92e2ad91c4369e6b07426e52f55fc942006f0a

SHA512
c3c93eb23c08f816cec1a43c5808a7990c187710db5fe9d5548e58752e30161ea47296b7daeda6d51dc168e0e2256a3379ed8a68efa3c755f99ab980324e786d

Download Submit
C:\Users\Admin\AppData\Local\Temp\okwcoIUs.bat

Filesize
4B

MD5
8c7f62f4291801f3b4cc04ec90800944

SHA1
19b0f1ca132ed94c3af417e5677708277d61869d

SHA256
1960d58d73b2b261cf3c85f41a24ec4186a52876f53f65047c930c2bafe97941

SHA512
869155655acdebca8f021dd9f7f5de0cf4fcb39b350d8b35a3078e82dd05f6615c8aa316b72e83dffeada7fcfaba9a022aeffe210db4d110ab8ba62717849091

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAUy.exe

Filesize
231KB

MD5
25714a7f7e0c36fa2849f784eaa07f90

SHA1
7c910e18eb60bd16ad6af4f6d963cb5ff211c70f

SHA256
1dd6a74b11b3801fe2413e23f3609a6ce4721a1bc6c54a31bfb589358651057c

SHA512
d9793fb6c1eedc6569998cd12ac9b54a9645c68ceea4e94af7596eb275e7fedccef6cd30d69345ea5fe9dc2af16b850b1a6a0a771880b791ffa3e1ed5c122a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEgy.exe

Filesize
254KB

MD5
a7f9d091459fc7447553c4d41acb5e5d

SHA1
b26f3535f7e7f98b6e2a9a9859131f9d4e84cfe4

SHA256
2d38e1edaec99f00015a94c3f1a96b94299aaf42d51915332db814a306620223

SHA512
192517baced5d70ca77de28f16e49c134ec19f9b78f3e60e00cdb55551f296b7d34217ea0434a44bd3c72e4ef82eb9d32ad4b052c9c1b31cf27039287dc7a32e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qCsEkYAk.bat

Filesize
4B

MD5
cf4868005945b700ed7c5fd6dbf15e1c

SHA1
d410d52527d79abbb555129579bd046c2bd1092c

SHA256
68246d368d956d1c45d2df108dfad52d44fbf68ba2d3d33e0546a98794b48c35

SHA512
060a1b24434e77ae0103488a8e2447b48ca38470cfc562df514d6990979f4f8a47c36976fd752c3c964f775a4183e673fa04293421fca4335885bf07dc220632

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMAo.exe

Filesize
238KB

MD5
b5e7487e5c5c5024605acb4740aa8e26

SHA1
7e642928c32e43b72246ca0ece73dc054e97129f

SHA256
98e6d906e2098bfe849fcada3d32ae3b04ed1f04002b035750921e6b24e122ff

SHA512
dcbf1e5aecfdb118439ef5c4b9caf2df977e85ba2c450c2ea1cb0d0153cbbf90b627370ba3fdf70eda483677df919dc4f96574bdcd99a365408190312cf9481f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMEC.exe

Filesize
1.2MB

MD5
4e8dc2fde15941a747ed4325b50b93cc

SHA1
ea10a154bcf6b48528742861b9deefad6b21cb8f

SHA256
92db4371625d2e25649dc80d45b669fb285e63e80199ceeb1fd95d6f07dc87e6

SHA512
90704cffb719e96946047dfb7b83d1f6d87efb850d8298eeb3edf34e60a7fa52f5643815095ef49a880d77003b4e59a554266a3f968b4488b303e6c2628ead47

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMccYsEc.bat

Filesize
4B

MD5
a802875cc411b4de5c8e5a3fa895a3a2

SHA1
44c29e19e13e342ec1039b9400e52319f34e4983

SHA256
d29160007326f1d3e8d77cce808d56ded484ac9ca94271f207ae45a106af7448

SHA512
1fb64c1490ce765f54c88c2c0b11cf2d21c0c6f633632b15ba4ab5819a083f65e11b2f81c9c926a8dc58e6e2f0791d7f91ec9d1eebad272fadf3809187293473

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMgA.exe

Filesize
229KB

MD5
eab6ce5d7683b64a2ba2bb52a6d341d7

SHA1
e77af0a6bd8319f42cf243824478d1889f597a87

SHA256
d83f0955c05eebc317a036be13c7afd6b0f7d057e2cc21d8ee575740f2b3faae

SHA512
887c1a33032467e82f9db817bf0322e7df71017a83189efde3f726e29f11a4f204ddd5c0f901eaf02f29aef271ed23fdd0edd3b37a9839d91dfb66f653fed3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQIK.exe

Filesize
749KB

MD5
cdc203dc98f8f25a7648ee8242c6593b

SHA1
db7fa95906346198731447838db8901364aac256

SHA256
2dd12f69d35881ae865866244b231735d9053f00b4627f9c480e4673ba8082d1

SHA512
9142e9575427bb09378a115d1f51a4dad1bb623b7dc729de9c17a823c9952125671f024bda3999ef0ec6b7f31219fc5ef252d3d5265d8611f99efef953c8a9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQUkUwEI.bat

Filesize
4B

MD5
55cf6c03c79d2c609a6b246dcba724b4

SHA1
8c789031aca253b93ffe49773f7ccb8f485d4b59

SHA256
8a3b8f93bcf53306d4fb6e3125e47188c4369bbadd9fae2e16fbf45ebfab0278

SHA512
561da5cf94329bb8877f3e1b1077c52ccf69b84ec5dcf093175fb1eecf9e4fd7933fd7d383ce8616dca812d0146b4dfeaa7d085b5c5995757b7a73cbc7e72e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYsK.exe

Filesize
4.1MB

MD5
68a0eb0cc7276008114d0092911f54a6

SHA1
d24c09c38fc457e8cb5bf56a93e618483562b963

SHA256
956f933a0ad148cc8da544f62bbf30f039af4aa559535895d02de4b13fb12d0f

SHA512
ba2253acf349c1b2028e48dbd36e7d1e71297721f53b21ebdfd6aaecec8af9ce171a9e6b228a745cbe6763aa336181237ba71c86b8d178e959903981a25759c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoMEwwEU.bat

Filesize
4B

MD5
6cd22d8381614e820f566db8c159cf5b

SHA1
f51b04acabbb1836678efd411fef751466732b58

SHA256
88c8138370cfb6df0ac58d0c363d1381e0891afc7863e61ef92d55ae909602d9

SHA512
3c922fa66c571317b07d4e5e64a44fac0c9825ecf76d807db9295ebb60fd0a426ee26dac58cb4afc509b6c3f0412cb520094160e04b4ee0ff2850eb2761f3295

Download Submit
C:\Users\Admin\AppData\Local\Temp\raMwEIMI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwQEQkYw.bat

Filesize
4B

MD5
1021865a50916ff2a9984455a54b8610

SHA1
29edc21f4eae50a5c94b5e0ce953c6503112a13b

SHA256
0e3ad52045c092a6c7d32a4785606f37ab00c2fe3f7513d10c7bfbea183b8e31

SHA512
03fe2f84a21d42284bcb768e82bd9d75cd64e31bcb2b45b8d9d249aac34a7f4dbc3d4915c5eabac48542711311bae480356008cd7ab9a12c30ea9e6efb740271

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIwu.exe

Filesize
320KB

MD5
bfc126cf88bc841905623191462561d1

SHA1
c0673089aac57fbd4f581f482bee13800fbac03b

SHA256
c5ef225dd74f9b886c15051806a363ad4653815b4403b5d8166cb0368b95999a

SHA512
8ce980e1143a5140954171c8f74615adeafcaed649efe1e12edd04bb89f9acfc9e2313f8d9ca87119578a5a8219ad9280f798cb31f73168601fd8e975bdf6be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgIMkssQ.bat

Filesize
4B

MD5
f30f6b93b4dc55d819f73df4a2430232

SHA1
d9a307d951c01db7e2019b177f8e959e93041afb

SHA256
c4566f1a870b72e554369536f3470debebfc2b45f45c1d272a53356cac6531f8

SHA512
c1c668c059ea6c0b318d4c7f1e25073e4040e44a924a00c86101dd3dc8659c122fb71b018a2fd46d0b7b41e05b6c56fcae49768f173ae2490c9523ddd0f44530

Download Submit
C:\Users\Admin\AppData\Local\Temp\syIMwMws.bat

Filesize
4B

MD5
d78fb1c14f3a9e5ab6903b9c06590803

SHA1
2e53549377e7ffff72ac1d3063b4809cb6dbaec3

SHA256
9f9e8089ef37be029f02156db775314613d438fa503c5f9e11693d996dab1aa3

SHA512
a601e286c8369ec4d031a4bbbf3d036ede4cef998163ecf8a8ca20609eaccc33ce649809565de56b280046e13a545804ff8d6281b811b4f0bb3ac3ba103b2562

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAQK.exe

Filesize
222KB

MD5
69acf61195fc3a91ccf6556b1333685d

SHA1
9c959eadf815c28a334620020f4147e722794b36

SHA256
f98a4a1c519e2f24f96be60fc3c5c2ffbaa608ad64e31975263a330897279490

SHA512
69fa77fdd2d4e1a1e2c6540d7a7ceceeb71de9197f8531b7c4c3b1bc9dd511e09a26ff65f758d48e47e9a1d21c2474dffe7d9b7fb4b74e6f2ab3022093da00ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tIou.exe

Filesize
237KB

MD5
6740959055629c17c9398fec78897189

SHA1
8b16347c3f167b4f1dad02170a087bc18d458a77

SHA256
1b9fbd4a109990b42bc6493864c1bf383511fc16fc9ec60977410f17707cabea

SHA512
df93c963f180371617d16ac9301409e783c2d1c4d52bf62c1295b190d68a518417f346f4d330d61df3d0f7479c8fbe4b331379a86e4737611c9bb4dfadbb7119

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMEY.exe

Filesize
244KB

MD5
236aafc1c91f76865429fda75679119b

SHA1
36b6743c2d68e14160a0a0a79b0e50459e18c3bb

SHA256
4e42287ae197bc3b3e236676e188331f3cef7200a8f2d3fbbcfb87ca796deca6

SHA512
34929b218d2285e8a26c148adddc553af2311aef7806e4646fa847548b8e61ed0e3856b5dc7836f65180b82c6e00ec8ec70b780b16de59d2a91d8461b1728b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcwMsMMI.bat

Filesize
4B

MD5
48a8163f2eb522554a426a5c4fdf43fa

SHA1
23bec01472e5fc69d7db835261344817f5ff46e1

SHA256
adbb9c957ee32d3bcb9b0d4d17aca56ee5760c6298e36f56b6cd5813f366d9d6

SHA512
c8a15dcfb8385b965aaf581fb17196d7e4be4111c0a6e9b7900cd79186a3204272399ac7b54332fda3414a66f53f7552a4fe5294cbea61d58ecc0627c724a6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tscAwUcU.bat

Filesize
4B

MD5
1b17a93879fd61c666dfe64ea84fded2

SHA1
ed7154fcd135fe7ca316a7f61888fa1977985196

SHA256
be8f20a50a9c835814b6f19bf303451bf1adf336e124858237100bb1535624ab

SHA512
99ef592ca21abfb7c30430f5c2c5e74d869bd6e537244e354948215c3fe35ff7142f5ade43373e740342fd87a9b34a0b2742c13d4d227f81764c2a3dd43612f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIAUUUsM.bat

Filesize
4B

MD5
6c873349d63176572a4a0092591a580c

SHA1
389c08e1aa51a133b90351a596f424ec0dfc41b5

SHA256
b03fd8ee35bd9871685a23cb6bbc568b11fd9ebf5eb3bfe6b50dc8fdf3aabf20

SHA512
e8f31f26a55abae0fdac3f94bde978da0084438157093378e4909932d0e51034cfac4fb7c8724dea7d7933db122e998f488d0ffe963651b9d69fb7753ca2558f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIgq.exe

Filesize
234KB

MD5
e297d57436db53f9325151d8eba14100

SHA1
20dca9c350824f7f5437ea9a94f9455be92c91f8

SHA256
7efa2573f55859e81a141c287a3150bc20b18e97ed3d4b863990800efba4959a

SHA512
cefd79054f3b412e88c1cd9e132416b0ea14d846ea995bd1e3e5be331678964bab6a8701857dd3d47b300f961a01ae2c00ec2dfe6ed884e57b3e33a0e5250a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYwYAogY.bat

Filesize
4B

MD5
7ae3fa779b0d068335ffee290d40b591

SHA1
2b8188e131db1e07a1e683b11e7acbc042f9ed65

SHA256
4592b22efc190bcc57301df64a01c85950132f9e6412fbd66ab2b06be6870bca

SHA512
dd47f4d6de4ff4938b289a67088b051f62f18ccbd9e0a8c98475c2fc8ee0111a6ba959a70a695860add4ee01e3edc733e5c94cee00d411de1fff9bac8b2655a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uaMgQUgQ.bat

Filesize
4B

MD5
e9fb5ac3dab0345d7cc4df3eb3e493c3

SHA1
ff40304e0a3b76f5df02254b7d45345080b4aaa9

SHA256
1aa4bcd3c8ed8f7a67f5c5996a6bd86b68956121e95f3fdd949501e1c9d2e68e

SHA512
7200ec331fd5423250006f7bf826ce11f2ead2637f07deb54a14a2d38fad402554fd2123e49e2e3a95cc7592e3618a0372cf9eef48d6807c2aa0940fb1df6efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucMi.exe

Filesize
239KB

MD5
11cd2bb063ef0f0343ef4110bd235a81

SHA1
07c4112725d79c509f77fd6e58a5b7cfd45ce4e0

SHA256
412e3e3dc610020d8277afb6000cb0446e9d8466516a4884919d2185ddb68cc9

SHA512
7d791639f39a911b63fd2a391df683d0f18916433705af6964d4ab43f2e584a9d16eeb682ae50fccb09a2c4554709b3b997db8226cbf08e5820dc4d3de460e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIIA.exe

Filesize
762KB

MD5
c6f52d873dd5d16ac625fa4cc4d68f4a

SHA1
ef1b3cb0839f88abae04a03ce3c1f6c0fc9b2aa6

SHA256
dabb7e1d791cb0db3a51bc981af15ed830d90d0e81c3e86eafcc490828d4db4d

SHA512
294c224a3fc87637e20c010c72b86ecf8d154ca4e85cee7ab330aab45c4a41fd57d3522d8cd07762a0601ea8fde158849e6313c38d4d93012c52486cfdc1d9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIIo.exe

Filesize
235KB

MD5
1df1a8fccc70bb97c89a042a35c4e6cb

SHA1
13e1ed21ba557633fc55636255735d54f1abe670

SHA256
05324a95f78180ba1c2187b1490449fb3bd00f79e1899c4ab93790b4301ce33a

SHA512
0f63c5451c1862a08915b77a73aab8451f55de39cdab7cf3be913bf435c8120bbee5c64676e651638a5607a0f33fe12bcd1a1f927ae9db449fd8e11d4bf27fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQwgcUIo.bat

Filesize
4B

MD5
009bd4380fde4cd3e3aa2f043658b170

SHA1
06dd334eb72436594188dc62f7bb81d65f8177d5

SHA256
1055134596edeed4ef1e77ca6cc8ff1ce524e19db882b43e695eff021fcf203d

SHA512
c0f1e9a839b47c048584a2f07298c25384c67632c8b57c7f5b519b69e1812475a6e6a3e7ef296d999bfc9c9ee66d816702d36f08d6dfb66fe44885d5c769deac

Download Submit
C:\Users\Admin\AppData\Local\Temp\wGIIUoQE.bat

Filesize
4B

MD5
160973c56f52da4197b7351a1a54e4f9

SHA1
15ee5a601c85fc2c802f3642685c3399e1095fa5

SHA256
95739f3f234c431c91b72753e8792d6f3ff5af2a5ed8d900dcc7e0d471cd1de4

SHA512
c1d23b1c1af9a0c581e02783a6c12339ff27f35ec0b3ef6609890b2baf30b446432969cd752f48ff41967f6603e4f4825fafcd7af9c4353e2e8419eb46050c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\wSAcAAEU.bat

Filesize
4B

MD5
8e1e9087b1839da5fdc06e0d7ae79359

SHA1
494b02e0c10710724b6b2217c6f2d94b78990288

SHA256
db6524bf732ea9db59b89cf36aa197101be411bd847f5c8f9164c10775dfba90

SHA512
f3befe8d00ff3f96035c1e02ad33e2c98f3618adefee389a193ca9d1c8852c2280f6e143a818d3eae4ddc4be6a1f2de14df4274bc04080c8963cb39543925c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsgg.exe

Filesize
220KB

MD5
1d220ec8812503e685a0eb4a5302ee16

SHA1
c9465d66c21b997f17687efd938c9468b6b85707

SHA256
58e0a05069e78ae7c58f83d0e576597ce26c05fe75605c10450cd09c2a17ac8f

SHA512
b4525dd3cdd900ad9293c11e4c7a12a5acb39f14a09c6dd582a0c7d2df956b2d8e52ae78f919a97221bed3e2aa6e44da4abe113d49e453e60b51aeb764e5ac59

Download Submit
C:\Users\Admin\AppData\Local\Temp\yCUUgkws.bat

Filesize
4B

MD5
d5abb4bda019ee7d723adadcddbf8c16

SHA1
de1bc4790d0a5464fd4258c9bbdee62b83f286fb

SHA256
5d5164f9ac0307bf4cbec3ee29e6780f2f6082ca5decca8aa85a5b19ccb0c503

SHA512
fe0117cab340ae2a1d8c4734f82e517b46a90915fd2dfae77ea0cf1df5e7a50a07e10590a92ee3bdc08a248137c18e788e0a59e98595c0d0d2fefdfb44609602

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMsS.exe

Filesize
224KB

MD5
8427bfa7d6f3bb79aeffeb0f07c232af

SHA1
be780c232371084e922a4526683b3732e8b4c776

SHA256
7116faef87b69913a4808b5f4ae40449aa0f25bb147ba354af06f33f38fe658d

SHA512
afd8b2a10798673581da7a6968da3c3051edbca73ec473c8197491a26ccf2b1f6d13d1dfde1858966a5a37401404b6b2756ebd160313001961d0ed0546265043

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQIC.exe

Filesize
230KB

MD5
0ac5a8b0f83a3fe35895f70eeb1dff19

SHA1
f2e6b53cfea66f77bf674d14926bd1de35b4331f

SHA256
68e06d58f67be8f2322c15ef2b4808b381a92e27e0450e110ace2f683a80ab03

SHA512
2501c857a329e51f29890c735c1c8e820443c373ea21ebea61d2a6c7f6e254fc4c75914685608387763bf483b9db4a7dcff9f1d7f3e266507818f4e909a71818

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycYoIYMI.bat

Filesize
4B

MD5
2465759e22118cea6e8f70583d712ed2

SHA1
057bf2a1ba529c598950a9c99baa10e2b6d36402

SHA256
91b6b80f9f15bbc7e694900e4fa999eccdba4c919e76c036896c28e430bdb39f

SHA512
b55366c0f352714986a42278a49f4d92ab80697ffb20f0e33edfd0513fec01212f1bd4881d05304c9629599ba76cb67562ea2b220b00c07173abfa680b154b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygQoYYYU.bat

Filesize
4B

MD5
d926a00278257376fa7f4a81c1cf2efd

SHA1
2198fbe33b18b091d06a262b0527266ac91797e7

SHA256
5f141e58c3a81f85e81127d5d1337a6f5d0a2230270c529572940f62a17318b0

SHA512
b4e20dea182a38dd8e4822b78db8edc6206831d75d888d6981f55611ba770f758a9b5f853c467f0a9b873978bc822d3d561b8ab8136feaafe7b0366d383c0388

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykYUQQYs.bat

Filesize
4B

MD5
730e3e66456f439be9c7d3e750d75672

SHA1
f46733311f3a0364fe36b46d425d54277acf1e9a

SHA256
0070d786e7568c37ed165f749aa1e706190dc8b599d259ac58a16215987385d3

SHA512
2e78d1a0b260aa98fcea8e27e238485a1a6be688db671ab45e13301941cf97e0f3420921b1d9978a928e66c7b497b6edaf940b81a9a9a84c149684826a7985b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymIQkYkQ.bat

Filesize
4B

MD5
cdeb4075c7f94cdffa068dc4ff52c3d3

SHA1
78270c2a72797063b3dbdbe12ebede8661912105

SHA256
80a059895b020cf1ed671076b9c865f0986f377995e34d449d9b55bc4bb19e1d

SHA512
a811d805d3258780cf5540e2ce0f98ae3867591ed3db7b452faa0e52e6be72c62621d707dbb83cd5d27da9d6ab67d3caffd3e3e296fac1cc6dcc1b760d323111

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEssscww.bat

Filesize
4B

MD5
b7deff8e80c28d75647de54a2c9f4579

SHA1
091818119d9e58d93207fcd8360da9e8ea657337

SHA256
9cd2115a00b5e392acf3c4a0a617d1d6367cdfca0fa9121e3e0e6a39a15f10ff

SHA512
bf33b56a00746a9a100c352104c01498894131a028313991ec9dd6ba6f933bac20101e9ca742433a5c64444c2c1e3182dab0a7b847bbc4f3b6f561b92c574d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIwkcwUI.bat

Filesize
4B

MD5
ec122ea732c4fd0879572e1bb404fc3f

SHA1
ba09077347c670d7dcbbe0626ae6bef32bbcf961

SHA256
89eede1a5051c1ef44c02a982b03ea11872fa66fb1a0927be3ca3f7a44c1c3a7

SHA512
b8362e594f6b7c97e565f6726b00dbdb9a34fc7c8f93f6c6ba7ac9a86565cca8bf745a4a65e0c69a8f93fae382f886298f7e82b9b347375f0844110c30aa4721

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYUC.exe

Filesize
226KB

MD5
f642908aceef84aea351168370524254

SHA1
a96e1ae0b65b2bd5b122bdc18e05b7b16fb20a5e

SHA256
d45e285227e0e1916ec521c0779e9a6531cf4060599dde5f439295fd73c7945b

SHA512
91f2e8d69922f760f1618f12eb7f55a81d1162fa0b212aef73ec2f82ac28bb252058bd33e36e867450d20cf3a6de0a9c33ad0a3ff418dedc74dab747186907e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgAoYoUE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuMwMMgI.bat

Filesize
4B

MD5
e1f2178b2eaffff9071873d4c5a740cb

SHA1
fe82968eb773d44a2f5d15d5e5243ac9df36107f

SHA256
643d3d28d36f5d1439402f5fbb4a5f6a440677c528ed6239ca03546ae61b0aa3

SHA512
5ff4af50b265f3d885e77ff7d9dcb2d39a1017874baae34bfb005811691650777c2012154b9d080e3f3203c97a20985dea53daef3062b2f6603ffa213d69b4c0

Download Submit
C:\Users\Admin\PcIgcwoo\vewMYckw.exe

Filesize
180KB

MD5
8062a18e32f3e2445c3bc54fdcf28ca4

SHA1
4a5fd87805f88d7d83d6e22e5191df756e674251

SHA256
0e49a7be9eadd3a52dfdcc9b984a45ecdd8b91caaf688b1728cc1b6c84c3aa00

SHA512
cdf88ce0a6e74158510cc58f6a009a315184bbe69b39e6397c9c4be97590b700e8c6db3c18410870a9f0bc772a7b37f9b7a4b3c571e63f51a8bb8c47116195b3

Download Submit
C:\Users\Admin\PcIgcwoo\vewMYckw.exe

Filesize
180KB

MD5
8062a18e32f3e2445c3bc54fdcf28ca4

SHA1
4a5fd87805f88d7d83d6e22e5191df756e674251

SHA256
0e49a7be9eadd3a52dfdcc9b984a45ecdd8b91caaf688b1728cc1b6c84c3aa00

SHA512
cdf88ce0a6e74158510cc58f6a009a315184bbe69b39e6397c9c4be97590b700e8c6db3c18410870a9f0bc772a7b37f9b7a4b3c571e63f51a8bb8c47116195b3

Download Submit
C:\Users\Admin\PcIgcwoo\vewMYckw.inf

Filesize
4B

MD5
ca34f8dfafd812b25de88ed1b8ee51ed

SHA1
3dbbf5624e977c4d6d3b6ae693be623fbd5d1474

SHA256
39259142cfa97bd959ccb1357352dfaa38e868861cee0a4e56a8f9ca8885653a

SHA512
707e263613ca5d65187a6da8b7e2c3e0fe085edf1d6f2b7b63ff3eb7191e7b6e689225706b0ef23fd2033019e007c3db8d76d71b5dd86f3dbb4efe5ba23d46d1

Download Submit
\ProgramData\zKEEQswk\DWgEAQUs.exe

Filesize
198KB

MD5
0a45d933944629850744edb7d093cbdd

SHA1
d5690f8c591ea0baff9211891f182f1555c1697f

SHA256
03ec66bacb124ca4c58e6c72380c7ba00a92b2615980a49e5b086a5b03fc1dd9

SHA512
4c78d0d6c06608dfad6dec0350fb92df1e3f9034a0815732688e78093175df899b496fa963698adb294ab2fda8c4e48fcdec9981668c8a4374828431198e7526

Download Submit
\ProgramData\zKEEQswk\DWgEAQUs.exe

Filesize
198KB

MD5
0a45d933944629850744edb7d093cbdd

SHA1
d5690f8c591ea0baff9211891f182f1555c1697f

SHA256
03ec66bacb124ca4c58e6c72380c7ba00a92b2615980a49e5b086a5b03fc1dd9

SHA512
4c78d0d6c06608dfad6dec0350fb92df1e3f9034a0815732688e78093175df899b496fa963698adb294ab2fda8c4e48fcdec9981668c8a4374828431198e7526

Download Submit
\Users\Admin\PcIgcwoo\vewMYckw.exe

Filesize
180KB

MD5
8062a18e32f3e2445c3bc54fdcf28ca4

SHA1
4a5fd87805f88d7d83d6e22e5191df756e674251

SHA256
0e49a7be9eadd3a52dfdcc9b984a45ecdd8b91caaf688b1728cc1b6c84c3aa00

SHA512
cdf88ce0a6e74158510cc58f6a009a315184bbe69b39e6397c9c4be97590b700e8c6db3c18410870a9f0bc772a7b37f9b7a4b3c571e63f51a8bb8c47116195b3

Download Submit
\Users\Admin\PcIgcwoo\vewMYckw.exe

Filesize
180KB

MD5
8062a18e32f3e2445c3bc54fdcf28ca4

SHA1
4a5fd87805f88d7d83d6e22e5191df756e674251

SHA256
0e49a7be9eadd3a52dfdcc9b984a45ecdd8b91caaf688b1728cc1b6c84c3aa00

SHA512
cdf88ce0a6e74158510cc58f6a009a315184bbe69b39e6397c9c4be97590b700e8c6db3c18410870a9f0bc772a7b37f9b7a4b3c571e63f51a8bb8c47116195b3

Download Submit
memory/484-369-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/484-403-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/624-441-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/624-475-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/768-497-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/768-476-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/788-379-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/836-392-0x0000000000180000-0x00000000001B1000-memory.dmp

Filesize
196KB

Download
memory/836-393-0x0000000000180000-0x00000000001B1000-memory.dmp

Filesize
196KB

Download
memory/856-254-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/868-183-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/868-216-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/876-206-0x00000000001A0000-0x00000000001D1000-memory.dmp

Filesize
196KB

Download
memory/1108-498-0x0000000000520000-0x0000000000551000-memory.dmp

Filesize
196KB

Download
memory/1320-185-0x0000000000130000-0x0000000000161000-memory.dmp

Filesize
196KB

Download
memory/1320-182-0x0000000000130000-0x0000000000161000-memory.dmp

Filesize
196KB

Download
memory/1360-135-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1360-137-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1376-322-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1376-331-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1604-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1612-208-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1612-239-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1624-145-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1636-426-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1636-449-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1672-112-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/1672-113-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/1772-332-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1772-167-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1772-309-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1772-146-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1804-287-0x00000000001A0000-0x00000000001D1000-memory.dmp

Filesize
196KB

Download
memory/1804-277-0x00000000001A0000-0x00000000001D1000-memory.dmp

Filesize
196KB

Download
memory/1832-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-193-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1976-501-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1976-521-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2104-229-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/2148-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2148-59-0x0000000000460000-0x000000000048E000-memory.dmp

Filesize
184KB

Download
memory/2148-88-0x0000000000460000-0x0000000000493000-memory.dmp

Filesize
204KB

Download
memory/2148-99-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2148-87-0x0000000000460000-0x000000000048E000-memory.dmp

Filesize
184KB

Download
memory/2148-84-0x0000000000460000-0x0000000000493000-memory.dmp

Filesize
204KB

Download
memory/2260-467-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/2260-465-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/2412-439-0x0000000000290000-0x00000000002C1000-memory.dmp

Filesize
196KB

Download
memory/2572-512-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/2768-231-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2768-262-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2800-252-0x0000000000130000-0x0000000000161000-memory.dmp

Filesize
196KB

Download
memory/2840-415-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/2840-417-0x0000000000120000-0x0000000000151000-memory.dmp

Filesize
196KB

Download
memory/2840-86-0x00000000001A0000-0x00000000001D1000-memory.dmp

Filesize
196KB

Download
memory/2892-122-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2892-89-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2908-279-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2908-308-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2924-368-0x0000000001EE0000-0x0000000001F11000-memory.dmp

Filesize
196KB

Download
memory/2960-425-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2960-394-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3068-356-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3068-333-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download