0541b9826381707950b876731e623b5c8e3161ca21fcb4f0d4c00e8548f19d35

Analysis

max time kernel
0s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

126331dc47d5b374c24d7ea91729e3bd.exe
Size

488KB
MD5

126331dc47d5b374c24d7ea91729e3bd
SHA1

f8778e0f62dcb51c0c0a86d027fc06a103f0f798
SHA256

0541b9826381707950b876731e623b5c8e3161ca21fcb4f0d4c00e8548f19d35
SHA512

e7c8bb08ef990176e704a0b45c821a28e3714c803dcf1c9f752c35d097a655393ccc92e6c056df21731bcf292a07c8ad4236141de6ba1e8593c2879501dcfeed
SSDEEP

6144:h5lbmf0JwFDAO8xqb4Tdoxh+k9Y9Sd0o6dwrSpcIrD+aE2/irmp7fYWs:h5wfJAOyRF9KVrSp52aE2cmpu

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4920	LKAwwMEo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKAwwMEo.exe = "C:\\Users\\Admin\\tcUEcksU\\LKAwwMEo.exe"	Process not Found

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1308	reg.exe
4076	reg.exe
880	reg.exe
3632	reg.exe
952	reg.exe
1812	reg.exe
3048	reg.exe
4572	reg.exe
1396	reg.exe
456	reg.exe
2584	reg.exe
4104	reg.exe
4928	reg.exe
2948	reg.exe
1972	reg.exe
1012	reg.exe
1900	reg.exe
936	reg.exe
4664	reg.exe
4252	reg.exe
3100	reg.exe
2440	reg.exe
3744	reg.exe
916	reg.exe
456	reg.exe
2984	reg.exe
2828	reg.exe
2632	reg.exe
668	reg.exe
1664	reg.exe
1988	reg.exe
4188	reg.exe
3976	reg.exe
4056	reg.exe
4664	reg.exe
1076	reg.exe
3212	reg.exe
3108	reg.exe
4252	reg.exe
3748	reg.exe
3732	reg.exe
1396	reg.exe
2404	reg.exe
4028	reg.exe
3164	reg.exe
944	reg.exe
1988	reg.exe
4852	reg.exe
2548	reg.exe
4344	reg.exe
952	reg.exe
4512	reg.exe
2368	reg.exe
752	reg.exe
1112	reg.exe
3748	reg.exe
1044	reg.exe
4304	reg.exe
1364	reg.exe
4084	reg.exe
4592	reg.exe
2828	reg.exe
628	reg.exe
5064	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4808	Process not Found
4808	Process not Found
4808	Process not Found
4808	Process not Found

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4920	4808	Process not Found	1209
PID 4808 wrote to memory of 4920	4808	Process not Found	1209
PID 4808 wrote to memory of 4920	4808	Process not Found	1209

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
"C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe"
1⤵
PID:4808
- C:\ProgramData\fKIIYoAY\YsMUgcQE.exe
  "C:\ProgramData\fKIIYoAY\YsMUgcQE.exe"
  2⤵
  PID:224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1152
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:2984

C:\ProgramData\tWIIsogs\ysscUwoI.exe
C:\ProgramData\tWIIsogs\ysscUwoI.exe
1⤵
PID:4080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:2028
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:3496
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsooYQMY.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:3636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:1868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgEIIgYc.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:1112

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:3744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCkYYIQw.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:2060

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:4104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:2968
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:2828
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:3524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owksYEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
      4⤵
      PID:4084
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
      4⤵
      PID:4556
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5088
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:3224
  - - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
      C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
      4⤵
      PID:4016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwIIocss.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
        5⤵
        
        PID:624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSMEcwEM.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
        6⤵
        
        PID:3780
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:4852
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQgsYcUI.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
        7⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
        8⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
        7⤵
        
        PID:1636
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
        6⤵
        
        PID:4936
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2224
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:1308
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:3272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
        5⤵
        
        PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSEsIwIs.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
    3⤵
    PID:3780
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3052
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
      C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
      4⤵
      PID:4344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSowUEwA.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
        5⤵
        
        PID:628
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:4056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgokkEAA.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
        6⤵
        
        PID:804
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2584
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:640
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
        6⤵
        
        PID:1628
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruIMwYIM.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
        6⤵
        
        PID:4216
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:5068
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1484
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
        6⤵
        
        PID:916
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1548
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:764
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1664
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:4496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4948
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAMEgUcI.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
    3⤵
    PID:1364
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1396
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:4928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:3480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
      C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
      4⤵
      PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:1308
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:776
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:4252
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2448

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:2192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:4056
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VskYAsQY.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3744
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2584
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4572
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
        5⤵
        
        PID:2228
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
      4⤵
      PID:1472
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4628
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:3164
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4936

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:5064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqsIgwUA.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:3948
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1364
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1076
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:1684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:4808
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3952
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:944
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1740

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:4408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:1796
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:2448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1548
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:2456

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:4076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:4440

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:1740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3664
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:4792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiMsEkMA.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2948
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgYYMwYk.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
        5⤵
        
        PID:1332
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2584
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
        5⤵
        
        PID:3940
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2060
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmkQcEEI.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
    3⤵
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
      C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
      4⤵
      PID:1576
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaoYYMko.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4584
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
      4⤵
      PID:680
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
      C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
      4⤵
      PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:2008
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsckwUoE.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:4368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:4632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:1044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:3224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:4052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:2404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:728

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikYUMcwk.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:3844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uooggAgY.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3100
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:4292
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2284
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1972
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:4388

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:4660
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:2828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:4552
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIkIkcEM.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4252
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:1544
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3780
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3952

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:4396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUcAMkco.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:2548
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4028
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqAMQMIY.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3108
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:3940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:2676
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUEkcYIM.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
    3⤵
    PID:3952
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4252
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2296
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1972
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:3116
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:624
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4948

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:1604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KucUAwkw.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:532
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3796
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1636
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:4240

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEYwssAU.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:4552
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkYgAAEM.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
    3⤵
    PID:836
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:404
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4188
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:2968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:1740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkAkoQoM.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:668
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:936
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3976
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4408
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2952
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:4684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:4252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgcYwQAE.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaowwwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:936
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3100
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1592
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1044
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:4808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:3656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3828
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4244

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:3164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmowQYEE.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2016
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zwEowEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcAkUMos.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:3952
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:532
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:1484
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIIscUUs.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewQgQYow.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWgIIoYE.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:2440
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4028
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4244
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwIEMIMA.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4024
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3276
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:2552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWgwIwcQ.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAoEQkYE.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:3276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYgAMUAI.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:1112
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:752
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:2060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkQYgMYo.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OookwUEA.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:624
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1104
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4364
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAwIMsQk.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3844
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsEMUEAY.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2548
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQsokYgg.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmIgUwsk.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3164
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2676
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:3664
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:3612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyQIEUgs.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:2548
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoUgYgsI.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:4440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAoMgAQk.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:3496
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2548
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4572
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4632
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3748
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:1044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\regUoAYY.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:2720
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4472
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1012
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aaAcEcwM.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4216
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:776
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:4104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAgssoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1552
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
      4⤵
      PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCAksAos.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3612
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WsYkocUY.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4056
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1900
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2060
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:3984
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4016
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:3192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqUMYMkc.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkgoAAYc.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSsIIsMQ.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:4572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUgwUIMc.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:3984
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jywMUEQA.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUssQYoo.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:1988
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4084
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4852
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4304
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:4408
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piIMMAsI.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:1332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuYUEwwE.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:2676
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:936
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2192
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuUAMoAk.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:4408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kacIIAMY.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4664
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1428
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:916
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:936
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgEMMYgo.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FskIsUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMMEUYAo.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:1364
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2404
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4664
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uaYYQQww.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\woQoIoIU.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
    3⤵
    PID:2208
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1900
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3688
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OagcYYMo.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:2180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqkggEMg.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:2556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgsAocIY.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQQgUcYI.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:1372
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:964
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:680
- - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
    C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
    3⤵
    PID:3744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCYEgQYM.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4428
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
      4⤵
      PID:4496
    - - C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
        5⤵
        
        PID:2456
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:916

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIUsEsUo.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcsEQAco.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:4024
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2252
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4188
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwkMoEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:952
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1332

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:3340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGMksMUo.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2296
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMUkAEQk.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUcsgsQU.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQgEcYEg.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:5100
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4016
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2576
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:5064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAwAIAQA.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:3032
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:2824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1152
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4440
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmkIcUIA.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:2296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGwQwEMs.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:3984
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3948
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fogEgIsI.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XogssosQ.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:2548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoAwwgIk.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:2028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAkccsos.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
  2⤵
  PID:2024
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2960
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1372
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
  2⤵
  PID:4476

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgMAsQAE.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWQwoEIk.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:2828
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4476
- C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
  C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
  2⤵
  PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:456

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQcIkcMI.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4104

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:3164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAgsUgkE.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3212

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:1688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkwgcYsc.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOUkMgco.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PegoIwEM.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyIQYskc.bat" "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe""
1⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd.exe
C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd
1⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\126331dc47d5b374c24d7ea91729e3bd"
1⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2824

C:\Users\Admin\tcUEcksU\LKAwwMEo.exe
"C:\Users\Admin\tcUEcksU\LKAwwMEo.exe"
1⤵
- Executes dropped EXE
PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
890KB

MD5
17890406ed99a41c2b72b2fb08e189a4

SHA1
6addfb6d834db6c2498817c7eb9ffdd431fec76d

SHA256
5ee5c11749fee7372fc9675ef4813612a9d028180cef242816691ea641a33e46

SHA512
a4f7d25528a2ade5e86463a69fb53fc4d4053b47c3c28c4df5959cfc46c5f7bea025837aae5cb584ac75829b7874624cdea3f73ca6a5951a895c9187a6a3b0e4

Download Submit
C:\ProgramData\fKIIYoAY\YsMUgcQE.exe

Filesize
92KB

MD5
a6c2aae3c7f33f1438b4e07e0cf11b1f

SHA1
85a5746245bae7bfac8041fdf7168c10c0cc5565

SHA256
04a09f0ad6fc462dcc524a7388675c6f71cadc4561a3a686e3b46e93abf4b0be

SHA512
d85af7e6232ed7a203b374070c8e8202d273db6f28b6a5d15768bfdf70e7f9a8eeee169538d2ce8bfd2a2ca915d82ccde55569b5f804bdc8898cff26642ab5f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

Filesize
437KB

MD5
50bf460a6298549fdb1c5fd2cd4f88c1

SHA1
5e848e315ef138976b89c50cc2bdf57d80ce45fc

SHA256
f917af7996430ba8ce445e1c5f3d02a4d553d50e3f7cc6b8f77f6a596661cef8

SHA512
7c94548808fb618f25a96c9f801fddd6dd2bf720281302f02833ef79f46b508242a35784a204c0ec90c0da980ab0a09c6a0e19a8ed58da4718d89c6a7699a008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
446KB

MD5
5d572d50215b07c9491b374fb228f50f

SHA1
b7a48f691728f8878f9e655c33dbf749e743496d

SHA256
feaed7d3fd87b2e8ec6adc56a1da288d549caafc8ffb2c73d9a237f197fdacc3

SHA512
1e432c09765481342c27073b916cef010011b2952e545a0971bc5e1af12d323f6597190858b1a35c2e6ab5ea47c5f53590985f4666460e2da557621068030238

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aswy.exe

Filesize
436KB

MD5
7b77a0061b48c6bf34acaed6d27e65e0

SHA1
89fb3fa96386bfe521fd61aeb11cff3d6247a21a

SHA256
d99f207bcc88661aa771a5a2445ee4f69ea65d4cb98dae47b198a6b1095a4215

SHA512
d2908bdb56bd783a5226121e259258ce8d198d4d79c5d5f39d98dc39c1be779f99623af455247c64c6dedb0da91903fe966a17dd7c566b1756b2f78680fe5d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAQo.exe

Filesize
1.7MB

MD5
31387b90f529513d97ec589d179d5d6c

SHA1
92af2fbf510568733b5f78ef2d2b9c57554f0610

SHA256
724e422f5c68c378e94d0ef85bc8304edf5ee3a18cc945f854200a6abacc8b68

SHA512
46667effd9afbcc8cf5b96ab9ae4986e858db4c31ea043c97fecf15833f05c52d6dc1ccab5f28dda37fb7cf8ac169679fb5e6660a48299a21fdbe4a17a62c416

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIAa.exe

Filesize
558KB

MD5
a1fcb235f9710dce4fe5dc56d426c1f5

SHA1
d9bdaa815253eda0ccfc1a6efefc787025711223

SHA256
056e0383f4deea057728c8ba3d7b7ede16b1df8af4e43fee7ac99640115db187

SHA512
66020905fe373385b144e3c4afbd5ef64481db6ba77e729507eaf3cf49b2e2dc601bf9d1b7d403a07e3d23d46dc27d1f52461f497fdac3e1f9c098bea14691e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUcG.exe

Filesize
442KB

MD5
8b536531f5ab8c888ad3dffa06da1052

SHA1
1ed085866ab3de6e0e614b7637d4f9fe25619dbd

SHA256
81a93ce89a7bad52ee43df283ef72e28c0999b3f83f8b74ce9331af4190a731f

SHA512
76ab9eb4ec0a6ec2cc02066fbe0cda006f2f5e3d7db099e8c3bf4b97e92aeaabc17b6a58391d0a7d2006e5ae9166cc66652471461aeafb5783d46e0ccf02634e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYwu.exe

Filesize
1.0MB

MD5
ae950cf435b78952a8536cdb85881047

SHA1
ccb62f4189caed80cc86c5fe359f037383fcd451

SHA256
ae5f8bf735b6df82edca260fa01fe32d9516555b9b144389fb664f7515a2d032

SHA512
52af79e844e4c0b859e8846f8e94607def5381e32514951bab3e10abc2d2546a92759360eddfca8abd0227e8cb7d1a1aee65a54f96c5fae699602ca6bcb6c875

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoIC.exe

Filesize
1.7MB

MD5
63b5379e183b4132ab3279cbcd196ad9

SHA1
086b63567749c3d35567ad90086898a5e79a831d

SHA256
14bbd6e23a55c4b3e3e85aa858e380de2a8850801780ea5fa31e89fe5684bdd7

SHA512
8870fe312a5c51b55f2fe6502b465cc7a011dde02c301ae8e7bf4735bf82bc39697ab27cf808452a0308354ebd77f996c65fac7337032e05601b09877bd2b177

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cocw.exe

Filesize
440KB

MD5
a855896b4cb84b24c889d9ab00db6c5d

SHA1
686ebd9a9fe6ad1d07b0d215f2baaf10daf48b65

SHA256
dc07eb2bc53dd7021f957d7d8e2a81836f1980690e2eafa419634a3f43e7dc69

SHA512
4df7108f95ec8dc6fde191007ce55a598f6c1b45246f77501e7d3f791a846f7681e8b192bb06e17a954eae205238086ef190f36e90b906291051f9206fbdbbd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwcW.exe

Filesize
436KB

MD5
bf8af73e14069a3c27da1b2c2b2ac824

SHA1
3b759765c4744f3b1dd004ea7a51436686ac520e

SHA256
205b3202948ae31261648a69454a1f80eec4bb39a69e4599b002e851b389d1ef

SHA512
698a8bf0586a7b04de18a4e99f46af2f5dc5de473dc90f9bf9752fddba36cb73f9f4d13c1dc4031d54bba0ecba921a246d9a702b3a457262109a40b6ad231af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwsq.exe

Filesize
845KB

MD5
393f48d17de8a53665b1c082a70faa74

SHA1
1d88d290859d9533eacdc792e1b3044a329e3bef

SHA256
ae2d531f7c47fa009e740ea1b175a80f188ea9f6981b15d7376f9bd72ff130c4

SHA512
e346967aa44a635ee3cd890592a5bd2fb83d3fb9cef5108cd225f82c7dac20ec2829a0a7c76dcbf567daf37b43c24f1e70f89b4e38832e78ebd237e195c799e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIMU.exe

Filesize
440KB

MD5
1233c075cf3a2e4982a26f2ba1a143b8

SHA1
2bf5226e5ce58e7f560d2851d8427b1e36bb75da

SHA256
eeb324177cb8579a6e61ba77f0f9a601d3381b0c6478372862f45afb22fe2935

SHA512
0c1b03656496ceb3892fb3e95683dcfdc2e272d1b72489594edb56e8f9e5bb479565b11c662489c1a348d0fb2d49f5c39ae7c7b4d4e84d7cca7ddce893242c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUAm.exe

Filesize
449KB

MD5
cab0dc098d91072620c74ff3e9b6223b

SHA1
a9dd19c11c1452c13765924cbef8f6e502e7ee74

SHA256
25be185a4f40928e073f7032c5e5354901ad10c2394f7774f4a6e811c21a8fc9

SHA512
c6b140cb77ac66ca4a916729c42905b92424f43c4e301beacb3ab11972731588d715bd6af47f2fdcde7f5583a644510bbd776d3326bafd70d0b633e169798c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUci.exe

Filesize
457KB

MD5
bd249b2bdbda9deb384d2797261a13e7

SHA1
2a3c3fd83a009a79cae7f807cf88d904d214d39d

SHA256
156de5171e142aace0c798c4f4315af9409007a4b501222258c4b3d4b4c99466

SHA512
11aa2b28105697e60e6ba3e3209a80fa30e6e1804c8a7c14304a2a0eb248565dac5e77384bfbce50664f01e86782679045c0efe32f1daf2befd1d0ab37043e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsQC.exe

Filesize
446KB

MD5
c9cd2ef502c2b2e9d7edc7f8268eae84

SHA1
7c5c42b57ab9afd4dc9969f6575bfd602f05b7f4

SHA256
1002d5a0b8f04a7d13e9ed515c591bc2ff0ad8ef7c42552acfe8117bdbcdab56

SHA512
b85711766ee284d2ef0e61dbe478b8f410d05badc238d35b1f3b213ada08c35c3aa592f082b759719eef122e854a90aad08e70b9020fa2f4563cb214b78e2272

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQwc.exe

Filesize
751KB

MD5
ca68f763ddcc073723754139f01ecf4b

SHA1
359bc9822cb20ce8842c34b6fd22f5fcb3aa5c14

SHA256
41315f54274d1e982e32917f735061228388f5ba2197e520ab40380014d7d764

SHA512
3ad54ef99bffdf329045b760d22f6282c1034e83f917c002e9f3cef0ee271ad8a70f6605c284476b31347107cfb8868d3ef81f93bc1699845f847be3bf6517ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gggg.exe

Filesize
436KB

MD5
d0068eb65f17a7751bab133a89ebfcac

SHA1
ba472f75eec132e73f8e94705f08913ec0886fd0

SHA256
66e86df07f2103d1572bab7920753cff970c4e48699f1e901d87fe42ce9d228a

SHA512
c3694333f3084c9b39c5d658e01656beca37719df06ed38d426289f31e8d9d091b0023ae4992067b023c6bf4e59b6e4072c3faa168e8a4bb887a7049d7a13d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAwC.exe

Filesize
438KB

MD5
5c4c16de5286b669a4f5871b9d2dad63

SHA1
a76c532f96f4d1232a9181ded33fc1c50a668b77

SHA256
01e1000d5f61d3de33cb73b360cd0b06066c037cd5702be41dc04db0f2f7c3ad

SHA512
15879bf01fbb25d9f36b88fe8c4bf3efc89d79f3654887c4ea06c6ff7688a540edab5b05eb209d46b9f15810bf1603b42a5415223ff052c02195361570165e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYIa.exe

Filesize
561KB

MD5
ba5d0bcd71512c37132c707b992faa4a

SHA1
95bd560a869d9e1d8564c612ab24b93b76b2a3a3

SHA256
bf205c9b725aaa63b723feb2912a0a259416e93a63af599de7b8ddc7f1f0ce7d

SHA512
3d407fc01f19f760135f841a31362de8c883a597c6997de1f3e8e29fd9084aad36122a6cca5be3647e73edd79e8ffd84e4feced1843bfc1f47f8167fa8ae0712

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYkc.exe

Filesize
442KB

MD5
27e380de3f3ae9ca6063f54354dc962b

SHA1
2062ce401f4b0d7b8bed96fa3f8ca4d982935b4d

SHA256
d7e1baabd28e204a52d225c38de33cbd6862577a96e2ae7ff9eda0b0c021c022

SHA512
38d3b312d895ca5e0a875518c4612e81398a420f63495f58fb65b2ff0cb4a0fe81662957c36b2f5fbb3e2464c7f519e231c240579ca297b7b7a7fe107221a9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAUs.exe

Filesize
434KB

MD5
8816984469811240ba6c29b5fa700dbc

SHA1
0ca8885959fe96ad4b918f924be4f851321c2d36

SHA256
292690045948d62aef0120470075e98d47b44e67cb8be805476f4f6542d23404

SHA512
42fdc3d3a4d42f680fe62bc345c6fa96a722d64bd1d1d17c247a33705573a1d4ebcc06d07cd36816641299781f976eb46e80bde521ea627cd3e3546714b0f05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMsm.exe

Filesize
439KB

MD5
6c4b84953dcfa37fd281c7397651a0fe

SHA1
ebb1deedf7c1beda234d7915272f8146f226b6b2

SHA256
70e6736acbe7371f0f2e8d4b4fd0510fae289c198b82ff77195db4534d6c65ee

SHA512
5d0118915e355e651d50fe95af66edb9739de9dea0eecd2efe84af269ac9aa56639dd410caae65e71d920cc2ad3861bc31d1fe920b7ff5b1f8311f50a6687de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcES.exe

Filesize
1.4MB

MD5
da9e2a7ed35c8a3ae19959fc673f9e6d

SHA1
8eeb7cce2392be79a343e1fb83dacb284514baf4

SHA256
f14f3de48ec5ff5462eb11180f759d16629b7630dd8148ac420b7dc69a7a6635

SHA512
5c5507051faa5f27cb4896bd5b280059650e22e9ca1de0fbd988b5be711fddc7d0a8f3b3cc96d9332398bb788b849159cf6b09fd57ca20a53f4e0ad802226947

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoUm.exe

Filesize
782KB

MD5
3f3fcc4a4ce7625b13b78ba839baf4c5

SHA1
66b15a6d332df08723e70b2b221242dbae7b6277

SHA256
d3e2f71cc6607b2d3ec020d6954d39803c622f29fbf3ffbd3b49119bf9163d20

SHA512
1f20fa29cdd2b5b8adbc1a21606370d861f8364951a6c6ce86c864499c4dcc975fabe894cc90240750a329a54a9b285cb4a62c4fb7074bb30144081a8344c697

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwUe.exe

Filesize
1021KB

MD5
29ff5055cf49a2941b88dc4611b42c33

SHA1
1db179c839be6fe0e6c0f5ef3000c91fd552d190

SHA256
4eefa3c9046fa88df1aec8c9464310e4707e0d539f7fc2d05b3e7c96321d78f5

SHA512
653a7193221b8edc1b269591716f721a0fe6c3226bd65f2e56b550b7208030b1a88a53b5c7d35b9446da413d6f5e4ba92ad98bdfc3afc3074242253ed5454a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQc.exe

Filesize
443KB

MD5
d9f6d4d960b1f6fbfaf539743979e51e

SHA1
1a57c0c9242b8cb6ae0dd21431b05863fbb9c4e9

SHA256
56435efb08660de0b78b5eb56467c9bd9697532fc78fbe62fa352639c43c2891

SHA512
fc8c66715c47aab6111daa35cd94b57f0f36d4af577009be0bc54bd1a9409c7e088c9b48e0cda8c79af137bf663fc50e21925afde80dd2814792bfbb3c59825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIkS.exe

Filesize
435KB

MD5
3e0c7d603d4327cc7cbe2c1dea450171

SHA1
d6f7bf334256b9c60b2efadb267488231fb97d80

SHA256
ba33eb64faa9981e4f4bd017b289c611d277e0dec3d3ffedc0cb33dbdea26262

SHA512
dae2bb6941ad363698ce207b0af1afc9669c8120a78c961a6e84df999a7be34950ce9f08dd7ec9fcce8eaadd16e300727bde206a78dc437855f1ff68da99cbaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMYc.exe

Filesize
480KB

MD5
02da0ad5507bcc6d47760ae93ee78ce7

SHA1
7d0a85a3239c20657b025eab4da2cdaa69e9157d

SHA256
f9eea486a90090d6bf210b6d82cc149beecd6127e1caaebfc4997186302dbfc6

SHA512
6416b0451e21de3a4452f88bc8faf4885945a7f6ab75e35e031fb3ba03568ebd851a7c9f4d9fb35c18772bccea5af87aab9dbb9aa9426b3314a3c1ab7168db16

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUMS.exe

Filesize
438KB

MD5
b44810e9fadb1c0ecb4553c2ab5b19d1

SHA1
c0de6b520088465a29176b2b88d89196b9e7d4f1

SHA256
d941874dd36ae9053750e31974446d67ba091dee818fadaf070078ea0c828a4f

SHA512
0911e93e5e1c0a38c32f6e1ec439a5828659b00c323b78e41a1f9d4580b8a757e4d2a40a2b22bf7d0246f4b029385ec73e8c98cbf60336b7b152ebac19a15cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYQe.exe

Filesize
2.0MB

MD5
dbc66b9f0e7e2397860c740fcb7f761d

SHA1
cb29b5088368a1606fdc5dd6dc422b1d888e6541

SHA256
2e2668e86cbf61e3fb6eb2ed445477085ee0dd6fa68b6bd3a1cd4218780144ff

SHA512
c7dcfd0c2324999730428d8815a2979084342a1bd31a19e4fda981e39bbb9c9dbf11e7ea83d0463e24251fe46b5d53479632fa15212c3136b37e02d6e5d389d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYkO.exe

Filesize
886KB

MD5
23ff3319a22f595e033426b0bf0962f4

SHA1
a16a94de1f177f4df8135fecbee78bad81f3b2e7

SHA256
3154e88afdb83f177a568c6f9522ffde1616e775decc91b9b9a646d1a3774da8

SHA512
d8a9efec3a1f7c0c39304ed20f52e99160d27e542dc747d2c4fd086dbf4dc5fecbc19675d6203abd16db2ccd3ffafa878ba1d658428ca33d66a8713e414d19d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QCYEgQYM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUUU.exe

Filesize
438KB

MD5
bbfcdc1176c5b9a99beb194c32eea562

SHA1
73d01a13d57619d8481844237139a80bf629194d

SHA256
7e73fe56f66248ca141f70fe60264e3a9c58ae93a229508745f48296c5965751

SHA512
02f7c10e279ec21f7f58240b65a64e7d75951cbaa20cb3699856d694ba6687279deee70eb316288982871fbb88c37f23f3b1c64f380aaa4d860ceff6911cad40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qksm.exe

Filesize
1.0MB

MD5
08516492b13516000a93aa14e26377e9

SHA1
087b7eea36c7865b5925b39b5e7f3612d669a9bd

SHA256
d4c8f637bc6e331a450e4c6051e648cc6475443a1b25cbc6d82897ec41c32640

SHA512
896c51f8b54a03d687d54ab34cfe8d47e239ef82fdfc28bf8380a2bd28746ff39c2276dee6f77d0bcd4592c345d2205a0c0e112dabe27317db29fc48859873b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEwc.exe

Filesize
1.0MB

MD5
e6024161aed43462838ca6bf7c35dbd9

SHA1
f20dd12413752a9cd6a9403971d5721112db51ce

SHA256
e65e1a043b0c89c941e6b7ea0ce6ed8792e4bf3f7d029bc2cf5c7c578e295244

SHA512
6a9492ffacf8935211e34e03aab9a5e76d0758d82ff62ac604a82438ca5e54e4f3c6b0cd655aaf243f8a6d5e9908ebaa3e8ae59b6a51f504a7cfb3bc73a91ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScIM.exe

Filesize
451KB

MD5
8b8d1323bfaa9d4fe224c4a4bdb869fb

SHA1
24b478e8c91ec00175faed50a7f0843cdad39196

SHA256
a98ec657f095a898e29ad6eb71df272ee1bb3ac99b1b7cde3eff2d0bd190ad2f

SHA512
3ba575879878657b0f659732dd031b5e5cc226621b72157cd6f4552fdda0702f74da047093ff4fb4626b84e881d70c4a1c0c0599df5f49cfa12b3871cde5a4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgwG.exe

Filesize
1.1MB

MD5
05ec4807e7e24e2cddd1ee50303bdf91

SHA1
31f9a8889be5fe504583e0beb7569fb223e4b1e9

SHA256
edfd5df34f7061d3d0065587dae6f69a5d0efa3efb83491cc73a564ee61a297d

SHA512
e60c3fe3f07d0a6880e1b772c7a811c2829f91f84de0d2b793a7cd505fa057cb500f3c4ed2e4e5edab87f7529235a0a3ee68264595132fc5c070585a688ac1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsUc.exe

Filesize
440KB

MD5
421cec3ca32b50fbd3d3a53465574d9a

SHA1
9c79e74d41da23b01bf0d82bf727f629c5c60894

SHA256
b6be18c41dc4f696fc0b22a28157844367c26021593360427acfaaf5b4e97870

SHA512
f73edddf57782a337ba61a16718d023e0c34abc41ebcb890a6f146d96bace8181cfcab3fe7a76f7bd683cc6dc4ea5842b93a063d58071cf0df7aaf935b1c6d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgEk.exe

Filesize
433KB

MD5
a0b2e851f3916295d115aa72352438be

SHA1
6a6f828f0318300eb7d5a8ad0410c18fcb47d361

SHA256
849ff2738b2a01ea2ca662cee272f40ed3c24ccf25f98e1eb4121a584fd55d22

SHA512
58cd832145695b2e875431de1f09dd15f4c922bb31bcd5f9a720bdfaedd2f9fde8c5c8be3e057341cd479f51d78f6887212c964df2baaff22ea908754b342980

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkwG.exe

Filesize
434KB

MD5
021c6a5ac71da799d8303f706c6e5b27

SHA1
5b22cc4bfa693e4cf523f80b3c97ef3bca016829

SHA256
729c15a3e8e573a96b915352a8072837e31b954f530518ef097880081cd0f97e

SHA512
a30ee875eb406173a19a296d7d8fe831cd6f4881ab9efd601a70ce57197b955fe592bda9edd677c214dd01deac997bfe9ded5f038bef5c59b26334cbc114d3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WooE.exe

Filesize
438KB

MD5
4ad76eaca8120ad632eef31985bc4f11

SHA1
cbb0d073eba2b6541623bc1a95926a91f3161f4e

SHA256
a727f9c070c6fae5547e1241bfd5ce3d173a11dec559125aff5404e4a6a9b98c

SHA512
daeea70c1b5160f2a6c7479c5e70e21b687ddc871d8c658b8ca059f37b76727d9cf383a07df0af2fa9f3b08eedd5ee6fa854c6747c4f6fb8ce67c4102529fcc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WuQg.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwQW.exe

Filesize
556KB

MD5
2429658429b3e7b8fbe4c347174c2114

SHA1
dac9eaa46130a135ea55dd44831e362579535ac6

SHA256
37e3ab96f69408e0b354e117dc6485241343c33e07ad12d823f744f433378049

SHA512
5a52113eb31d8207049d429b57178a85804d92e43c36bfeb829489d70c013d6375b13cf1fbf62f3457de53c9180e8c5168b3ed441e78b38ac274eb5e8e9abafd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAYq.exe

Filesize
437KB

MD5
ec7d91b5950c932c5d1008cd2a95c9ff

SHA1
5413059de6d58712048ca03ab0d41ba85a025e98

SHA256
7109a2ec7dd7e4b41ba27aaec17c860b1d1cb698077588856f1b5b6394ac952d

SHA512
5b284af2440a7f7c2e7269a81924f80102098c5020c3fa956521dc2e576c4559cc46c003b006f019d95f4d97f3ea61eea61042ccae7a6ce654f35d1cf6d41cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwQW.exe

Filesize
563KB

MD5
21741cf6942589e5c106278a99ec38fa

SHA1
1ff3bf9be814c01eafa3e4e9616fe74774144488

SHA256
7ec76094c36bef29c15d36539f3f28e7ff14872f1af6e3195a2460c9b3d2c9fa

SHA512
37b1ebdd885475985f5dbb59af31529289ce67da79137074df05d128a62e7fae5bcc964336a780e813335213b248a155e7a9b4ec12091da0ad45ae37c90e0ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\acky.exe

Filesize
457KB

MD5
efcdba12ae0683faa9e6294bfa5713b4

SHA1
afe15d9f6cb1f9cc61355280b477af4e984afa8f

SHA256
74282e339b79b69d18863009470ed7225fedd380572866329a4fb57236ef233a

SHA512
4d930163258703a4910581dcfddfe8d05fa3d3f36730cfae7b491545481669cbd507f1c9636d52ad0b3e1f8cd214b567d611611fff51cc6e8c944a710afb40d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\agcw.exe

Filesize
446KB

MD5
ff0461e7dec1efe64a13f85769dbf002

SHA1
b5f162e469c9908b2bb713a13158d090718e76d5

SHA256
3ab1905c684cf3676456cf00f332f1a1d9a871df4cd1aa37b1f4f16825d39b38

SHA512
9ead33af416d160d8085460cc5b12e3a3b2f2947da5b2d75221c26ba858df872b3a93acd24f7d0746f1316a74ad852545d34b1d2a66abd23d816e2547a335f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\akYG.exe

Filesize
459KB

MD5
40185b9267cf5ca1db892a7fd63af19c

SHA1
da046b33099e4dcb858d9f617a620830f494bc80

SHA256
00bfa81bf682e3ddabed51d285096b1712dbf06ecbac7a58c6acfdcc0918bee0

SHA512
2017ecdf2bea13dd05ad8e489af406c28fd1a1bb7aa9848931cc23770dcf824de66b7d5b046b409464d788352d7fcdb37f92dc397c94c3029978e15240d31460

Download Submit
C:\Users\Admin\AppData\Local\Temp\aksW.exe

Filesize
438KB

MD5
0219225f50a41455d2d21c95f5179b02

SHA1
737a8ae381eaee10e38577018c745910f983ea51

SHA256
0855b13ecbb73d5278f2ce928998001f2ea39834f123618c842551b01bfedd25

SHA512
fa44db7c9ad6a2d8cb2644cc349966fcf4d77ea1c5d8772df909bc8d635d54133fd3527a0c4a2ec83900532c55e72a8d0b1c1a9588282b5fb6b649061665794d

Download Submit
C:\Users\Admin\AppData\Local\Temp\awkG.exe

Filesize
435KB

MD5
9c500304c80dee3a329f2d01f497ad7e

SHA1
243481a966d29ef34244e7aa10bba136193497c8

SHA256
4465f72a532416b879671877267e9b0686a263f0b8eb712c127594dff641892a

SHA512
2909d56ecacc163b56c39a44b484c8616ed30d9edf5461f78e044b7ec378218472d26eb0fa10fc4d817dbe087e17ad95ce8b9a972762a51d8a1816a639fee156

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMYK.exe

Filesize
672KB

MD5
c38b78234cb4f4a24eb6dfead592a36a

SHA1
8ad2fa2fc1911fc38e2302f57595bea6e60ac0b2

SHA256
161e7d93595ed1458dd5d6fbe04b83db9c9a417f62a985ba5da13bce20165b4a

SHA512
0a7ed8d68b1dce3092b4f4d25192738a92033680b6d5ebdca83b52cf01f9793d90efd781e6f439b1521dd90532e3a1b4032ab75dd93f9377192cfffebf91a0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQAa.exe

Filesize
881KB

MD5
17b06fe142b6d7e32f91f63533e680d8

SHA1
0f699323fcefc704a659edacf54cb28f405e184a

SHA256
397a2a5d0720a28234ed1740179b2b6d4cb0bf1582cec124895e81e30e901607

SHA512
56a4789939ac90c11072f705ecd7548ee09947772b00dc914a3bb8705347667ae1274172a26d6ece2fab18b48cd50186c401dba5929a1c1b019d2e34619ec0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUQg.exe

Filesize
901KB

MD5
4e3d1708ad8294bdbd0dd14efe726fa0

SHA1
979ce202cc26248601ee0a38a46684fdbf2e6f87

SHA256
42ba38f1a8242a8fb589bd2c8718b34af50a1ed337b0d9fb4d3923a5d5507f47

SHA512
bce11a2fe30c86b6569fb82bc9d9c20f1366b9b8716fb6cccdd4f2ea43634058db947737e3fbacc0e4098b70ad1a8768c16ed8c8fb0f5b88e00a8919d1f678ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgYI.exe

Filesize
443KB

MD5
153ed3d040cded9b0df982caedced89a

SHA1
fbda87278f84c498610584f83d8dec7732ce91fd

SHA256
c65f766231fca7be1bf73e9bbdf42950e97d7ec7650a90683284c8c28a3f167b

SHA512
3a3544a78ecac36298a43752a58604b6b0add2f48a374a6f17cc88af53a3bd10fe265feda41a8a2b694c79b89310279ded7f8c2aaf753c7f0f3dd5ff8cc81e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckkU.exe

Filesize
1.2MB

MD5
57371638b2d4810cbe36478132b3721c

SHA1
7b1ef602a82b97de7cd53e6dc1bcccd436bb3b47

SHA256
9d359ab1b14dfdcc9d95c9c367f5e7afb4022d86555020b83189d06bbe7027d8

SHA512
80488114688d11a1f0b1f30152131b0d3407a907595601a08f974b3cd931bbd2bb7064652de3e11694079b7e6a30c25b2393b7925780ea66c3b5b06ad5f16fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUMQ.exe

Filesize
441KB

MD5
75913cdd1bc92edc51f530424038c1b5

SHA1
78cfafda8c688c2b7ecd46ef4950ef4c6c33d21b

SHA256
fea320ecfdde38c885e87a9f57bf5c55833d1d630feb36d0ba3475ab611318f4

SHA512
bd19b0747edbe0b9d59d8b6a74816c691b3838fbc883e38882a7af8907345fe98dd70c777a696fe64da43b0fac53fe7c8043b51753e68cec490a83ce3d2dc379

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYog.exe

Filesize
573KB

MD5
937d860233a5bce8cf1841651ca3c63c

SHA1
3656c6e377cf07496736185989722f74a0e90169

SHA256
0b804ac579d8ead1565955b56f79356cd8c8d0b9d084d71bbcb5935976071feb

SHA512
92991ed57e193b470b684a1504facee4405aa88ea3a25e48186c455ea32d3e16180e25e40fbeaaece6c1f38440363b8774b5714674ab3fe84f24a8e2fbe49b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\egII.exe

Filesize
805KB

MD5
046822886a85f4e7e793a982c2689c08

SHA1
e841fde36d21b0faab5580ad5d4b5de2e656444f

SHA256
ff1633a885e731f1e1a0facb73720e0bb578786ee3c9acec1971490ed965214c

SHA512
e9d1bb57cc5222d8a471dd420681aab45ecd2dd8d54bfe3e4e2d0c60822205b3e90a1327fa82e29dcef1d94f76930e7f645b48af614dca13eebf2fba98e44106

Download Submit
C:\Users\Admin\AppData\Local\Temp\eocs.exe

Filesize
780KB

MD5
ac057da3a6047f81b7fdf0f0bc10083f

SHA1
eb88272272023d976fcdf0892309c88d1cad7ddc

SHA256
51fcb72b1f0cf449100cc6ee893788e74f854008b37e3f1e1e92be421da49a24

SHA512
380c1ee42e951ef7ac7760b214415d06df450ed64bb775ba6f3a4c2915e608917b5b0c55f2fdccf387c34e20cca4106cc3f5abf15d632b7fd1287f1d1111cd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEUO.exe

Filesize
5.5MB

MD5
c60e6f2ac41d82df192f439c4b617f59

SHA1
49ebdcee2a70b1b986bf66e7cb22ad96a456e0ba

SHA256
9894bfd592b7b4500f3ba68b0b3caf2e1e7f0180620859ab6c0f8c1e60660ae8

SHA512
28031ad4adc853529b7849cdce7172c6c02c1535b0753940140b6d68e106e3354c4c7410d3a09abb32e5a4d3e4f1628bea286c93161b78bc8eb50c7c0a2f2570

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMEA.ico

Filesize
4KB

MD5
03c62b34b94a861c4f99017a91bc749e

SHA1
2ca36583370792d9d56be7e5db98417188adf5a6

SHA256
6b1018b4e474afacb1c54331284d85fdbc2bb5e945466dcbda91231feeac5fd4

SHA512
4260811ca36c05c15db789932b24767db68b0dfa1a0590e8d4f69328e208c38693e978d892e0d229756a8ab9092265e19b0a0da132f0542f8460be54ba6371f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMQS.exe

Filesize
438KB

MD5
c9d59928bafb95bc07030de861bca499

SHA1
87bcc53a0978d6bab92c0922fa9b51a48c201963

SHA256
d24c09285956097183ce93fb3f648dea66fdaa9cb617eb7eaee4e4ee16121528

SHA512
e643d6647483104e557a7caadc535fbcef58e7fd0269ad3af89ff6b8ae18fb1c226fa5d22afe906a47771eda59f83ce8222bb5e3a0ad713c5a2039235492336f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQcI.exe

Filesize
1.1MB

MD5
69a2a0ccc076325114312c01c9183443

SHA1
2be2de8e7cdea3e5b9ab2843df519112cedb3d54

SHA256
2e1d818258b47847e6f218d9601dc61bd69e9697a054950bd22c40392a6ebb00

SHA512
23812afe14222b50afdbb5bb6db56054e627d43eafb42fa340d7bd6beae61dba3fb47c991e6570c1c237a11a13724becde114d9d3e2ef9deb4656d1d94c39b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQwO.exe

Filesize
440KB

MD5
6e7fc8bdc46c3ac0c5f809dbe2f3e7d2

SHA1
2ba384c778e9f5f305556a236289ef5306aa8978

SHA256
9a1d1a19f3fba396f01dcaae5be31b3222b48dae81e1a5eb4d146f5fb8b282cd

SHA512
f42b009c477b7009dbe6de43d0e4d1b1e49509c3025877eda0eec9abad6692e93588ab80e8d9cf3e56e9491b8daba359bf831edf50fd8e1242556548d1266479

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUcO.exe

Filesize
440KB

MD5
d807c13549aaa788a6646e2376f159a5

SHA1
4a15f313525d44a0dc3b41a1ee5308175b273af3

SHA256
b04d1fa1e78e3967c084c631371d4496d1b7f22aa8ee8b627a2387e18b3538c8

SHA512
68c8987e0dcd06450b9300796e8440c7fabfec4f6098ca33c76c6e15aa0d5902e3440ecec3d31c5f0db4575cd9aa742dadaa88c7e8d59bfaccca25188d7f3e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUwU.exe

Filesize
439KB

MD5
c4eee2faf349b99ead748449b413be94

SHA1
54d5e6103e6398e8842804fc1d5a9b95b0399294

SHA256
44ede1a946fa14fd6192ea399258e348c7e9fd3016628c4a21ee912a646dcc5f

SHA512
3374fa91618847dd1c23e14503c48de5ff968e97aef46fc43a252730013d65be7d677e80f32708cb99e458eba1cd9eed1d4b7d5733aeb140bdb98c052b1a067e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggAq.exe

Filesize
890KB

MD5
5d375b2f638a875865f247a9fe11e4c9

SHA1
58c6872a79723de064b09ae5febc524aac1940be

SHA256
a9e4026a4a4863038e5fd594131ef4ac56ea5eece8034230dd308445f0cce7b1

SHA512
8ac0d6e0dd5133cfc413e5d39f92a88821a7e727af6ae7c03fbc16d0f7b55297436e8b73420f24da2fdfab9cef874bedec5676ea0928f8b4edd9bcabe6061a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkgK.exe

Filesize
1.1MB

MD5
39ebb95f2263d81664bd7f3cf8325cd6

SHA1
efbe039cac11540901c283db4a660ef9f565eeb6

SHA256
da3a507598e61c78684f6e7afc53496c6882ad14486a782a9629a15f8b656460

SHA512
17d4a9abf0038f8d75969a62eb8b93b52b84a2c42a842cdd63ddcec4271b69a9e85b950b8a12265ef7c565eddfbd528cab27f8729878c4acd3d996b12224275f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIwi.exe

Filesize
443KB

MD5
ce2615585ae407c60034c9235e39db31

SHA1
51ec9e05afd59b04f3c85e1b335cfa7af71578ba

SHA256
9efe658e57540bd46b9f76372850cd124b12ada6bf20c62057e745c8cc235fe8

SHA512
7d89f585c7739a268cb4e17e60572a87652ce9971a93882f59af9b0f79e3b698e53a37ffed09a842e79de81239ea7626e1d41dbdadbc545ca99327464845ebcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\icAU.exe

Filesize
503KB

MD5
ec454a117604da0e58d35ed9412ed24b

SHA1
371486cf673015057436755b4879e0278badfd19

SHA256
a4edac7a4a388c01b7fc823c5bc255cea646dc6bbde7a324b50ec5e3c6a6cb6f

SHA512
a73f941f64fcea502e1d83c9fddf3e5b9144391e9c270f075d03e5b4ad6bcb55c70e30e9030b44b108673ace85f765bd48b5b5f0382129b3b72a5182004e39d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEMA.exe

Filesize
440KB

MD5
46aceb83952fee2db7a67f64d1a09283

SHA1
360d128e8d396349e431321e6ab6d350a13815c6

SHA256
84136642ceb56f1a2bb78bd21ebbf008c04c725bb12bf59e26655751ba8f37c9

SHA512
8795ce749e54bfe4f04c58426424d29c80073d05c0158c760f2c0474c0fb0e361298109e8fe23f77816ea2b111412f5d1d17677a228d0d9037cd234fca53d686

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgIW.exe

Filesize
474KB

MD5
57c482bcc9576ac220e0c0f25edc6e0e

SHA1
9b62407f206c738c0616789854db4c93a8717107

SHA256
1940918a7b3fbdad7b70f739a7d7aa9726ea39ed0f741d2fc8a03eeb4f89d52e

SHA512
a5296a2e8a67447080eba77726c63d1413fb135198524214c92f93ea72ff5faeea050193e7a76e915f137689bfcbb5afa153042557e375d6fc5a43df196aa45f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgkc.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgsK.exe

Filesize
432KB

MD5
f60c845ec9d674c96bf1708dd0e80b81

SHA1
c09448dfb9cd0731ac27a616646c93302a39190f

SHA256
2e88d55e5ad08b828a32c349eb9a031a18587b8051d117728944b9ba2e2333a1

SHA512
438c8092af291155f00abfeb47689f76e140cf6d40e14021a7b2dad96822630ab04fa08824cc08b3727fb074186790e2e5b8ce1a4830ef29e085b90c60e880c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kogm.exe

Filesize
1023KB

MD5
a107f89833f6f1434ddc54438414eb8d

SHA1
a90e08ad1d2dd09b0fbc660bb670bd434f299dac

SHA256
59de5181dafe8d35b40dcb1f266f0c53bc2eaa83493d2f54a741466ff689bdbe

SHA512
d119af38d2361a1b581a33af501c3aef3b0c3613ffbbaf5fe2516d347477955275fff17187af79fef8f5e51763457ffbf70fe10b5c174158d143bff232cbc57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksAq.exe

Filesize
446KB

MD5
5b1f4f064e103a37008c11203adda795

SHA1
8c19e00162f3c558577a8bc0ce4f518e8f77148a

SHA256
a55c197c047cab93e7cb978fadae0f4d9dc996581bd009db594c1cf9e00cbdc6

SHA512
c9ae8f712d1a77a839b7c67e21a8744359a544d6becac6842098463c7b1130a2a41772589f56f460f3d775f71cfe2d227e6e8893ed5a11772a787f22890e41d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIou.exe

Filesize
471KB

MD5
35aa15cb5f1bdbd5869d0760ad4e3da1

SHA1
fc741bedfda3d1f60191ed5967d5a65108632e3b

SHA256
140a1e4a19bd14ad41c1c4189c1f7f54d8ff662214a1366ce44a3c33a59e4f8b

SHA512
7feef1765be76c5e2b0353d32815e00333584849173d875ec72ef64658fd167b76b4a1fa3de4fcda358984adb94060f05a76a1c1333b2084db73164a8d146057

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMgM.exe

Filesize
875KB

MD5
d2b9a77a0a66f6249282608eee3f2ec1

SHA1
387c551b2a922faf90876a9bc79a8237f6a41e06

SHA256
16563b97e412623f7e63661b2a439a4dccaf9ce4346ac77d270c5b0fcd335f6d

SHA512
9901d8dc0354852aff1b014a6ad2e313cb56ffe94011846a9c0d110285623b541cbc94d403dc12bbd63d2cb3a0eeaded65fbc9205dcd5d3213a28ceb732fba39

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMwo.exe

Filesize
444KB

MD5
bbbfa387449cd936de55179e2a2f26d9

SHA1
c04185177172509e86601cb94c2c3f93f5ddadab

SHA256
bdf5d24bfa0a0d4c5e101e95679f6bc0b50e1df4e8889d6e9b3c019afe269b91

SHA512
7d5b68e2346f85ac03995fa129b8d2540b0be7679ffb2bf21c8ab4e4389ead5ae210c87f7cfd1d93c3d7e57fb9a0720ba1262d4015d2b1fa6ac075e054484268

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkQU.exe

Filesize
445KB

MD5
b6bbe4fa107a46eb04b1fd5268ef4c54

SHA1
9c1e04fda71c258b15f85c8bad1298cdc4252d40

SHA256
21fd4eb7354decd07d39e9828c0c4005871dc2a85a2a1862f4d7077f1bb29ee2

SHA512
1a035f34d4833b60400a7c786c4556271d2d1994aee5dfc0aaa7a4981e446bba596796787c78e848050159c61f8c0adb3cda8d635e38eedb415034210295b392

Download Submit
C:\Users\Admin\AppData\Local\Temp\msAu.exe

Filesize
1.8MB

MD5
ad48643c9d2ba3d5e90513f9a48b0eca

SHA1
4e8692f664b93aa80f7e43428e0905201be49148

SHA256
4b7f452e447b8bba8deef54b41a4f8d5599a1fc82a81bcf9c7e9c171e1761dd3

SHA512
b3940be2dd28506015f4fe4599d25ce536d92ad17963c59fe6515b611c4be61780e95dfc3dd95ee885f0ed637c640ff9ff284bfab6a20239f5c0e038dcca7ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIIu.exe

Filesize
460KB

MD5
4be1297398da8113e0472f33c39bce5a

SHA1
e8e516d1b1cb7824593fd9d4f69743cf7077f340

SHA256
124f86676f51b17fbb47b3f19218b34b7f697945079ca923c7f7c08c6ecc3e43

SHA512
77563080f79586143729a85f4585a0dfeb881fee3c0c923d7ffa45cf2000bea63b6294becfb440469786209f2a628f581e011e8fda3c262fc1259f83ec8067b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMIc.exe

Filesize
434KB

MD5
143c9399f585ce580a036f10c77147b6

SHA1
5243cc54418e0af7405dc44b58fea802b5b8c98e

SHA256
c88680ff09e27ffa51421f31c2569d5840c4c186f987e88debfccdd1ad32282c

SHA512
90e2839a3aeb6ae52c066be1a8c285cd13fabeb49a86b4ec788b33e22dd5573f41a628c6168fec83b4b5e1dcd13174822bf930e2fdb71a7a3da88f7c0496b8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQgS.exe

Filesize
1.1MB

MD5
70b75e0235aa1ce3bdaf6218cac58fcd

SHA1
c687e5a172d4e5194eb3a7273cb8b20abaeb238d

SHA256
d3d35ceafe49ec228ca9707c94869cf3c2478f824db5068176c1f7dcb15fff14

SHA512
2db33a15a7c52816e657685472a89999f588991092d44d824ec94de3dcbf2cf57775b531d760b242a2a207cb6e7fbc1caed7a258da98cb1334f7d1806ca27bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogEO.exe

Filesize
447KB

MD5
94e49f5da2f0b217f82453f86f296167

SHA1
48c9e79854c41570dca785e7905423f5697ae472

SHA256
43ec057f45cb0019c23ef7c7d1182ce88cb137b753974e679d0e953eddc43a82

SHA512
03af3972cec582d273d1190574888d91f5e0b16459e69a0c19bbe636d90402900beaaeb73c2e5d635e61ea61db2c9005c1c53cea69b31c2c539e34a058c758de

Download Submit
C:\Users\Admin\AppData\Local\Temp\oksQ.exe

Filesize
432KB

MD5
06d79bf3466dcfd48adc61004c299dc3

SHA1
9643df62134d83377c3c051c2abf02a6e0c67af2

SHA256
dfdffc6fc9feccf2b807e4787dce528cf79ada104faa28c6cc6291613800e63b

SHA512
7f9d05c99183430b19e175d02e61c557e53f44efc966dbc7d2e7372a0a6a22675183175dd26d84544bf203f6997f137db206fd7a9019909b437f738b1ac85ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\osMa.exe

Filesize
464KB

MD5
42f9ae0788cbc828634e1e352bcae942

SHA1
5d67506c5a559075728eb1d79f49c5cf83108233

SHA256
bd049e500dcc39796fe596b2dc6db577092b402866778c6cf2e734c20c5d93d5

SHA512
5a859ed7242f6a76e10a2bbb3a9c8d8c1ee3fd75fe61a0f304cc6fa82bbf557fd8a3b6eb155d2d1a6c796bc288bd211856e32ce9d4e09fde3716306406e8a3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQos.exe

Filesize
433KB

MD5
f3147c454b30848b32f903ec3a6bb2de

SHA1
1a5f6f6fb0b039cd71db4a64e5ecf23adb31d3ad

SHA256
eabf1dbec3c9234061aa758067d5f274b6d0f937f2fccd6c03410212229d9bd2

SHA512
32ec267f1000747c80cc9315d9bc9de170f51cbc23bf95edf5403293301964d3cf3c5c138bbb198e4ca6a3b107ee0748b133909d15a03a9bdd9ecadadf4a4e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEka.exe

Filesize
1.8MB

MD5
59c5e5b5928d366220aab53c7424b8b3

SHA1
20db0977c0f63f160097b5b1867e799bb467e08a

SHA256
9e796a29c72fbf40bde35086d188a95e76ce5f6c4548acfab81f28618fa285b1

SHA512
d2cd4d1d811c1b270676ae5b8dbf0f9ca2f00fa0fc25c182fcf428a3362f4c9e6a5848a0f2c94e5a7cee10e7ef8c6d2af455387a7e3ebab5b8d1ce29f3923902

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMsg.exe

Filesize
765KB

MD5
514d32b4e3df9f4a1de8453294f33cf7

SHA1
2890e004b4e117365a7dd04fa77a5026ed215500

SHA256
485e2b9dc60adafd0c8d700f890f57241181dd2e82ec1f4e562d4ef75f26059e

SHA512
f2680b981be094090f830f3254822b1bbe68e3f00ce93a9cc72a362221e9c4a85e54f19022371cfcfefd5e11d6366867d360e0c0ddd09882dec17532d4d4ac91

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEsw.exe

Filesize
436KB

MD5
2a30810c92d91426014b495287f1bb4c

SHA1
f3c8a6f686d71c147efcbcca49e2f67c439f4d04

SHA256
9baf93c612cb0605027f7b3e02e23490943b4293786a243f932678c073df1672

SHA512
3a29a056adc78e8b30c5a84f1a9c22abbcada6d0bc6bef82655fdb0907104ae91b5bf9cf106984eaeb40668bba0e2c1cc965c9272cf13333df6a8a25d3949243

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYkw.exe

Filesize
894KB

MD5
b8f011e93d018ebeb610f071f91f98ea

SHA1
72dfc921f6cde5b3a134a4b684d304a2de96058e

SHA256
13a4b46a302925ca70b91780f7c335866ced4c83ad8ff191cc271f50a61fd3bd

SHA512
08d3f534a3ab4f8f4dbb159b6cdf1a5bea65f85ad1f1a980b0881a6eef898d7c97fde06cd8987729a204e74d5c731e447be23c1224e676f985cb45ea377155c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoIC.exe

Filesize
476KB

MD5
6b4eb0d280d3aa8a594eefef068a3672

SHA1
f6290727b8c64ac31433254e32e1f1b5b3b58c40

SHA256
95a166875798be1f2b966a3635320b44d3c92fdc32ac7eccc57a6061bb47b9a2

SHA512
5b52ccbe08cad7e27f86297c4d0f283131dc9338e27238dea9b5a2649ddbfe6a93dd8de8b0b46a4240df04937a13c37ad8aa49e0ae329f0693d830c6cbc20552

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoUM.exe

Filesize
609KB

MD5
afed4c75ce21f3f777e30a7c3570da7f

SHA1
8c9633e2afe8aaee77c88bd2c24e9b6cd497bd05

SHA256
ae4b7e82dc6fde5e56dff4e155a9e7a1eccbf2bae3983578207e805706ae9fe5

SHA512
8352441e94255c7c894c1431e3f0f5f85ef52e7f12cccef81584194d58e63a4f79de2cec10abf51476c6ed3bfbef6a22ecb43d4d7dcfe1edc2a7b464d8e6d39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqIk.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEIk.exe

Filesize
460KB

MD5
4af1cbf7df84d0158a4f0b1e795a8eb8

SHA1
20473b3ebdb35f842527985768b447d0d44bf60c

SHA256
d65d0268250b58b45bced291e43ffa58d6439634d2cd9311a7e3efda62581bc1

SHA512
b24c38ef70cee7d121e6ed6c3f29ad2f2ba95f4d3a4b25d3ae12221ca2cae606c4dc10b22c7c598f714d69ac1f51d6ce2d1ef22c831130f473f82544bc21ba6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYwA.exe

Filesize
1.0MB

MD5
1d381b7c6b31f3d6854d5712c09c96c9

SHA1
1b9319c00349382ad33f720f3925ffc1d679cbe4

SHA256
4102eea165e699ffdee6cabb2cacb9dcb5808e0a4fdac48048b9bab472b9c1d1

SHA512
1c0c09ae1abb6f20fe644a524a1758c7a9b9eba8c691820fafc28e84c509350f5d5517efe1569653f965972698723eaa26292ab63e5bbd737e619266a910a6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUAS.exe

Filesize
442KB

MD5
757efad74caa0407417c1cd0f1592c1f

SHA1
2ef70cd45f231ce9197a2307d343a1b2311c6bf7

SHA256
dd5236c18bc43442826264b6d5ce6d68da42910667b51e4e8fdd4142b54550a8

SHA512
ef2839848452a59dd70959a8e310efe143242a5bee2e18547b552c558ae733f3fdb2666bbff285e2250e04d12c69f38b454c2045d8aed3f686811e18f4aa9d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYkU.exe

Filesize
1.2MB

MD5
e440bc2f2741354b852dca9c566075d8

SHA1
fd9b4285790366b302ec04239657da5ff9423a1f

SHA256
87e8e76a9fe5c0c006f00ab1e4c2173b8f7b8f6cdbdfc9ac42052ed337882f5f

SHA512
4b3ea7288d6b2705059f14e844761758fce62fae9a1ca4e4239a5ab0b07743169f3e3c6f13794f33dce92ccb6f33c4c3b0a27ad6e358c3a647080bfda32599c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywog.exe

Filesize
1005KB

MD5
20274a62547aa657a676ba61f5f4b32e

SHA1
52173990010e3f9e08169b33664a414470caf0f8

SHA256
c33ae50688cdca79cbde371ba95f05a92198e7b6fb667fc281539d18a9c83ce9

SHA512
5fd606d9b4b9ffc3e6a68d1febb64423b4034d25cb443b15a6fced494663d7fef09dbe265f67e71688591625ca1515006d4fe27d2290afc34b1cc07d3fab82a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyww.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\Downloads\MeasurePop.jpeg.exe

Filesize
1.1MB

MD5
e5081155aff244769ef762e9f844f77f

SHA1
c83947cd995764216f1c7207d74331af6f2dd3d4

SHA256
94d8b88d08ece2caca16d43bd5e23efc25c12e768880bf9a9d9268505dbb52e8

SHA512
8d7c9fe9a25b144cf368f8700ed852fb317972048b16a2227f17e055f57e9e461f6856660983f305e2c4a90075f627736582269c4e97bf41120e1696428069a2

Download Submit
C:\Users\Admin\Downloads\PublishConfirm.png.exe

Filesize
1.2MB

MD5
4cfe0855f11acfc1274af6b8b7d55f38

SHA1
a7a72923d58387e582a12481817fc4dc674b22d6

SHA256
1e65afaaeb0d1048766ca6fc6c22acc57993a313e744b4a7c823c1c1ea28f7ab

SHA512
b02f902d239eb1a3731a93b0fbcb663859f4f1e313d40178193ac84368219295b3fc8787bb12e9ae14b5a78668c6ffff3c9bb328831ff4904fd98f61c7d3ebbd

Download Submit
C:\Users\Admin\tcUEcksU\LKAwwMEo.exe

Filesize
428KB

MD5
3a68bae005ac809a1e8b15225c7b463b

SHA1
ce13354dc66672fdbc7a15d508e2382986b7992b

SHA256
e43137649666d2b6573d590250bd335554a51fc4968d0f8d72e6e8f6d78a9e59

SHA512
4cf6a130c161ac7e4fced9f65cbf667ef4ea16a33678940d47d826e186296df2de679b12ec3af481dee49e471c07ff8d6803dce47a8ca887c1d52b04643a8427

Download Submit
memory/60-839-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/60-712-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/224-15-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/224-113-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/804-587-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/804-477-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1636-1002-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1636-905-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1868-187-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1868-203-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2020-105-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2020-88-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2028-64-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2028-79-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2056-92-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2056-75-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2404-233-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2404-217-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2456-199-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2456-221-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2632-154-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2632-140-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2824-392-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2824-293-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2828-229-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2828-245-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3452-51-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3452-67-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3480-812-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3480-913-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3496-179-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3496-163-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3652-39-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3652-54-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3664-570-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3664-665-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3744-241-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3744-1001-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3744-262-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4028-31-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4028-21-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4052-191-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4052-175-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4056-143-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4056-127-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4080-17-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4080-126-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4104-254-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4104-316-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4316-389-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4316-495-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4344-114-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4344-131-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4388-104-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4388-118-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4652-167-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4652-157-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4808-87-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4808-206-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4808-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4824-27-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4824-43-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4920-101-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4920-8-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download