082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
Size

273KB
MD5

455a7fabe1641afa6940f7537d7cee54
SHA1

dd544da1945c8ea26acd229eb8712378d0225227
SHA256

082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
SHA512

8e7547c8d2e73f5e3b9ca65a0d80436d5e83dba239c03801e56a708c31952f857364d4a486de507c6e589072b01b38f28939401634e0728a7659bdd339b48238
SSDEEP

6144:jV0X5Gl3WlRYgwERjDuV7hOWC1ECIg6dY1c+V+th:je5xkyRjD2cWWHtaYy+0

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (64) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VosoMMQA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation	VosoMMQA.exe

Executes dropped EXE 2 IoCs

Processes:

VosoMMQA.exelUQgoUsU.exe

pid process

2228 VosoMMQA.exe
2580 lUQgoUsU.exe

Loads dropped DLL 20 IoCs

Processes:

082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exeVosoMMQA.exe

pid	process
1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exeVosoMMQA.exelUQgoUsU.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\VosoMMQA.exe = "C:\\Users\\Admin\\GCcQEEsY\\VosoMMQA.exe"	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lUQgoUsU.exe = "C:\\ProgramData\\mOUssUwk\\lUQgoUsU.exe"	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\VosoMMQA.exe = "C:\\Users\\Admin\\GCcQEEsY\\VosoMMQA.exe"	VosoMMQA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lUQgoUsU.exe = "C:\\ProgramData\\mOUssUwk\\lUQgoUsU.exe"	lUQgoUsU.exe

Drops file in Windows directory 1 IoCs

Processes:

VosoMMQA.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico VosoMMQA.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	VosoMMQA.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2264	reg.exe
1696	reg.exe
2100	reg.exe
2744	reg.exe
1488	reg.exe
292	reg.exe
1968	reg.exe
760	reg.exe
2112	reg.exe
2584	reg.exe
2488	reg.exe
1900	reg.exe
1356	reg.exe
1076	reg.exe
1704	reg.exe
1756	reg.exe
2824	reg.exe
996	reg.exe
2488	reg.exe
2952	reg.exe
1996	reg.exe
2464	reg.exe
2260	reg.exe
2208	reg.exe
1748	reg.exe
2152	reg.exe
1940	reg.exe
1608	reg.exe
2540	reg.exe
580	reg.exe
2200	reg.exe
1484	reg.exe
1548	reg.exe
2072	reg.exe
2712	reg.exe
2444	reg.exe
376	reg.exe
1508	reg.exe
2280	reg.exe
804	reg.exe
320	reg.exe
396	reg.exe
1880	reg.exe
1372	reg.exe
2380	reg.exe
2084	reg.exe
772	reg.exe
2656	reg.exe
2084	reg.exe
2420	reg.exe
2964	reg.exe
1112	reg.exe
2016	reg.exe
2372	reg.exe
1752	reg.exe
1792	reg.exe
2328	reg.exe
1372	reg.exe
2180	reg.exe
2932	reg.exe
1696	reg.exe
1920	reg.exe
2460	reg.exe
2348	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe

pid	process
1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2224	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2224	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1328	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1328	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
700	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
700	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1740	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1740	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2396	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2396	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2768	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2768	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1956	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1956	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1136	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1136	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1028	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1028	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2960	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2960	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2252	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2252	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2600	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2600	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1668	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1668	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2764	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2764	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
912	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
912	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1284	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1284	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2084	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2084	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2712	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2712	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
468	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
468	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2360	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2360	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2668	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2668	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1680	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1680	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2748	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2748	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2752	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2752	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1884	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1884	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2136	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2136	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1060	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1060	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2464	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2464	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1532	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
1532	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2492	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
2492	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

VosoMMQA.exe

pid process

2228 VosoMMQA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

VosoMMQA.exe

pid	process
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe
2228	VosoMMQA.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.execmd.execmd.exe082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.execmd.execmd.exe

description	pid	process	target process
PID 1616 wrote to memory of 2228	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	VosoMMQA.exe
PID 1616 wrote to memory of 2228	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	VosoMMQA.exe
PID 1616 wrote to memory of 2228	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	VosoMMQA.exe
PID 1616 wrote to memory of 2228	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	VosoMMQA.exe
PID 1616 wrote to memory of 2580	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	lUQgoUsU.exe
PID 1616 wrote to memory of 2580	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	lUQgoUsU.exe
PID 1616 wrote to memory of 2580	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	lUQgoUsU.exe
PID 1616 wrote to memory of 2580	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	lUQgoUsU.exe
PID 1616 wrote to memory of 2732	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 1616 wrote to memory of 2732	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 1616 wrote to memory of 2732	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 1616 wrote to memory of 2732	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 2732 wrote to memory of 2620	2732	cmd.exe	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
PID 2732 wrote to memory of 2620	2732	cmd.exe	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
PID 2732 wrote to memory of 2620	2732	cmd.exe	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
PID 2732 wrote to memory of 2620	2732	cmd.exe	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
PID 1616 wrote to memory of 2612	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1616 wrote to memory of 2612	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1616 wrote to memory of 2612	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1616 wrote to memory of 2612	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1616 wrote to memory of 2300	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1616 wrote to memory of 2300	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1616 wrote to memory of 2300	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1616 wrote to memory of 2300	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1616 wrote to memory of 2728	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1616 wrote to memory of 2728	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1616 wrote to memory of 2728	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1616 wrote to memory of 2728	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 1616 wrote to memory of 2508	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 1616 wrote to memory of 2508	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 1616 wrote to memory of 2508	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 1616 wrote to memory of 2508	1616	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 2508 wrote to memory of 2480	2508	cmd.exe	cscript.exe
PID 2508 wrote to memory of 2480	2508	cmd.exe	cscript.exe
PID 2508 wrote to memory of 2480	2508	cmd.exe	cscript.exe
PID 2508 wrote to memory of 2480	2508	cmd.exe	cscript.exe
PID 2620 wrote to memory of 1916	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 2620 wrote to memory of 1916	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 2620 wrote to memory of 1916	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 2620 wrote to memory of 1916	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 1916 wrote to memory of 2224	1916	cmd.exe	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
PID 1916 wrote to memory of 2224	1916	cmd.exe	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
PID 1916 wrote to memory of 2224	1916	cmd.exe	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
PID 1916 wrote to memory of 2224	1916	cmd.exe	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
PID 2620 wrote to memory of 1608	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2620 wrote to memory of 1608	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2620 wrote to memory of 1608	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2620 wrote to memory of 1608	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2620 wrote to memory of 1464	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2620 wrote to memory of 1464	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2620 wrote to memory of 1464	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2620 wrote to memory of 1464	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2620 wrote to memory of 2152	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2620 wrote to memory of 2152	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2620 wrote to memory of 2152	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2620 wrote to memory of 2152	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	reg.exe
PID 2620 wrote to memory of 2216	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 2620 wrote to memory of 2216	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 2620 wrote to memory of 2216	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 2620 wrote to memory of 2216	2620	082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe	cmd.exe
PID 2216 wrote to memory of 1920	2216	cmd.exe	cscript.exe
PID 2216 wrote to memory of 1920	2216	cmd.exe	cscript.exe
PID 2216 wrote to memory of 1920	2216	cmd.exe	cscript.exe
PID 2216 wrote to memory of 1920	2216	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
"C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\GCcQEEsY\VosoMMQA.exe
  "C:\Users\Admin\GCcQEEsY\VosoMMQA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2228
- C:\ProgramData\mOUssUwk\lUQgoUsU.exe
  "C:\ProgramData\mOUssUwk\lUQgoUsU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
    C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2224
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        6⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        8⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        10⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        12⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        14⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        16⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        18⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        20⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        22⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        24⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        26⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        28⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        30⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        32⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        34⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        36⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        38⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        40⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        42⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        44⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        46⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        48⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        50⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        52⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        54⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        56⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        58⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        60⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        62⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        64⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        65⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        66⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        67⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        68⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        69⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        70⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        71⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        72⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        73⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        74⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        75⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        76⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        77⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        78⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        79⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        80⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        81⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        82⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        83⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        84⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        85⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        86⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        87⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        88⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        89⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        90⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        91⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        92⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        93⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        94⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        95⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        96⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        97⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        98⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        99⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        100⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        101⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        102⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        103⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        104⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        105⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        106⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        107⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        108⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        109⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        110⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        111⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        112⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        113⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        114⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        115⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        116⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        117⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        118⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        119⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        120⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        121⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        122⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        123⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        124⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        125⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        126⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        127⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        128⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        129⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        130⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        131⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        132⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        133⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        134⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        135⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        136⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        137⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        138⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        139⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        140⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        141⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        142⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        143⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        144⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        145⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        146⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        147⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        148⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        149⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        150⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        151⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        152⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        153⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        154⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        155⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        156⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        157⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        158⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        159⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        160⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        161⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        162⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        163⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        164⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        165⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        166⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        167⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        168⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        169⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        170⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        171⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        172⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        173⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        174⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        175⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        176⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        177⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        178⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        179⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        180⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        181⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        182⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        183⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        184⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        185⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        186⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        187⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        188⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        189⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        190⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        191⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        192⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        193⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        194⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        195⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        196⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        197⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        198⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        199⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        200⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        201⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        202⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        203⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        204⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        205⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        206⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        207⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        208⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        209⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        210⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        211⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        212⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        213⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        214⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        215⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        216⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        217⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        218⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        219⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        220⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        221⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        222⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        223⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        224⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        225⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        226⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        227⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        228⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        229⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        230⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        231⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        232⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        233⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        234⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        235⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        236⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        237⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        238⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        239⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        240⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        241⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        242⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        243⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        244⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        245⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        246⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        247⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        248⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        249⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        250⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        251⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        252⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        253⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        254⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        255⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        256⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        257⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        258⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        259⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        260⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        261⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        262⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        263⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        264⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        265⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        266⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        267⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        268⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        269⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113"
        270⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe
        
        C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113
        271⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        UAC bypass
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        Modifies visibility of file extensions in Explorer
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pygkEYUE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        270⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        UAC bypass
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JYwYwoIs.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        268⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TqEQEQgE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        266⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FooowQUU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        264⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        UAC bypass
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\myYgAEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        262⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        Modifies registry key
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MgQscggw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        260⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        UAC bypass
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EAUwsUoE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        258⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YyUwQYss.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        256⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        Modifies registry key
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JAEEMMEs.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        254⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LicAwsIs.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        252⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwQQEIss.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        250⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bwcEQMwI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        248⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies registry key
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        Modifies registry key
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ewIgoosY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        246⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OMwMMYEA.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        244⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mMsswIkE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        242⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ywUEcoUw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        240⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AkAQQQIM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        238⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vuYgAkUw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        236⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FYIYwAwc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        234⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        Modifies registry key
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rYQoYUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        232⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        Modifies registry key
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZwUscAAk.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        230⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYQMoUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        228⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qKYIcsgA.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        226⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies registry key
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        Modifies registry key
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yYkEwUgs.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        224⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIwYIIIg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        222⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        Modifies registry key
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pwgIIIgU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        220⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rQcccEYg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        218⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGMgUIUs.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        216⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bAUEMoEY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        214⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YsYsEMso.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        212⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KygwYgoc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        210⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eIAkMEMw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        208⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fgowwMgM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        206⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEIIogAA.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        204⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        Modifies registry key
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oMUAIcEE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        202⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YowYsQMY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        200⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\giwQgAMU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        198⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EaQsgAQM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        196⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xwgYMoIs.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        194⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies registry key
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DCYcgsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        192⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xaMMAIcU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        190⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vwcwQgks.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        188⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wMcIwgUg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        186⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MecwskQo.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        184⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uUoAUEAc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        182⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xQgIcEYo.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        180⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        Modifies registry key
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZeQgoUkw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        178⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\riwIUcEQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        176⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PQEEcYgk.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        174⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cusEsYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        172⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        Modifies registry key
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SgsogAAk.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        170⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wQAEMcEI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        168⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOMQcIgM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        166⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        Modifies registry key
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uMEsgocE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        164⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQkYYQwU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        162⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lWYMwIoY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        160⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NegAEIYc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        158⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DmUkkQwE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        156⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xkQYYoAY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        154⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kWAUEsAw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        152⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies registry key
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\waQgYosQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        150⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GQIYQkMA.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        148⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qqQggAIU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        146⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSUYsAMc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        144⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bgoQMwoY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        142⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DKsMYYMA.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        140⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HwYUcsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        138⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tQcssMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        136⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IMsMMEQU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        134⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iaoIAEIg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        132⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OkEEEowM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        130⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkwIUQEE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        128⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies registry key
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tOIkwcos.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        126⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dSUwkgck.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        124⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bUgsUYAg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        122⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RckAIQUw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        120⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aeYYwcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        118⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GUgkcowg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        116⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        Modifies registry key
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WCUYYsgc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        114⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AAkwgwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        112⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fMkMEIoM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        110⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwIIQEYY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        108⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zEAwgsUY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        106⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCoMkIYg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        104⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMIoMckI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        102⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ockwIQco.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        100⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYwcwMUc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        98⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWgAkIUc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        96⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VIgQoEAo.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        94⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JIMAkQcI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        92⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vSkUAogw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        90⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSAssUIc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        88⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQwkgQYI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        86⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        Modifies registry key
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IIUAwoUg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        84⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iiAcAcco.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        82⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\asccQEgE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        80⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Imckskkw.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        78⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BMcEMQMU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        76⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DCAcUAMs.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        74⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JYQwAYoA.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        72⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZCAsYYog.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        70⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SEQwYgwI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        68⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uqwUEwwY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        66⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yKckIcMk.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        64⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uAkUscko.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        62⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yQIEAQIM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        60⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZcYkIEwg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        58⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NAwQAwIc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        56⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rEYQQssM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        54⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xowcQUgg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        52⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uuEEwkkY.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        50⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KeQwQgwE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        48⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wSUUEgYU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        46⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MIQwEYYE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        44⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies registry key
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JGcEQQok.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        42⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies registry key
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FkcwwsYo.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        40⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmocgMAc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        38⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xsIEYgYk.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        36⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\biEkgAco.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        34⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IIEUksEQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        32⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOQUswIk.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        30⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eKkUUgso.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        28⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYUEwoUg.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        26⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zScMAcgU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        24⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PmEwEMYI.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        22⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\luowAkww.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        20⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zsYUEAYM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        18⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\saAkMAEE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        16⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UMoYcAQU.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        14⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mygMgMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        12⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yyIsYIEs.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        10⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\USoIYsYc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        8⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:960
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1240
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:856
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:868
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BwAwgcgE.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
        6⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2432
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1608
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2152
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\vUMgIAUM.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1920
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2612
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2300
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BgokUcMc.bat" "C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "168146016561007335049130429613153707952679743481679946033-2761436101513635385"
1⤵
PID:2324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "217688133-1495283325-1163915501-1863951628-885319870-11476986422052723127-109050975"
1⤵
PID:3008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-86376453298110956085747897-21258907473256582731302475965-1524353157-944405370"
1⤵
PID:2456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "315259372-245058155263815773773997766-633397259-7240589591631760906952079495"
1⤵
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
222KB

MD5
6de701068eaf18061a9c3d0e3599d8b4

SHA1
3da8e03d8779d2288fb0a6057f83e42cebc1b46f

SHA256
7c8f45ee81881ee101b03ee6ad66a1cb2e88536844fc24f7155219fee48290f3

SHA512
a700b239807a2a6d870cc3cd7dc9eb86d3446765038740a8aa98d1399a50cedc363cdf402878aa82997bf3aed42da565aba63716995635835f0883a7d0232fc3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

Filesize
234KB

MD5
bf5f59d2aa5abef446ab8b4eb3d0bffd

SHA1
086a63036c982393e7e6615ca6d1b608d39e9eb7

SHA256
a36ed27f9b0c355cd04c3c29f919175df56e7b25fa9dbc09bc200e533f4664bd

SHA512
71797733f4e9ba7877832459bf51d27be4ba2fce7d0ca1790715af7e5c489b65cd0e7ea4ff091f87de92360d0e443f4b0d96a8fb0a3d572ae930d4bb4cbbd1e0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

Filesize
248KB

MD5
cbc021911002a7b6c5e9d6fb57cd4dd6

SHA1
a2fa498159840f6d44eca89bb3325df1d655e9f8

SHA256
3605bbb87885731366552aac48adf3a2cf8cba129ae5c34744251d360e3d12ee

SHA512
61782d6507c44c0ef206aa419e87b6b941bb0c0c15b00c491cdb9feed1a2a105d58212f62fecb78ca8df4229398a53a047ae1cdb57cce7a635c80929d8b90b30

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
243KB

MD5
960d007cbf4bb681789d98c02b34c7fb

SHA1
8a40b50966908f8b1919f9d2540819a1836721eb

SHA256
65bf33bdf6582ce2e8c895edcf904852c78afd7fa0a480a7793679204fa19724

SHA512
99c8e3e53cb7df24d40b5f37bc6efa1ca71c1e9489d78dece5f7fdb208bfae57624b904e95a9f0a7cfc7639f3dd92d5cc26594656f0ffbe969028fb106dc2eb4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

Filesize
236KB

MD5
76de9d065d9833b90c8aee8e5041e309

SHA1
8ae050540e8f34f3b7262ff2c40379a56d2d4efc

SHA256
6f0258a5a7eadd00c2aa310d13f30604bb90406d2cc407835f17e6121e4275f1

SHA512
e4db6bc5a605b828346d7a352afad14d19b0e7fabf9d33558732752b67817ce81bb09cea54bcc0e8f6127619d55976263224f2abc9197ee44f30e2536e212272

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
246KB

MD5
2ec3489b3550f6c8fc9032dd9a4c4b99

SHA1
f66bd565dffe3ae3ad695354a4a0d6cb2a2c01be

SHA256
81d535b774f16c8a03425a79fecad456d22b1e10fca9f15dd2cac968645e29a9

SHA512
a0dc829d0381d504869de9fad7579e856dc3f92a31391301cbc99dde792d310725be1d1c2d96143237758b44572ea73aac4ee2fb6ba5c8665a8fbfd703e6b849

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

Filesize
185KB

MD5
4f9f25f9eeb4b5ce38da1b4d4e8c1a16

SHA1
dd87449f628984b48be8e051a11398d701ad8cca

SHA256
4213019a3150d324993470f6035137d9f3e71deae9f30e579ebb934b8847d7a3

SHA512
342b095a93186a26c31292d5ee6168db5701e2babcc581aed98aab8a81e6836f82c31f43c88da47743791655e00a77272220c6fa42a16ddbde79efa756312fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\082973bf90e1f66fa1b2eb4593333b1c41e705b6261eecb869fe1b7af222f113

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAsS.exe

Filesize
1.0MB

MD5
e4fc3d71e9b56e3f134c5d5ba3d98013

SHA1
02a1fc6228a683589c89b3a654267608b40cd42d

SHA256
da392902e676185815b8e6ae30c12f281c76b344a4cbd1fea73793a7a34a2460

SHA512
3679efc1b908711f25d417cb59eb4d6cc9e5e5749b4e64a174890c3d8c4e0b60d71036081f1fe13b0b621851fbe75e217df1a760f1a910d8697fa36c54919a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIoi.exe

Filesize
191KB

MD5
a932ded6d250dc068f09647cc5542049

SHA1
202e2e99b4d8eb2ddfaf594037a3ba994299b2b0

SHA256
bc2cec7efa3b7a5a2e9266f66cc9c4f66eb92a7d5fcfbe3d4860ced14f24414e

SHA512
1f52eed9619515de25b959bc32049d1d222335764f2abd3d08f9c30c1dbb0ed5cc9c7468232182a345ecb573fbb7030bc32024a586f88a9d009ce17ebbb96678

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQocssUA.bat

Filesize
4B

MD5
0aab0b6a2fba8f036b6b85fb74931ab1

SHA1
44de82710ed4a241f1ab7ec4a398b88202d0deaf

SHA256
2d6fcf863d5eb31383689cb2b757614dd4e34a0e02e80f3f33112b8be81998b3

SHA512
6d7edf5366cb16fc0b72ad9a537846b299d66de76cabf72b19f5ec8a3b3daf23eb75e15af7c230e1bc65c00be36f7519f2309a0a3d74afb557c360642f846dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BSAssoMk.bat

Filesize
4B

MD5
910a111a056b759ffe49bfa85cfd367b

SHA1
c991d45a1fc85984c5146dd8c39c251ff6c48123

SHA256
abdf3e0a431289a2adc66fff190a973df4858e2b1444532ecbb432b6b03a509e

SHA512
4a3ecd853ab0dcbcf3a5e5375508380fa333bf3fe84727376fdb60ff94861c5e299f326416d366c6c36171269e998bf4feeba0d3f3615d59030ada7d72018c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYEEYIgk.bat

Filesize
4B

MD5
98405e13797d0162bf0e610682a1b7e5

SHA1
c0f4f8c19204caabf132869b39fd4964f6739a74

SHA256
c64280726f70ed9b2cfdc8487cd5dc95daf72ad0fa196e841ab67abb16d82b3d

SHA512
0fb31377e75dcdf52ee7fa104c4e99e351cb9ce071d1daa3c1a1dd1b6cba622d8cae7cc55cfddcdc6e7bf7f9f07dcab84d50eeb5df4d80290744ee2dd2e808ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\BaUsMMEM.bat

Filesize
4B

MD5
aa304da457d33f5e57b0384a53fa6759

SHA1
081cb3b33eb97297ec47cb22c02f6db477e7dc02

SHA256
fe9dbb7723f6b9fa0cc02b4732b71bff320aed3f39a041f93ce67607f5be6c42

SHA512
0c89d6b422d04ef34b9d9d571ec81b73146d32b9a2f03963f69b9f56b81a654712855bee2c62fd4caa398fda82f6b2ac4f8af328cafdb3552b254bd093c68819

Download Submit
C:\Users\Admin\AppData\Local\Temp\BegIwMoI.bat

Filesize
4B

MD5
be7ad1c9136e89e8b00dba53e0bffc6c

SHA1
db6c73990ef8f6c8d06a770eeeba40df473bc2ac

SHA256
41459bdd140ac114dde288b0338492bce40343e0edca2b7f05693444c4ddfa89

SHA512
1401815ebedfba2a6ffdbea4afe0b7fd0ede77b0f162252942427338dc5904a70ae34e37632bd9177d74d9a1bd6195c02d49028f80591ce7637579dc89117c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BgokUcMc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BqsYQAYY.bat

Filesize
4B

MD5
598e0c49415e044226812fd20753c917

SHA1
db405af4010d34343cbe101f7e18529435fd08d4

SHA256
aafe2bacb61ad04a86effc2aaf744e84170ddab60252949c8465cb92f38e1de9

SHA512
8029ee890415586d58791d05cd012804fc844f11c57b17bcc914579c0178ea98a7c6021c948a84622b7c0a5c121abad212b331cef75361e4ae102f6292d26e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByUYUUko.bat

Filesize
4B

MD5
1bdc5829d29f272e3289e63e749c7f14

SHA1
2b0b0857ffa6291911891721beb9af29a9bc25a5

SHA256
30b9e8a431c6f0c8dfaf3c603d599ed83107df30f8138a617275a9b034b2d2ee

SHA512
f0bfc3eb874449f78b11b7e86f6bb10d0e2c596402409ae3bf45a57e4866743d59f0171c4e37b209d62d930606b5b25b54b71950c24ac6a7e8b6659f5ec8b586

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCMcQIAk.bat

Filesize
4B

MD5
3e85e360fef0d2c6b3b6a4ac57b5dd14

SHA1
3fe437de3bf2196e28fbce1bc363dafd075af3ea

SHA256
ea52821b2723e65f92146b859a0f7af67d33c700ac5f775de3416e117a7c46c1

SHA512
1c5b4cd6dd1a0f2469ff611dd2c502cb639a6cfd85803e518291a104508323927acb844a43357e3e00107afe247822e885416cb59ce676dbf3c5a9a75394001c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIQm.exe

Filesize
228KB

MD5
e56a7882ba2da6844bfd043cbefc646f

SHA1
0253550926cb357df63f86e54b1007efaec2d214

SHA256
b7dc47374ca4591daccecc818ff844b5a0dd203c9e79a1cd89618fb6119f9ec4

SHA512
529454db8f96b4b0600d98381133ea964b99abdeea1513405c8513701bf0164f367605f80b8073fed90279249067ef2762641fb3a5dd14ef7fb1222d2f7d1e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQQA.exe

Filesize
189KB

MD5
aea4c20b59cb29350a682b6948374917

SHA1
8be0579ca94808e436a2392fe89f23ed5a03e21b

SHA256
274ded00f592eb3fa7a33de0efd5cf680c4418731f5518ce184a5ca68de07b05

SHA512
11f7449c229eee99f9f79f4bafb24d5a16399604f26cf30ab9e4c52b1197df3991a70f3d91f34f33dd9ffc9dcc4617bd80e90b40bab23777836be1d93676e918

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUEq.exe

Filesize
242KB

MD5
4640c14c9df0f79e5139bdab0899abbe

SHA1
907daa1c4031d28303a880e6b24fc4fd7eeb8573

SHA256
69f9be21b045fe7d1dd67ec52f336e6ce1dfc76b989034590cdee9dc46944a81

SHA512
64dfd52b4ed53abc9a7225b97ace82b523e4e5dcb4d1ca81212af7e93d29ee89fada7be23d4205206a2892cce2469d3204a4f38fa51f07ea42fde5a37cf1f985

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cckm.exe

Filesize
239KB

MD5
3a2026a6b9563f5a9dc5fc4a3c29a911

SHA1
18422fbc0f365b904e03a37cc3e34911797768a1

SHA256
615d8a84f6c676aaccab04c1faa379a4e22e558e6992de8539abb1a47165cc1e

SHA512
e227f610312445d5868883eddc7bf977a81e1784d554f61c427d0235c27ae92856f9f946088ee26a381dda063b71d753f1c77a7e386c83d7067b456ff01d5fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcoockIo.bat

Filesize
4B

MD5
23cb0ab867f97d4b82afdad47fd95af4

SHA1
0597f436a6b59f7ad822300c62a772cb48c91a47

SHA256
02c645d5d743db7f47ba317f7c66e5984aa8ddb99bad295a96e4cc13aab69e40

SHA512
3da9e91ce4da94265d7809aaaaa89a7dba439d839984d64912d7390155585a5579cbacdd32a86cd37cb722884ee134f4bb8bd8cd15dead1ca81c2059583b7edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgIC.exe

Filesize
232KB

MD5
07bf61b112d5f616925c84c1ae736a08

SHA1
5265ca7e22c609dd721f7e88e11faedd8b81ab1f

SHA256
7ec1795750511428bd09da55d8dba3a4dc4d3a2a586d31c0385bdf5a0c19ba5e

SHA512
809f4e9e034fb48403768a6723a2b7bdf09eb601821468947719e38ffa513001bf6d580f32b7388dba7b2c776e78f8bdeaf1ccd8ce78dc0a0fb3894039498527

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQkG.exe

Filesize
205KB

MD5
ab5a9e9fb357f4c6a3b8e28e87c0ca9d

SHA1
23edf523016991cd266433a65fe6a920211c9edc

SHA256
51910cfd1131d541161d7087ef2c9a30e3678c43120e71d22c7aa9295f7ea4d1

SHA512
dcebdbad86e9f70977cb4f9370ba76345fa9ebd67d545e0a21eff5cc1ddda232ded56d0fa57005b4b7e1c757d567fd67a2f5080eda73fe912f989b949ea9d22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUMI.exe

Filesize
190KB

MD5
9514d7c57249885fb4d657533bc00ea9

SHA1
6e6edcb5fca8a384cca72fa42ef58bc44fe4722c

SHA256
f7c009137a3064ecb5014cd1e8ce1b0ff9a87742cda968975547e2d829ab4552

SHA512
1570ca579a28a5a227d0a0f3145ea107e2012d8dd51f40b38c59e8771866338d2a78f47ecb9fa73f8cbfaa2c0c59facac6a23ca771fb9df3538f4cec0eb615ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYku.exe

Filesize
720KB

MD5
7a83c1b419b54f3ca643e818296ca09a

SHA1
6119576bde5f54405c725d962e7e5ac51c7f5335

SHA256
9109f4053ea5df96e3cf707e2e39f5177922d3da51c02e8877e496f427c91448

SHA512
8b380ef849aff1b1951039d7a2c77bf7fc6ecc65c56a69eb58eeabc06809ba43dc11aeee3007a07562432369df88dd3073bec78d6876a29f0f4755f083b64570

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAAoEQMI.bat

Filesize
4B

MD5
e18161864f21a502809dc342afd927cd

SHA1
22a849a545881589e40628c59284f0abc7aed0f9

SHA256
f05e67772103424a24fd029d5ec4bb0e0a7a8ea286d2ec13c9e08e374cb49987

SHA512
ecc6d34b4bc927e07adb962fc1a7d0fec504aae2fd00ea3f30c2664556485eb2b73353716cbcf4e00f6c2a6edda69f43cb99746671532767bf284099f16dae52

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAQsEsAY.bat

Filesize
4B

MD5
483a5da192f46e3cfe8391d3ef234fc4

SHA1
ab9dcd4a0295bd5e2c0f799fd9becca5752365e8

SHA256
9856b7433f842da2093b956811286d51860e05ae3904dc40b36dc709ea298884

SHA512
db3018d5d446b8116b0e67282b6acb16d86686194c6b4615334132af68eb79ab90622be13631ac1e12ffb9b7e525612e3e858a90148cc498cf13d08649c3f8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYsocEMA.bat

Filesize
4B

MD5
fe7cf7d54b302d182b8c1a2b94c7ef02

SHA1
35668674ff486bcb790671091c108df0cf509e74

SHA256
1d93756f0927e98ed7fb0c9c204e3b39e8cbb8763605447427cfe430851c02ad

SHA512
3c8fecc395b499a4e41d5c06cfae892be6fecc935b7ec3b258af66ba9b88595e099fda1c46a0cb7261eaf95f5139a6a3a1444097dc17f391c8d0febf2d5938e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FiAgIIsk.bat

Filesize
4B

MD5
f9f1d24d0527886d7bde2fb932e548f4

SHA1
fccf1973f4c907b915cc2ba1ad25e87a6a804fb2

SHA256
b74177f51a35b8150f22ebde9ae22e81853e9b0225df105fba2f1214d90d222b

SHA512
5f290dd41ce5213e6341bb1fa3559e20cc0d3fa183dc50f27c11c481ac9bf76d15e0644a0d3a9ac8a12953a2957149ba5463916061fe6ae77cd7b4ae02f804f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEMM.exe

Filesize
468KB

MD5
7c410b66ceb9e015f1c245a3e4f921c2

SHA1
e96b964469c8e30c64d6fe5427d4c068f26663f4

SHA256
f6e8c05f08d22d2d3a22868bf7d42b3748fee42a91d13711673f19e315f8776e

SHA512
c7c50c3e49469affa60fc9c8e7fa713d6746812f96d5c38a3c8e1696b34c1808fbb8aaace10bd7b65c1a95c203a5c84e8c0564d119d20b22816cffea6e5e1333

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEgW.exe

Filesize
1020KB

MD5
1884aa85fd639975b56ad1ddd303fe6a

SHA1
27586e31a4563f088122367c213b8168873d8153

SHA256
8a9982582c85562e039f9de9168b5cd24fc92e7b1bb1964f3cc5d6fc6322fd33

SHA512
2dc333a2c63892e817ce39debec0671866af31d774416c3aa0bc29edacda601b922d2e10e3af6015c343b3063bbf346c9a78f2cfd89257522bf6781b886ae9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMsEEkEc.bat

Filesize
4B

MD5
088e364b375051ef5bf8107999eac0f8

SHA1
303b9128dafcee2f7ad198c3f3f590f9f3c83a8c

SHA256
ff29e366e4abae1a31a08780cfeb511f06c314987177013f37fe02fdc225aa1f

SHA512
6e5f8bc0b453e95d32f4859117223cee033604878661e8772055f3eea1b1d5613ef0e6b217657bbcb6d7bfe065d1bc318e7184580e0af0e6cfedadc5da49bf29

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcUwoAEE.bat

Filesize
4B

MD5
7ded68c5c331702d8186eca034608e88

SHA1
2366197d54abe5fd528983fac686aec8a9a49c63

SHA256
4d2a30eceb2b5c461afa8b61742faad54973f6ec500e284b61c0b86313472494

SHA512
bf5ccda9b9b04d7007c6752ba305409554939e6b06359a4b99cd36a88e1ea8afa7b353a59aa1faaa23a0543fa0f0accd7fb1acfeb364ae624d387700f1cc9f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GccE.exe

Filesize
231KB

MD5
dbd689c33dff3db8d64e17a34318cb98

SHA1
f450512e770715de1606a4b66c0f020dcdba1fdd

SHA256
604c1b2e11d08b0306f8d971fe6d2c6efef3be3360b25fc824f1a3bb5d9ebe94

SHA512
9b62e2ca8d1cb778353ceff3198384eb041c829066c1c10e5702757237001f81b7661f5a3774a50d053ce02f770f226ba743248ab70ca5de295e5bdb43e91d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gswa.exe

Filesize
227KB

MD5
1b689f525bd0a491bab6f621584a89f5

SHA1
0e3594d668459629f8c7007e6742f0fb514d7d0a

SHA256
e88d74b2261b5b84e4f755f4127668c9957d9b8d62634350eea2daf29a1a21bd

SHA512
8ff32d8aef44ceedc80250281a8922e876a1f219dc11024d51cc8504665123c78618b4efbcf3990d7b095b028fe628b5b30ad6914411dbf901b85de477d0b09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUsAMsoY.bat

Filesize
4B

MD5
358ecfe618e3d9531e20fa219f71a683

SHA1
aa72140c87358d780498b5b6e3990dac7064aabc

SHA256
f6bbeea318cc32cbf087bba1969c72fb6c1f7b9dcfa188a0acab96a8410d276c

SHA512
244fbb3d7b718958f5006a88b7a56c3318094af5dff75b4e828abde4cd0d097fd127a6585c73b1b45a7c087b072507b30466a45f34b1ebe735334bfc59000611

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkwMIYkI.bat

Filesize
4B

MD5
610fd513fcd606d9f06c318560cc9a41

SHA1
4650b56f668a53c1fd5a97829f4ec82dceefa702

SHA256
6b905eb5125468081b03e457076b7b08a3b70dc9dab98917ad9a552b9a9c90cf

SHA512
13bd0a9575cc31a55bec9072325781ea3596c818274f9d45e52e1ed4a0734d277bc7d248cb5c5c51e5ed23f7fae9dfa1422ca6fe3743f9635fde5d4b92a615c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAoI.exe

Filesize
244KB

MD5
c32bd2767099322443c9a11b3421f143

SHA1
0fa04cef249fd8dea4b3b5e084060816b6c69970

SHA256
e0332c8cf4fbda38c074bdd2bb36cfc6648bdc69a32fc998ba35c7dbb5c9d177

SHA512
b09f6c08014b34f98f184ec7ef58a8da8febf60c300dbb8909dbd65343d761ae78fe941f45a767112f1458e03f0f65fdbb6962d27cb681e426e97b4a81ac0713

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEIw.exe

Filesize
726KB

MD5
5b64621c61f6193777c4bbc990ccb16f

SHA1
14c77ac48c0391621ff8fba74305982ba0126e38

SHA256
a237498a21282f66f510fb7ab73dc395b68e724663c81f0522956dd236ce890d

SHA512
fced19781815ad49645f4789881c5a2d2ceafede36be2607733ebdaa16ba9b029d8f06de40b63d711aac52f8095e516da70492a3cb88d18c0e6ac0e3a64547f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEoy.exe

Filesize
432KB

MD5
b65a92c993e73ceb222ffc6a14901e6c

SHA1
726d46da422b43fedf98f8c28f331651d27305bb

SHA256
aade0f797c6cbdc8d42af67902d3f38fa85436c5480f455dbfba6374fb6b8b46

SHA512
6a0c8a7b7fd72cae48ce04f9a26385db23e99363075b7ae20ba06225f96ed3e89e6b05f7665d245ad1905e274e384264fa5a8b5703ce43ab356ab0ab0e534b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMkm.exe

Filesize
237KB

MD5
c4d59c3c17bff0beafbdaad1bc6c1106

SHA1
a92f27a5a646dfcc8da4319b9824b4b512d0a43d

SHA256
a506a22ac442916490cb3b1d627de630b6943153bcc62dcaa6c44a49daee3dc2

SHA512
84f25bc9749d868034acfe11c3de733da422b331d1e456fe8b83376f16600322a45d4c67ced4db661e432461eb0b0c636007242df914dae8d824892709dab8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMwO.exe

Filesize
796KB

MD5
368270f212ee637e8b8229d274a6231c

SHA1
ff5f12df3e778e0e6782a1cf8363896adf8e3f20

SHA256
680b0cc71092f02d79932779788d26451eb96830f5612bc022b828d7cf22830e

SHA512
e16487019c997ea96b9a5d8d44ab35c064416e5e4e1c8c46c9a4a741d2ddfd56916ad778518b28b4698915ef80fdfef722d0e65d0e01a17f2ed74c1e533136ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUYI.exe

Filesize
242KB

MD5
775fdfefdd7fa040a712cabaddc3c264

SHA1
2b4515e187cf20f185136e93805730a58c2e0f98

SHA256
c237be7e1ece025ead2e7efbe69c3ed856e0d694cc519c21b2796716c18f3a81

SHA512
e4922d24664914bbf863f8d3cd5e9d150ce386db2c85644a1c19883506a09677038a287d7d940ac90e00622a19b851def1ba3e0b29c002e73dda6405061d1012

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcAM.exe

Filesize
238KB

MD5
db845ddbf06039480dc2524f01ee49da

SHA1
496a9b05f589d3e43a2eb0ad2d6a866ae59a4157

SHA256
d377eeb4e7a885e55ac7d6d3ed8a196c41a59251987342fdb0fef8b8c81386df

SHA512
5de65c74ee9436fb38fd1ff1ac14eff1a89f9d1831d2d9b8e51ac88d2320f1bbb7ce1cf260aa47a84061edc9e4243f2a693748ab2807632674667f57ef1404a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgoE.exe

Filesize
233KB

MD5
0c760f3998d3d4e038859b4301c1e144

SHA1
57042f750aca74ab6104b61b0dd678b49846277f

SHA256
0b38b66f1e3122b60f72cc76f9634b297056747a6efe4a0585e84a459b6e5077

SHA512
e9ca44550f35d01bffd55b810544c2a5db2fadd8f5fc55f68b546ce2086e1bac67e6186c42aadd7fb656916bd7be0b72559038c2f7080713c1824413e102f777

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikwu.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsIq.exe

Filesize
227KB

MD5
11f19ae50de7bbed727e93bc3f5864e9

SHA1
ccbb61c11305590b06676ac8abcf8c11683de0b4

SHA256
674771aa73d7211b6a629afc139c3373e57fc5ee286566e14f7ae669a4169af6

SHA512
75b340a00231fbb09fd544fffcd7d7f408b2ee414f4105720802ab48a96e4c422987d1d3183a1a2219a315b70597a03eefa976f41fbb8ffebeacda40064b6d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IssQ.exe

Filesize
194KB

MD5
5d178b73b39b11412a2592f40d177284

SHA1
87fcc52e06936fa5242821403651a5c137c486b5

SHA256
e5e52697b91d8acb491797f01592be3dbe54a6855f4f46a9fb53b61eb07a321e

SHA512
1e536bb31fb9313666431366dae3612e8f9ce453082d295a3b048696ef42739eb32456e50ba4ff2743926c3154bdb2c0ce884e0909323b565af071974638d28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIIYoMcU.bat

Filesize
4B

MD5
3cf05f3d78cdf112f8426e882f4da267

SHA1
588c042347597c1097d1ae31bdb1f1f6fce1737a

SHA256
8d8050e8a14876afc48c7906e12b5b2b88244b9e0a24d2a9dbcbecbe5e67386f

SHA512
86052044058c21f39c48387336837513547c4c9cdb95b421b50a24079cd4c6303945599b0d73e657fedfc8b21ed8d54c9558ed469c897df2a32e9742433b44ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\JcAsksoY.bat

Filesize
4B

MD5
a6c112e24964344b93f9cc61570af805

SHA1
831b38fab93c930ef4d71be122dcaf9b116eff8e

SHA256
9acb44442820155864feedfd468dc81dac38cc2c8bf528c8109e3d28dc5786f9

SHA512
9d7b578c15504b82a415835e5a0880314ae2ea1d12e461a4e7a1fc48ea9907c1800835d47f95781f09bf7f6a2465c5400d1e2cd4f919420a8e912e75856c5a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\JsAsEgIQ.bat

Filesize
4B

MD5
6b0b95d0efdc18e1e26aa8583c2cc878

SHA1
aa9cefea755385ddfd7a84dbd7f61299aa079745

SHA256
5892659c9bd7ee17f8def9456d87994bd9cd020215c4ca164f1b16f48a970edc

SHA512
2e5bcff5874cbbdba79e28c2f87988359db37b5f14669f28449d5a80c4af9a2b5b0ff988725e672b75f275b9606140d9d7c6cd3231c2dad877b5246bd95bc473

Download Submit
C:\Users\Admin\AppData\Local\Temp\JyAoIYYQ.bat

Filesize
4B

MD5
b8b7fe7ec0e529a798e732b5b57e04de

SHA1
b0615d444d325f67ccaea20c6e2c03bde506c7b7

SHA256
99a0b5a37c0dc59d8bf90a77f9d88ccd215282d361376ca30d8ff241483b049a

SHA512
66a307fbcc0b7161ab158f0b71dcbb307dadf89103a22d51bbf783d95da15b02270a1898c7d41d4338191aaa08e8ce930a151594ab337cbdd735896aca1910e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAgc.exe

Filesize
247KB

MD5
86907999e869cfb3312d11fd16131ef7

SHA1
be4c89b774a177e11e63bb6d5bc4714973ba59d8

SHA256
ffc9d828749ac5ae8fff431260949c73e4da30313848a0dcc729ace3e0f8f89a

SHA512
dae066492a81dc9ce6539850211f63a42ebd044f7e8d9dadac3dc1f950e7f80f44b173ef4e22439e1b9290c884453877d6054a0a12246612131e8b1e105779cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEAssQkg.bat

Filesize
4B

MD5
56edd7c578297587615f991d0a440a1e

SHA1
32b8ba6a7b2df8d9c275fe322a570c79bfac2702

SHA256
876d50e78ea245378f16f9da44c76d7ecab2c9ecd639ba808471faac507d2e3d

SHA512
b38e47c2f60208198b393ec62f098df766fdbad672099dfc64762e116d9e4de83a465346956b3076029a0e036cd178835356210799aa0bddcb478ae274ba8d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEIa.exe

Filesize
232KB

MD5
c61261646828501a35b45e6c96437856

SHA1
e99d8aae9ab0a644f231e209f364d7ab673793a9

SHA256
2d7ad520656bf934d6664e0a9aeb1738efb8045292f44a179b2595b9bdc73af1

SHA512
505e2cf2394033572311a3ec8e20d8af606f26eae239c237aa50d1acd4eccc0303a248a3becdafb6dc602638d680c93099d097fedd59fde360138d317a0e7c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGwwgooQ.bat

Filesize
4B

MD5
9d563dc5b525df151ef37f061eb37500

SHA1
06e2eae24bd47080af238386c262516d6a8f48e6

SHA256
37a14d2aa4b4ab88cdf279089596fc3d264928ca2f912f01ca369418bad1f941

SHA512
c3be2d171e5e4b549054c6312a2d86c6a68672362bd2d1e07d6d8d1711902148ebbd34238a0e468c11d752a365f388a7e476c79f3db57bb82c43efff86b1bf7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIMM.exe

Filesize
247KB

MD5
66f1d648ef507a64ea2e8549e479e44e

SHA1
215fbaad0188834e166312c8a502f963de090419

SHA256
2a635d4a9a2d68cc97171d5eb934bbfab050aadd4961c9037061c2b708c652fa

SHA512
3be297417cc1894ab6eae5fbd82251d5b8234b9cdc15a3451f7280b53896f6f9bbaa9a309817ec19c588b60ebc01832dc671a0bc72e5dc8a102d2da722a9300e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIwI.exe

Filesize
238KB

MD5
77635d0e2733988296d176150994b4b6

SHA1
8bd4316d413a4416bb1cb50f6c1144041bd6ea24

SHA256
3d97b66e2b02577c8ee9c963dcab57179b74288e4c8f9329fc51edec6fa46ae2

SHA512
3469bfa92c1573c148f75779d390b1f9237200f3399d9d9ba354296b30471c34a6b7430bd3e3c8bc5b266b86143b069f74c1259daca91e2a22403a4508c17f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMwO.exe

Filesize
238KB

MD5
f46906112ccee4f98143c71534a227fb

SHA1
5816c989a8789b3faaa5837f8474cb2a8dacb612

SHA256
e5e9ec7c95b927a21a865f29138b5f923470d2b3465d8d164938621a46c20ffc

SHA512
a533f3dc4ed584fb22d6d04070671b0e7000b2e57c8588a8646e0222fdc12468823b2b22b258ac14c76891b7998f2783cb13042d5b2e2ace0d9f1f34db749e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUQm.exe

Filesize
1.2MB

MD5
29e73fe5ec0681c9a013047396b3578f

SHA1
ef473d3561b42ddf6f8d5e623c0ed5805cf2442d

SHA256
49a7f41bdf43509201b775d654b935338c711082e0088cdc317326183296733c

SHA512
388046de3373212625074d943061c7bd55ee5a4f16e7170d84bae85c1fb9a9b4a0e25c234a0c760416614bbdfa8e58a99cedaa30e1940a857db8d07a358dc5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYsQ.exe

Filesize
228KB

MD5
2739c1bba81dab77f6f829a5f7327e57

SHA1
9e27da09ce6008b8581d2fbb04f9a33e9ec5fd8a

SHA256
f2be5596c4e6f174688b25dfa2b589e0ad10ff110c6657d24f00e15f111d5b98

SHA512
9e61571889edd6c4b194987b9ea318b80481e00131624631316f45fc0872234a134250499a8819a7d4f5aad1df5744867aa606c0d9f8ac2afd270ef86d327f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcYw.exe

Filesize
318KB

MD5
ab0bb112764aeda819be6f7685a122c2

SHA1
4a7e67ed428c13162b69997158e50ad8660229b4

SHA256
8036a68ba26b5eff9431f9635019f06c0e9eae797ed19fac3f288fe7afc71462

SHA512
8481e92632321619b36999c8d0709964348117546aa87517eeeaf9882ec7caecf3ac0e3ea8fab3dfcba9b612f33b4edcecc9a213dd5cffec358606b4ace4b3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeEMcQwE.bat

Filesize
4B

MD5
476f1f79dc19ea2a9e5462a390c4a79d

SHA1
42bfb1795586178d15890a8b01c12baf2527248e

SHA256
9105748e471c147e638085b4a7f6ff94128e7aef6fbe2f45088477ed6aeca313

SHA512
1519ea22f97624a54bfc02b92c52305eb97adfa70487974dbb3804bd89a8b6a80cde9943866e021484dd4ff909574e2bcbadbac5f5a7390efd345086a73f5cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeYgIMUw.bat

Filesize
4B

MD5
5f4f5d1ee698d150bb34c5515d752af3

SHA1
68198a5e31b9a4ab481c2dff96b3ff382cf37fe0

SHA256
cce6d7563822e7d0c80c2fc62c6ae78c7e5e20176409bc3a04c789a98cfe9592

SHA512
77b1b7599b761c358792c0def58c5277f789f192829fe614acadaa347e27bb17314890228bde442ee100cd9bae915b9bc35713f4e08484d59cc0f1988920791a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqQoYsko.bat

Filesize
4B

MD5
c5b46ffd05c5e6e4eb77069157b3bbbc

SHA1
a6dd8099c0834e91a24ee83665648e997f13834d

SHA256
23e5c8dd69c27b042ed3813e1b1fd5c96404d11fa952c4fe863b44e4c9137ea0

SHA512
956c1487b275a86525b30ad928e14d4229090729b13d4a0f500b61bbda3d78e6f907ea078b6e63b734b22f5075b6a431aa54d0624b9e28c0a77a1a32738a77e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KyIcUIMY.bat

Filesize
4B

MD5
c701acdf02a76a053443fc00abdc6ea3

SHA1
1ed63184bff9cf22fc5ad53b8917771459ab04d1

SHA256
0447d9b52c36ef7d0285ffd4a534008c42f0045f8d2b111e84a3affbece4f506

SHA512
2191ef40927f7e5ea06d46e14a28251a0d73a0bce14c80e07847a2818b8815291b9dc3e417a8634720a97ecc5bd52c4a2b6114e670160be6b62ebe083ba22f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEkYMUgo.bat

Filesize
4B

MD5
08ebdc85ed302e81d4d40c2297ea9eb8

SHA1
148bf8a0c07631e68b1356214bc2e3d2259774e9

SHA256
ec1cb0b8e4fe37a7db431219250df75ff113208567ff09eb2b85011a0b91faba

SHA512
588416102cd08ef786e4293d7f03c62488513466459e70bcd709a1f75860485f5c547fd68ac20fbfab963e2b6efdc935e1c44b73a2e0be79269a2f4a80a8fe2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYYUkMYU.bat

Filesize
4B

MD5
86b36a52a478dda4b37d101464e94e38

SHA1
c54c6fb04add7ca911ee12d39c441ed999da7c94

SHA256
c8a33a855b063435a0ff0cdf310eb342e93a363d1c8ea914ffa8f78f57c9d6c9

SHA512
bdf6f48837c1652643aacd6ba4393fb5bd299347fac2d81cc85f66f95aacf27a62e61f7ace4bb7384d9fc091a5eb9a609a37702ee98cfdf74d20e5d9704bab43

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsUUMgwc.bat

Filesize
4B

MD5
67490e33e03b57a94016933b460ccf0e

SHA1
c3cb3ff0cf849875ac0304814acc01441d17fd8f

SHA256
0aca1b230ab20497842e40574591c940141b5d05ceac6ce8c6f9bb938e528d70

SHA512
9ed11e47cde454db56240b2b6a58e20d12d2acab95d1e613a5a1b23f6a6cddc38484ee309a98c8458424a4466d45d115953eb7f9ea0c25267e23246a0c1e4bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LuYgQgkY.bat

Filesize
4B

MD5
ac76fbde2d8da95d9caf4c12057ea064

SHA1
57380b328f8d6aedd8fcc562c156bc275e52b0e9

SHA256
c0d61bc01a747f1d65e85404f3897a619b9f6f7930b23e8a986f0394d3507452

SHA512
8b2548db152cd33af739a527a08d5df092f5bdc7956d6050e025632f1f99e78d972fe53297fe2c73ff9e31028aac9727bfa029117a153d5a593ba8784ae81d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LyIkUAkc.bat

Filesize
4B

MD5
643cf77f50bff8712a0c787707161ebb

SHA1
729dcc45b2ab67d9b3382e439ebcd9451ac837f2

SHA256
1106921a74d4cffcb890bf27c2933b743a3773dc25a7aa649638703ec1a95bbe

SHA512
eb4b1c23f6c899cee45be18c790e9f49cece7d8aa330fc7b317a53ea16196012d7624a10cf1120de1900b31415e8d9054743f015894ad721b93c8c04d937b818

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEYUUAcU.bat

Filesize
4B

MD5
a3f0bfe3c00ab386c45f86675f026d4d

SHA1
08f7469c0184168814ea77eda0c33fd47c21ef12

SHA256
2cc583180045d0310ee6979889f0e58653036b3098c2a621dc8685dab0b84bf6

SHA512
4bddccdf0942ebb9541c864f6035f056a1ab7d98fe7e70f4fb84945ece4af71c2ca2c567a6714fa7f6dc3eebb5f98691cc8d5f8e7415f03d09e567e560eaf299

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMgU.exe

Filesize
477KB

MD5
cad86ab6c84aeb4fad0efd1cbbcdf7a1

SHA1
c7e556a3aae110c80ce234d3d6b59bd8570d40fc

SHA256
a0da8c5b90d39b4c00bd9f587cc1ea83e81309a34fbea04dd9a9bfcc5a7ab607

SHA512
b5c099c0a100106e1c9c338cc6c3b5bf0dcb3c10b4e4b585bca5a9ad7a871cf4bca6ac39a769495c7efd832d25b0f8cb514309769c4f0227a341562456ff9578

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQUIQkAc.bat

Filesize
4B

MD5
48e00371b08ea341d967a92cd1aca0aa

SHA1
855af181abdf4c20adf06ac96fef5aa71d08a51f

SHA256
9e92fa446f6af8ec1de185aa76d2d372804d45cd3d3759fd3af79d4222280e10

SHA512
07380edb5e31d59438cbad1228c4ffd4a7bd1f7970fb5bd3fb629ead1ccb27b296d4deb8d9729a2d90e9071e37f4613ee351ba38ed6cf5a729633c3462ddfaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYgs.exe

Filesize
236KB

MD5
d7b63e59c8446bee2fc65576d8fbb447

SHA1
0cd853d206f5f18d16e79b02e46685830374fd5c

SHA256
a18cd113662f1cd0aa75a9777f2de39cad230b8b9d8655c7f306258a1399ecf5

SHA512
f8f6cbcb908c22b9e349689c06edf8f11d03ad01457978c704f245028970ccbfab374bb41996834545ebdefd1885240606632780da8add278180e9f9a45235cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYwk.exe

Filesize
631KB

MD5
81a616c43ff9060725261567b27d3487

SHA1
5b68b6e3c97d2aa7f4ed1b615410096b340b433f

SHA256
75c82df8b70e17877198db21b8e4bcc240711171f772b42c6afebd97cfab0ea9

SHA512
b2c8397f3ad051a88c2687ef5ed6eae58faead4689cbd58230fd8e42d3e2f3c01aa8767971f93b10ca1321cc3cc97d84d479ef16f0969b9368122084fc1b6b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\McQG.exe

Filesize
227KB

MD5
41d451df5228774a2671168aca29da13

SHA1
aa34300640ddcc43f048a78e8c1405684ec5728d

SHA256
3aa9f5367f123111d9ae5b0a2c2eaf108bff49c6adf001c35a48caac930002bb

SHA512
b39d4be4a178ecdfb50745a47d38c8d94c296ef87a355dbede6e020c1a5430921fbb9b56aa18a9c3d1f513ccd4d1cfc418c24c7276672d698e6a6b7b5f98965f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MokK.exe

Filesize
238KB

MD5
a19c1d811b3f95ce9bbaad6c4bf53f16

SHA1
2181f64e01e8b26388762e0ee6258fbe33d876b0

SHA256
f48c64f427504090c8f578d018182fe96515180e2bc457e3d4393a371d490fbd

SHA512
08fdcba4611cc91a83ba77c2158c6989990dd6a232ad7e435f992747a0e49c8881d5a73e4746f03015d28ded223f1fdf05114fa19ce2dec6aa3e890313c38809

Download Submit
C:\Users\Admin\AppData\Local\Temp\MssIIowc.bat

Filesize
4B

MD5
f6641216b9916f8a94db8595d9979bf1

SHA1
921b5c96d04da506cb9b11b3a26ccade1b4f7e60

SHA256
5c84fcef339ce77af1dae066cba446f87e4989b86361652a1b7d189ea0fe6871

SHA512
001740c198a8df133b35f0fd7fff2c0a34cb30ccae1123f151f393587c8ff93145804c030a846bf76d0732d8625388399e8306be43e1078eef1fd8e8bedee72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwQC.exe

Filesize
237KB

MD5
0bacb07bf83dd7018502a6a89efda0bc

SHA1
3fbdca2418ffd6340885f9ecbd5fd3ea6a735cf0

SHA256
17ab95ddae2da0a032ce325517d237b24efe9256894399d87dea66ed05147e88

SHA512
0f0c1d54d5daf534d6cddea8f4d0c664319bac815c54c833fecadd8f332c040689e177bdab014ec5e35bf2101d50c37bb5223e15bece7e41e67e8ee084375f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeQoAksI.bat

Filesize
4B

MD5
17487852cbabe46001083668d243f3e3

SHA1
e12fb71afe55db4335c1bcae42e40e1510a72624

SHA256
61aa42d3c3adeedf9561fe7c04b227408a0db64527a9a0e188366e0c382a8e7c

SHA512
bfd45969418edb3849719edadb4ed960afd7b6d52e59c85951da06c34120bca8ae1bfadc6329a8c0b59672f49b4b965ec4c378cffab20f937b4279dfd570a9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEYA.exe

Filesize
241KB

MD5
6950d6896b3400023d7bcf8b358a5e78

SHA1
1e6763c8f66ef0764b5a5db3dd03c3f5aa6b77f6

SHA256
dfb58d01c50031e635b9ef162880d287b835299f4b85ee4493209575240d1c9d

SHA512
c8786218a1c380b2b8fc17d51a79819ef9716623fab777da11ade692472675a38b7050626b303d9e0a5e9c8b14ee03acf3b9c51ef94969a59ac875f28972885f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIss.exe

Filesize
247KB

MD5
1693ed9494b3cfe2b027deb0725d8c5e

SHA1
b6edd5ac59ad4e7b64fdee3cdc0ccb0d7109b8bb

SHA256
e9fb64852a5619ccc26c3746d96144ef6020115dcb23bdf46ef738fc0c8ca84d

SHA512
ae1c122375ab4017140b1c3503515cf80d681d81d1696a2e5315b7938163d983f0e8a2802c5cd8abf329f21b734aad7c26cc75e89936eeff1b119f30e932b9cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUYC.exe

Filesize
4.1MB

MD5
f3b5a6d59571b82758077da522e25aba

SHA1
4096930425a10fe7e9c45a988fe01112e25686ac

SHA256
a31499b69734a794d93546d97528e87c0f842a2eda8af66cc07f2a2c13837e13

SHA512
de28d78dcc1ebb97cf2886dd44147f25279b3c7e346e0331f2d04d4639d411f5d68b9d557ea7a217140d3dcb2e53edc1c40d83d86a25a70100e8bb4ffb8745e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUoI.exe

Filesize
320KB

MD5
3461b63a609fa0d5f2335cd03253d026

SHA1
fed544bc94bbcbc6e5ba3d6318332f69d7e4f6f1

SHA256
a39db5477340fa6e3961723e8cf1e39a12e7325e827d3238678a2830c329888c

SHA512
3110efb4330188baf53363a0dba66e41938657f96eeaa065e5bcf326751d68bb44a3b6e807193b8f474849126f93c3b158bc6c8a1eee5764630da26e374ebe55

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUoksAcQ.bat

Filesize
4B

MD5
5916587e18ed8f137fe74b633bc39403

SHA1
592e305793b8a312cdd00caac1c3fe04c8f43f0c

SHA256
ea0243ad37ac604687ddc086c351965bbb1d2728a9ea9b2bfb950960d2987f5d

SHA512
75e7c41c33b7e3a6d1b91d98c548791274a2fe89e67f9f2b69aedb5b49b23211fe5d947ff997e70ba115fb8206998509777b6c9db7e20fe5211695a9c2948fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkAo.exe

Filesize
237KB

MD5
7199a97c2dc65af352e94b9dfae48a37

SHA1
8a3e434e608baee5f6d6cd8592d4101dda1eb246

SHA256
57f8c97ecf88b5ffb2428f16398921daa9ed74dc13c79c8bacb4905ace4b347c

SHA512
9ddc5db3906dbd8b20ca786655bc7644e0b51a0b252dc888f4c48511065fc36cc4c5f37e00c3fc72196f1b74d69d5df1bdbb8cee36c9e0e385d916da8d1be6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkUi.exe

Filesize
234KB

MD5
95fbca1990d57fd804a5b0ae0effc208

SHA1
82866c663249b7eeb832ef92d0b445282face126

SHA256
9b8e74e17583de50b83b1580ccf508036c785e674152e16a1f4031d905b24c80

SHA512
9d0ba7b4f3dc2a7f3ea9438d7e26fe514f481aa8231eeabfc4139a9314cf19a88bee109e8a8c77b750e56a616a5d6604d97064a1f97fbd42535b119efa3a5b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwMk.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUckowMs.bat

Filesize
4B

MD5
a43d195b44cacb9b2ab3e84bc6f0139e

SHA1
917b83abdc032d474e3b41cf6ec95567a8dd7cd3

SHA256
9e90dd0b1ebcbe98f204c2526330ab3d43a9d65cfbd1482e34bdbbfe3485e80c

SHA512
a2c016c8e8877d696bb00b0fb178c4ec1c9bc697f9b18d3317e87cc0d73384326afa0386593b46cb24291eb7eb225b678fd077ffd4f5a2230e74e0d0cc0c43f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\PaEMkoUs.bat

Filesize
4B

MD5
ba100a68072b501a50e389fc09b1da6b

SHA1
e212dbc527850bb88907f8785cc3d22643a969ef

SHA256
689d71fe7d81b2a3bf99cd189ca3949eba9ebdc914ce495966230eadcd98c4fb

SHA512
951f48df940b464cfb558d569da43b18ebab20d5110ac2b572133acc7a6022e84feae6b766148e4ac21b8a6f189c9e737b95262602044515051791fbb6f6ddc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgcgYocs.bat

Filesize
4B

MD5
c9b9d16393407f4f1608fb2dddd2203c

SHA1
95f48c20d48dbe7fe58333450b9df24b956a3fdf

SHA256
14513f7b43a75c153d42e9ec1d1871c6edd6521da2360cc88d6d18136dc6e00d

SHA512
eb19540c0b64337db7160087b248cc1d6848f8503749dc85f582f1ddbc4e96b45822e6cc6eef46f1a704d0911c8c1a32bc19f0bd9695b9728c92cb7331d7e283

Download Submit
C:\Users\Admin\AppData\Local\Temp\PuYsgwMs.bat

Filesize
4B

MD5
0a365e1c7bae9a4dae470d5d588036be

SHA1
f1b346ffe80ddfa55c57f800698bef23068710d9

SHA256
83baebdd861e5ee65c207b06b510c3a5ae2ea89362f49961532cb1d581361d67

SHA512
ec6a5ffadaf29ec7126945bad659154ac1b9a07c668b624f1b68bbfcd6c8d5b97d4d192bae0a970847716a95025d06ba5b4fbd338c222d97229114faf8934dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEUQ.exe

Filesize
229KB

MD5
a214799e7b5dee6f47e01fca65d96929

SHA1
f4399f7ffcb5a0a6ff61173db63a9533e0bf5e94

SHA256
66836852119402d6cb29cda8a2d880771a0131f5ba27ce210015d634df565c59

SHA512
ff71f08d29e5348d3ac39ee6c1fe31c028a86414e3c80b16dcec0ac4b73d2613cfab0d598511d2fc23ec30465216b531ec6741c5226136b94d8876dcbc3c2c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEYEwkcg.bat

Filesize
4B

MD5
79cf23d971625e7289fafde4a824467e

SHA1
c5d27026b1c024a975578fe9debbbf467f160c3a

SHA256
1b2cd9b89caa164ec1c9f1870a1ed77b2fb4cdb6552b1e6986665dc7957cf2b8

SHA512
37084f12793c6966c855283b40db741c4c937c6feaf8ee46f13a9d7571d7300685600c76168b35d77d2d50cfa5af6500b0ccfab3d38301aaa88c3d330f144a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEYU.exe

Filesize
635KB

MD5
ee2e4e3261688050381055be582e4265

SHA1
4bd5d7f5c356dcbb1d4f692f82d2db986a1f06e4

SHA256
20b129f2da33de7e77a9a5f09ced5db9cbd82181d7ba0d47f683e60ecaa8caae

SHA512
703d59bfce96637e0970109349ca119e8489c51e952fc7004855056365c9758ef10d2b8d67a2bbcae1d32a9cbd9d3c2014a6e44adf7560d3927ced5ff9292dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QGsoUwok.bat

Filesize
4B

MD5
2dd39834f404043c90094cf994abc329

SHA1
130e1f135bf27c04c4b67e5706e9337a7db5837e

SHA256
ccd0ab431b4d2639a3056f41189bee50c7af095d628d4722055deab7ecf67a62

SHA512
e4c780556790ef7fdc5410759ed20defab23e34e7482d2c24f9aafa7b090f2094fd29992935351edd23763140ebb0cf67cf03cbbc946424355a62f68cd1e9a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMwk.exe

Filesize
239KB

MD5
1a39ed4ea2361443402fb71ba47a2a40

SHA1
7a1f1158e8502e1c708d5f14b307b4af14c3b9df

SHA256
5c4442cc4fedfc128ab5259cf677b17bec4180966391e174d3199bf54b30fe3a

SHA512
426c91aa9a27cc545af313a6fffb0e86dd6f325173e37530384f70fa6d78bbdb54d945355869bd3dbb8770a21f528f8644cb7b8d1a5b69e57221685344aadc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUco.exe

Filesize
202KB

MD5
3ad28e1178a60dbf5e69aa7169a30d03

SHA1
9574974b0f551ac0d2fb8110ed8163cc46237c31

SHA256
ce57847c5748d77f7e237238fe47f4bc7182dd88a9837359cc4533e845a66bd1

SHA512
061d8f7a5200934d71995fb19559241d28f27305b89fc1cd36958ec6c0381a1fc3db864fa882f308ac5dcc3360a439b53cbe027c74676d084f5a67c73d5d9e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcMwYAoA.bat

Filesize
4B

MD5
4d3271fc8df4184ee8a00d17e859392a

SHA1
729a61704912fd10d524d2bb303df15db35b7b42

SHA256
d1c4bd43d9ac4a486d6de2068dfc048e8b3c5a371220a07a6252e26075b43fa5

SHA512
68110d2c8a50f93534b9a647f74d14caac1d66e0a4e8af9fd3871f92b9b63b62a561fc40ccd834ddf56578395d2d0f364abb1b6cc75f4d4fc1d82e809873fdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcQU.exe

Filesize
185KB

MD5
f4ac7a4b75893aee003ee0c3abe3fe39

SHA1
2a3af1618b5578c9631a6c816f36afbb455e2040

SHA256
ba8c9dcb5c6183edc35a95b2f65e7a90323a6a426ec9dfbc35f521650de26d5e

SHA512
3cfd935741972fd2199d5bc68bcdfab6ed4383f877a563d99255be5e3c38e901be946312408649c290ba3a650f78e7de9b5627ce233ad5cc8173d570e8d47774

Download Submit
C:\Users\Admin\AppData\Local\Temp\QmksMEgk.bat

Filesize
4B

MD5
46272c258fb6000b518e935091808f70

SHA1
d9a5ef05928645b299652407498924d9b6ddc96b

SHA256
e1e0ca9fde5a6a6d5f417d66fe8234e02cb01690212df9abfd2a80771891d333

SHA512
a8b5b012bbad2a37e4fc8af9fce4d54e2e8f8d51b927dbef65622edfac8aebedd8ebfe5770f9c67a42c3a155c1ae9261947b7805da325146c6ae192b8b2fcf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoUQ.exe

Filesize
250KB

MD5
ff11540de184b4ef4ea75ab470f3bd3a

SHA1
bfacaa014ad4a10bd99011d27d3372d3ee329a6f

SHA256
cd9e5353398d83824f5accb66b9d47f0bddec736378b4dad9b15438f0b819257

SHA512
0eafbfa247218558c780537b4ca38254def504cb253d51419a230b3fcf066c84b91b8b84e20edf6d3321b80fa232650432edd7458ab1ece8775be95d63d53eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoYw.exe

Filesize
232KB

MD5
3985f9661225248e428c59aaa720b796

SHA1
d1acb786bab436bfcfec0b933e7f7577d36ea746

SHA256
3aecc37b1be25a9ac4c1e09d4286567cf31039708bd11a518901416638750b9c

SHA512
60457769d51c0fe678d610ed7658701900d7c453de865c24f7bf5d2654224736e2fdabf7a0b49600fee233d0cef571ded49697ddcd706791a8c7fefa8813e050

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAEIYMQY.bat

Filesize
4B

MD5
4ee8feb821bbe4d5db19963188a2bfb3

SHA1
020256c5077cac4e00d24d9a326012561c507bb9

SHA256
757a5a6bd9b3ff838f1eb6b03a706da55496631ff23cbc680cf68b61974127d6

SHA512
670bfe41ef62b64864b4f09c095a5f0d85925c6c199aa2e541a46857685811b125558c06959dd1011563a3f5db2a03ee8fd60d5eea6b6b56ae32353545d080d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RiIcksok.bat

Filesize
4B

MD5
b64217c7260f672b1e4ff86a0e3350fd

SHA1
ec4a70d7493aa2e91f802c12c761d060a0980d34

SHA256
9b1bd179fdd73b5eefbfcffa0e9c3c0d5e95512237bb79a4ff3ce89a36157643

SHA512
b6a2d74db62cff0fa5d1fe3833e07ca0f0b16e9f823372a788b71645f1761c9dc016b5e4ca2699d8e491d798cb6a8c4c66fd04d4f3959170eaaee6a7121303a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEAsUEgc.bat

Filesize
4B

MD5
60bc52892519e7f04d958da955412ce4

SHA1
9b9a570ac35025bf10135a65ceec91a58d778791

SHA256
81844d6890fae13d8b13dcc14b9e6d63afea5125169330710045b10cc03421ca

SHA512
715f40133c990812baf71397c5439b334a06e54b94de2b1f0d907cfe726a1138e1de1eaa6a34ee8b390d61a0b31193547dc44a2914c1dbce60290355cabaea75

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMwG.exe

Filesize
959KB

MD5
af95e795d6a14b3118fe3cb532503f1c

SHA1
b49fe806df6e4b736cdb0a161f104c80abf06116

SHA256
3faee25a924eff1b37ee8feb34442a8cffa3da8dac3a40928a4bd546ef8a81d1

SHA512
76cacd9abe88be015aeae266a1d7c3e3decdbdfbba4965f16ab4b056d36244eb1f29f3b2cba48856436ba8cd79fa9ca5585eea1a50c20eee8294009865565165

Download Submit
C:\Users\Admin\AppData\Local\Temp\SSwoAoYA.bat

Filesize
4B

MD5
b49b7f1c127bc3353c1eb129c9e68394

SHA1
0fb2f19f7e572688992f635d1ff70c19192398eb

SHA256
4774e77a98afe3f9d561f2eafa102ca5ee310f6b8415c9b64df28d349d0b3d23

SHA512
24cab212591c3cb04f682f26c55eb55f573df386398d01cae35e0c356ea9d0d7891e07685b65c70e5f557c07fabf4d5d497e79cbb11521ae87f1dfb482819f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScYS.exe

Filesize
198KB

MD5
4e0ef49fda2f9cf716ec19f0258113f7

SHA1
9d4f3b532593fc99f5ff11d475f9da6969efc298

SHA256
331ae5f34768d5f554200c34c2f8b0d96c6d9045095a9c2315ce313f77114a91

SHA512
f7ee38ec5729edd894b375e31c1557f1327fda186bacde2c30c560a562a5a0b87a8ef31d32a3a61201974ee8ca6a818f8525be2ba611faff8f1d03f8871ff341

Download Submit
C:\Users\Admin\AppData\Local\Temp\SskG.exe

Filesize
245KB

MD5
2c3c984dfdc449cd0cfadb991f690563

SHA1
9ac4aa6de15c2d087e515065210a104bf96b15c4

SHA256
a09a90af0ff636a2c6a8606a1a0f2b23530e05136c33bc8b03364a3fe62505e2

SHA512
9d7826e5a0991e2b85cbe20cf64d915da9d4c63874661a11165952c5fede54b597064963a86ca3e8aa79c6e811ea0e5210e98c7a1c1b006d23c5c456da6d50f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCIsUYAU.bat

Filesize
4B

MD5
60a6d17128afb5bab6174eb17f1b496c

SHA1
ae5fb34447d1d1a8375ec5b535f1e97ed9efcd04

SHA256
6b517b48ad29d849e336603c3193fb2b09948cf152b89a0afb45b74bd5a98c72

SHA512
5cee005ecd779a48b6dd529f647aabd0b8f49251dbeade4ef52e21baa3eec1471ca2fd627e62c79df05810491fe6a71828d9ba4b82175818e79e72563ce20cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOowAIck.bat

Filesize
4B

MD5
8e2ec654b1973b83a8d39be8b4dc7a1e

SHA1
e836b3e8d036d6aa0e02a3658d51217466ca7227

SHA256
6e5d5a13987f7c390784c47653a0c8dbd1241f39d8238e12fe3ce875c1e89a94

SHA512
b228952e91b21d83693c744d551cbbbf3f1c75b58add5200b0869be7fe5405e348a0fbd98c20cee3a0c19adb180ebb787573fcf5634d88802f280ec3210562e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUUEgEUg.bat

Filesize
4B

MD5
4282d8a171c2f70556b49125475247ee

SHA1
68527a5043a284dd1e3d9ad451486bd28b358e84

SHA256
484a30853ee01548038d6eee5cd7814b694c4cdf2817088c45b4e640f2bbb483

SHA512
0efb7fc9efc3da97c39041530564a55c0fb1a74bd2c2d4ba9620ead5fa1bff0756694b9b45954da215f6a38b7bfe5da7890526a05f704a7ebe0611a4e7c32d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgIQcocY.bat

Filesize
4B

MD5
3ab22544a3e853bf7020c537b6006d9c

SHA1
80c06db7745b8285754b3a3f19aa1f68b5e02581

SHA256
f099226a4a7baf1d1843e1bd88d28a822237a2145ce461a37b73b394bb957b2a

SHA512
612b2334fec0c8aca4c53cb2582b1702bfc8675be0a185ef1c77652d2aa2954776519194ef7e0b280288ad248a22b3de2ec72028339d1173b0436902faafacf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwwYoEUI.bat

Filesize
4B

MD5
edc75c7562807fd4ae15c6039cc2b263

SHA1
4e7895c1e18a28eb9585392c443cfc8697a8c731

SHA256
89728288d737f6fadd188b714a0e85525ac83d8b50f998f041cc34f078334dab

SHA512
18f06a761d69eb1d8cbdcc0492f5cc2d3c7c5d5d4d1ff87472e80c2f4b5646c7a2c7fdc68cac3321ea85e60fb6d36ee893e07617e127ee02dc95285e7f2d2a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAQG.exe

Filesize
204KB

MD5
7557527a2d6df0e3b18c7518368ac626

SHA1
5b32c3983848193194602b1c2c0a30a0cbb72eb3

SHA256
7325a09bd6a854c990eca2c167c5e58948c1999faf7ea5ece7e4c01506998412

SHA512
01b2fe5806d1980917ed7e84ec535830447af48197c0a90550a5e7305bf75d437e47ca1d588ea53516eca1d842544365d8d5eb49366813ce230a9e5f550ed5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAsY.exe

Filesize
733KB

MD5
dfb208e79c3a2d6273f6ddc49e101606

SHA1
7a21d2d68c925bdd0f59a4277fed075a84807a86

SHA256
6b0b7e0809bb0f3feb4f9c20a5058c47801135d16f3dddb7622afe8fca1a4f88

SHA512
b5f9f514b83c90e69e85b307a7ef1c3823baaf404d089c3f3acaa8e89f2022742e924f249553de1988af77a27a3bc8fae31e57e29102b74d9d4f90080fb3b3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UacIwQIM.bat

Filesize
4B

MD5
5e4982cfe2da82d182e7ae2db98c8d81

SHA1
1f4813b7b7c0397d40e6c507dcdc0838676dc1fa

SHA256
37eac72a6cf22561d7110f54f62dd713827b3b0d9c6e088357c425081b0d6f1a

SHA512
e9308c316fe3ab0d0f6b4aee9f8a2ba7248cbf24add9f955245538a64ffea91c54d9b2b3d6d15dc7ac1a477005849c1fb9036bdcce3b80bb61b12fe3437de21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UggW.exe

Filesize
241KB

MD5
bced3936150bdc29581155bba0ea53b9

SHA1
48705e18ff83c8b358c566cb24aca980833eba4a

SHA256
299a57fc8b9e08cc7c7355e575fc9731668d214c2818641744f1157b84022d99

SHA512
9f66795ef90fbab76fc31cd2de5a19e07be6b719c8ee78393d794582660d5218f8cdc384e009a6f49f76b8f07b577fd7d0ef1a91cae708d4ddc99e1c2138b8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoYQQYAE.bat

Filesize
4B

MD5
ea7fd04be028ebe839e5dfa424feb54e

SHA1
5912b9a92b8751979011706db92c6fcbcd5da5a8

SHA256
a546a998a998a3fb358f43d2be0eb507a4927484b7024a2919465f3c8866928d

SHA512
42706084d02eca04afb9441c942cef3b7e9f3e78130cf75ec370bb91f5239bfd8fd18dcd9fe7d53eb1d86fbb94b28a93f539d502e701c49b1c462650d16e2edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uowe.exe

Filesize
221KB

MD5
0c34a097f1fec7410ab41f2f78ea3c6c

SHA1
4f046d20cca6477dc83aeeed6251b3ed748119d2

SHA256
ccb7d7e828bd0448ed0f71b0539c1ee7052735bdcea07ac7eec8572401aad883

SHA512
7fe41700e40ce91d417b76febdbf6a857d2a07599fcea8834aaf0c824038bb13cbc9400e8aec5e8d7bd5f774612d2cdd1f6c50ac4bf27e22294c1cbb74f186c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UqAQUocI.bat

Filesize
4B

MD5
25e59c5a29e095f931aca930935d92a0

SHA1
20d0130d12a68cd247a02b8fffd992be31383e9f

SHA256
f923489632aeb5e4534cf51a5756622551e653a1c959047024f30aa88ca404d7

SHA512
a0f209a3260b2f307c19070bb363a2849498fccde5f33524af882ca6e1f1c990b41006a7b56bc63d339527896bd626a3278b0c2be57599985c167a52de733736

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwcsUogA.bat

Filesize
4B

MD5
23357c6c0291367511af6ef0351a9b3c

SHA1
3810ab7618feafe273c81160513296b2465ac1c8

SHA256
234e99619717d3fbd5104d390649a45c65feec5f2126e050adde5817517396b8

SHA512
832f7a2d19d470c4d5a831031fabab37fca0546c53a14d098b5ea1941246850b7b1e8967bee0a034e4b1bfac84409a84de7573ba10328c8bf5b2b28aacc6d526

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUEUoUcM.bat

Filesize
4B

MD5
e75622f491d4c34888df369e71500016

SHA1
c6a1184de43fb9c3d9bfe709f1f55d419b13fa81

SHA256
1f7e3d49632220386c303966bca59360e4767e866ae966dd6beedb32a285efeb

SHA512
ffe8879c2f7e98ad06db11f93ced13ebf753f9da1146a4f2c2312c5731951aca69719bc0d8eb7399488127763ba47ba694e7e914f56e45ad9bb3eee995b54aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUwUcYMg.bat

Filesize
4B

MD5
baecce2706dc0f3326a1b5796ff24ab4

SHA1
fa7334e010ec4dc1a2cd4473b7ff0271cf216497

SHA256
26aea1ebb83d613b9b35f038f9e8978d0f7da2c6dca3ac736d48726d987f754c

SHA512
42718348d6ee5c5f6f11d11391aa43db3e32775565ff4a07d5a0e67dac9114a3b3c319af9f88f2af4eb1b8ed020b8b53514525c24fb5473ec0b19ac309541139

Download Submit
C:\Users\Admin\AppData\Local\Temp\VkwwYwAI.bat

Filesize
4B

MD5
88b99a186b89fa85a2c32628b7c4c2a1

SHA1
32c9d8ebb297856ce5b67f73b1012309ca425034

SHA256
4b2881d64c956a9193541c2fd8420813eff6e46b6aac3af86a08f40227ed01b1

SHA512
9f42517aa5ead7ad9a8566c48a7e8ffef91977afb6435177fe34f3d26c92b725eb66806dca65a08c30d514a6b3c9669b58148600f81ccc6a6addef4fe301d9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEEs.exe

Filesize
246KB

MD5
542102dafd04b396ea8526e1893011bd

SHA1
2704b916af71102522c642ff48865ec217ef9ae4

SHA256
1cfa5bef4442123dde8cfc5e50f97bb1d1086b38bee27bfba6d237f188fec79f

SHA512
acc8b2790931f8092b74bdb1345c4fd7331eb721c9474cc135ff2341898a9e6c26eaa7ab2d099cafab891eb8266ac7e5c9b2709a4e8769fdbe5a1ae0fbee6c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQUa.exe

Filesize
228KB

MD5
ad81723648a92db40a3c82332f4ac27c

SHA1
85f3305a412d446b7fdcf1c8e251c7ffdffc636e

SHA256
8b6611cad675abee6a466eda4c9a96aa4b6f5b70d1a1829ccd5b207e0a982550

SHA512
15cb6bb582e56115e7b0cada85336031f871888ded31710e0088c750215806cf9b24041c28fbc6d527718288465b3b06131890b39f2612777d74506fb572bf8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSIAwMco.bat

Filesize
4B

MD5
f77192267dc9927b6308c0ac1977c1a0

SHA1
96c0aefd412fb9cfde4ce68235a2f46952cbbd14

SHA256
0bdf531593866877211021b1d50703000391111d31d13cf0a4bd9bc1e428f19e

SHA512
4c061e5b2a7da756977d5162bffd8ad38eebb483853db270e911bcac20ab203b84cbd37a34e6c9967f053c1b8fa6c165bfc13e17ae6ab08e4f41ae4711f013a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeAYsrYo.bat

Filesize
4B

MD5
0b5a31455dfd4d0cdea55b82524c5905

SHA1
7b556976b7c5662a4043051f41da69bbbe224c45

SHA256
b15bea4f8e6fd007906f5fd3f5564e88870be598e21d3465f5d2a17ada1985c4

SHA512
b27cacef261172969cc971dd4dc03f5736dedb859a3931b024e1f2b587fd17f132fe33d814be20df0a51b1a4992176c580148026726cf14dfdfa219c6aadd9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeMMsoMc.bat

Filesize
4B

MD5
77e37f898a4b0f81370561f12cb1248d

SHA1
d3fa75952b98a8c8d326526eea90b4c06a9c55bc

SHA256
285e477b5db420d7912ee3ffc45bbdc15a4e28ea982c560f2f6c7c03a8a57669

SHA512
d03d2b25fc45b0050ab25c04524011576f15cf2f45d8426d220b33a4dd56e44f64aa5201d60afdebf6361d8e7d851b50af46a36c8543893d9dbcf21403135aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkoQ.exe

Filesize
583KB

MD5
70df90b34fc605c2974bc9a1148342f1

SHA1
8db960bc1cd9fd7e0b0ddc86ffc38048c8470dc8

SHA256
c63bec0f4eaf27275000ab63990a65129cb92c72af42548cf9af3a2b5a285d6f

SHA512
ace76d17b1da5a9dc49e28c49a974a304ca17cfc31d1ebcae30abf5d27566b1ed94b8e5e5f084cb185573613cd24c761ab9c0f70ce1d7a50a3f0e01dd71726ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoUK.exe

Filesize
311KB

MD5
e6993f78a93e147be2b1b471d91278a6

SHA1
3e574f7f10d4e01daf67540c84b9098a8bb7005e

SHA256
31343024a4ba6690532bd2cea431a69948d4c19d2797a4516bf91c9d3b9ace67

SHA512
4d384a330de2f00ba4485e2869283f745fcd919142f87d0f1e5887a4d9a888fd8f3f0ecbac28ed63a82cf6c81afeee7179c971c0a0a7b6828e7015c1255cdc13

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsowwEUs.bat

Filesize
4B

MD5
b1b57b3455b5a3d08958f0b2f708de7a

SHA1
4cb818f223a444864cc4591a2caa5051f2000cb6

SHA256
0f4fde52c009130653d4dba83602331c391fb0c81f774cad0d9951b0c81de2b6

SHA512
2626a362f451027f98a987545fc2f7b233b449dc2e3647cfeb93d6ebc06219c10fcc0dcc3c7e3afa6c578f78d42ab6a7df218bcda96ad08f6b17889bf759fdb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XKswYYko.bat

Filesize
4B

MD5
986b6b1447e898806388290a08737c7f

SHA1
cef20ba562b5c2b754c7798ad971aa0d5d90f118

SHA256
c0105ce6971a45c96e5a9037d82aa99032f8f51a642f88a5344683ba08f9a743

SHA512
054e9d93be20aedfab2ca58f226b407df66de5565a4d1ab9569b02b99f515feb9ef8a4d7fec15ea8b904b73e157789e22644806ced7a5697ed3002d5f7304de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYQIAEsM.bat

Filesize
4B

MD5
562169bdbe4e85ed57bf7572026208c2

SHA1
50f864697cc26c5c0eb2fefde90de9e064de0685

SHA256
8a3f84eaa81d1808ea6c7a052a01c8bc8ccf362022a6d31bf58924f17b8d6f8b

SHA512
5dbf606bab5ca25aa46a3f872ba25a832d3ceb9555bfe1c84edbad7aa4232e74b739cc26aca40c22b6940d94bc998d10a467c8d55b76a59b0c10512d553929d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XqUkwEEE.bat

Filesize
4B

MD5
dfe05edbcb518e4a0b7098e5abd1456b

SHA1
89122166f96058cd08f8736df8a0bbfa04256028

SHA256
b327dad48a573b84dffa0a93f32007b16f7fd596e5f2f56a15db53b99320bce7

SHA512
32995d7595a17eb685db54e9374a9ef3e68ca93b42dd53b102613fb24d6d7152cbe361e4529166660cf26e2d32d70367e16cc48dad7463fa767a5a5e7ccbea76

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIQYMgMA.bat

Filesize
4B

MD5
4d6fa73053833c82da7bca4bf9bcee38

SHA1
166b4a2f37960a4e5756680836486deed6f4c561

SHA256
548efc084766ea7099a2c2a919aaf81d748aa294359abb992408aadf6cb07ea0

SHA512
c04f5c153b4dcfa228a0639f1c50b493cf0d97d5b929d0de0e85742d1e5f740e54e20c1ed7f5213f11287dce64425457bb8b7018cd539c85f55e1367ffba54c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcIa.exe

Filesize
184KB

MD5
f2ea85dd16f0581ab95585b7c4028987

SHA1
ed08dc9f87415778d84206f947f7e1c4fe3e6adc

SHA256
357567e39a5327edd5974cd54356170d75abe48ae6037db1ad7ef8c2aa428635

SHA512
4d1aee7e97e0356093dba7f0a3833918799f53c9c65185cbb98d6ec5b2e9aabaf56c25aba428ae28da5789bae4c5cfecb3877f9672c347846bf25a5e500059b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgYe.exe

Filesize
206KB

MD5
8735283f68d333a80d7dfec5486c311b

SHA1
6f4584b30863759373db1ea6646a1cfbf11b9826

SHA256
5da0fa4f63156a06ec41d2adf89d648a8ed823d2644bdd615ee5f6540c550683

SHA512
0d2e101e543ffbd602b7a0dae12690c70555c0cbdf5fd35f16c0ea74b7cb7d8f47d733293bbce015aa97a48bdaa960ee518553f0cb4ec6bd28e9b93c279917c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkkE.exe

Filesize
957KB

MD5
9117dc658a4307c61dd2d471977ec426

SHA1
ecfa04aa6109b452504a20a3238d991dd594523f

SHA256
c84b9d40982e74cc850a6428c368049a6f36c31503fff11032f1d7c262fe0e85

SHA512
a9f0d61456cc4e2defbe0b96c35d2ea7582597252b3a222f69d5426e5649c020329a953d0736c3f65219d0e5c39409db0cd9aef29aeb4f922ae31f9b0082282c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsoA.exe

Filesize
233KB

MD5
62edf15b5b8b0e7c9bfe4b9f072a31af

SHA1
a37eb9717b75fd55e756160f1ae856568f1b9ff0

SHA256
9cafcb7ba67683e8c82dbd216cb9dc72d57ce83ec5973d7734655cebe322ea07

SHA512
1934d057583c68b672a69edb82bb404a11ddec95a68c242e50bb2603319c7054f2e476568573ff6832145956f54383875e759c09b60e480cbe4a40ed90f9b358

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ysom.exe

Filesize
193KB

MD5
c0c7b3ee9a717487178f5af9ece22498

SHA1
878bc0c34c6f40f01869e62104c0e5f5c453d1ac

SHA256
4d71e2b6f4a149ee9e8d7bb4b7c74b9ec6ef369ff73b2facb886da98c05b260d

SHA512
0c3c7659f609bd8bad400ad081b013fb33f7ea86a8704aa47fc6fdbdf09e8fd8f0e4b13c578cddeb3d51aabf771b7ac192f173b4db32faa162ca25ae346a1af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuIYAwwY.bat

Filesize
4B

MD5
d5ec6f2821dfd9bc950816f1af888a0b

SHA1
62512573d7b05f3823309ea4d573a93662f4cc26

SHA256
85e47cdd62dfa5c3882f1184a302af87bf6ee0c8b76262fb2ad36fd689f1e54f

SHA512
a0eeba898b6f684dc69d7fcf50b9a0a9b4d7afae8f46bd88af675bd56afb3f7e05dc29012d6db3246585220d429c7e7ee1d7ebcfd5cc16066a9d89e0dd5b46cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAQwQQUE.bat

Filesize
4B

MD5
8d154d6e7758f317328a0680a36b3ed6

SHA1
589725aed9d502b28dded9222951daf9cae9bd67

SHA256
bff4e270198b492324f1735622bffa0b248a9901e8364b746fd0b2175298fbf5

SHA512
9bc13e822b8ef717f69fb294394dbbc813c0e7b1fd4757ab59c23fb851d177e271b590811d03520981f4541dc1feb96c85c6374713f49c216181c2200ea48bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYIYwAwY.bat

Filesize
4B

MD5
b2dc061944b245fe6c3920d42e96595e

SHA1
9504c0390e99ac684cac6e0bbf8903cf4642bfe9

SHA256
ac78aa65895c195f79d6a0c7daadf3d6822000a94657dfdc6d84ecc3ec203c6c

SHA512
e6a19777161b1a740da2847fb11fe46365df33a793c0248dfaea57829bdc536f058074a1c100831ff5ac584bdb55b0a02bbc6bbb5a5e129d00620c3be58b425c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYMy.exe

Filesize
232KB

MD5
cff811a808d7cd3fbcd2df1a65b66fca

SHA1
2d10601f4248289d5577cc5f4c093645bed47ded

SHA256
e7da9d05d6e1598fb4b9a1c93a3a2e23abbb6f685c7aeaf70cdb7d440d78aab5

SHA512
04c8d724cf51228b872f931c9a2b797afbaf526a271e069c2b10072d3acf9ba1f3eada64d69d00c6e1b2f5069fa6a927caa8866a2886ead0218d6d8ceb0312e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaIEMkIk.bat

Filesize
4B

MD5
c656f2a6a4932da9139242bf6427e447

SHA1
83f4725df6442977e9fb6e74b24df25c1350575b

SHA256
8943fec176e84766c8541459d49e8b4dbc21db5a5f37926ad90c766edde9baa8

SHA512
9a6d9ca2dff8499315567d97abe5e3b7fa196d3077a628c339777f8d1ed8a9ce768911aca0665e202131ca5d1a5fc36b30fd7fcaa01356b6e295235a176f3d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaoAcMMI.bat

Filesize
4B

MD5
852bd2cdc663b563a2fc1e874517c695

SHA1
139cb94585f79334f9eaae05a1e7c09e828b6eb5

SHA256
b8f2110d2cfc99f9f8760edb89d9c8220b3eda505533cdb36ec3234297bb9dc6

SHA512
28049299ba5495a1030c5219f973c4973275c6aca139c87fa40f740305d4597cbf1f7079e55c579af9c1b752721a961aa6461583d193473751853890f5dfcebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\agUg.exe

Filesize
566KB

MD5
a995ce84a6ecae45f0fd702550b6e01e

SHA1
4aae61b3b91daf02ad2b22d69f66491484390bf8

SHA256
c77d239bcc6c3ffa39ff96e38161445938c7a85c5281e732e756e58fb766cd11

SHA512
7222a023b192773604c2fdab817c3fbb883402207ff189d30547ae4acc149b65ace77d627c1e40bc044c06df171a836ba7c0fed95afdcfb1e8ac7ae2374037ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoYS.exe

Filesize
251KB

MD5
af16356d2406ce0cc7bdd2054266525a

SHA1
c33312947a59524e9f94981d28941cc8682255d4

SHA256
ae1e2a137610cbb30433c87c6e683e5808ecfd98d0f5261141815542de6e96a7

SHA512
23a05e6433a7fd5e73fe77c3c95a7651c3d9e80d5e2d835187cf03f6591bb3fbd4ae2b05a74cd4b53c9f507daca75d27982209c789a9583cd15c995aa9ee9c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aogI.exe

Filesize
413KB

MD5
08589aaa44f5b942cd9cd290f16a782d

SHA1
da68d63eb880dc90c5a07fb0ca40b8d502da4fa3

SHA256
44d20534271a95b45f959aceb3bd171bbebb6a925b72b551fd5835ae8ef63606

SHA512
b68b66f7739410e5b6a0a778476a25495943bbe2fbf6a61706ada42591aa822da8868d0bfaab437747c3292fca2900efec84656cdc5a9424695fa1756d2310e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aowI.exe

Filesize
573KB

MD5
6a25197974a0904330eac1520ea3e2a6

SHA1
964f7b8953027b94248582a9916b769888e07870

SHA256
3baa22f4824b0850c1f2e218a953a2b53c330661a5ad259a75ea4682e97887d4

SHA512
95e1d2ece673635487bcd8f4b314501b03d74e1fd30d30b4bd7e18bb3ee2b014e53628c10de4f92b0c68650978652011aaae3f83ac5ce17f9df84ca890cf419b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGkAcUoI.bat

Filesize
4B

MD5
37186293d1a272922c1a4723e1310b7c

SHA1
aa64f7af7e9d233927b58a31d1c4ebb3dbfd6f01

SHA256
8fa9d361dfc88db076ac0093f82845944b62714567ab83bf289da67065623b60

SHA512
edaaddffd53b83029d54fb7ed994bb82741b7a62730f034887b27c3453cc22a27105ebadde42de0e9049db72f4c7d63653072c552783d25bef879cb7adae3290

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUooQUQs.bat

Filesize
4B

MD5
4d265b71a5a5a1dd3a1e93ba71a59ea9

SHA1
a4ebff86fcf209f4950e7fdbb81fb132c5e553a3

SHA256
71302ef0d99e1e4c133c0165e8fa2e261bd255871b63617e2b5040c5335d2eec

SHA512
b398f37f23b5257f7f899b627e1a358257db764550c834e239d22e14a42a16d14294f54402a6b1b808fdf253be25112d9d8dd14072369a7347a925340269dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmUAQsQI.bat

Filesize
4B

MD5
de9f6f553b4c4dcc3fd77cd6755ae560

SHA1
ccb3e1bb479d3d0791e4d1b24c3033bde22ae174

SHA256
7be35a4cb7934030f8c6cb916c4dacbfa4510f20d3ec3fbf7c2d125d048813bc

SHA512
3687d1e9c20fedec1d0934d16d35aeadb76c939b84d07676ee5717771073f495970575fc800693a676ef09bc3f4abc644bf3978759b74c104bab2bf3a1264896

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEkq.exe

Filesize
691KB

MD5
d1561267f855e65f0fcaf71a488175dd

SHA1
a805e59ff4887a99d891bf2d2822a864d925e9ab

SHA256
2b7dc167288149b53c34625f7d609bba9c5344128af4bd6390115da0e6ad939a

SHA512
f5b11debc84376a5d84cf340250a96d441c5f3a2b495f0d644cbc96b65a3803f423f8ed97f1af13823ecf80e02853b92f78ba2b70d2f021aeba4e63e5c5d1d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\cWwYYQQs.bat

Filesize
4B

MD5
ab51f11d1cef651986739edbf90da754

SHA1
c0c6a3012ab589d192ffa8ecfc8c089d439dfa94

SHA256
0f680ee5548827f05b12442fff0589df4d6f61c44f7a9a35b2b2d8aa8986395c

SHA512
18fa4c0023b6f595838c8684c39e5b2177973815d508cb2a30ae07286d48c6190263be91da45f29d68ca57959a50e22989c54af45a4af0e33c15e970d048febb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cowA.exe

Filesize
237KB

MD5
efac8821a386056921b0a8a1303b8110

SHA1
8e3007fd958953bebb8ba497d5c4e13996178e02

SHA256
86af76f9a008f2b1c9c163b23beda4f37184fb8f97a62be95b11ab4164cf506e

SHA512
b69e54555a2122425bc30d2f162b5ca60191b27a01cec94a43bb1edb00509bcef78850f5f840bded4480ab9a171d8a6651752b87708800cb7d67b7f20077ea7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\csAI.exe

Filesize
761KB

MD5
aeb36c78875c371a840c7febce6d94ec

SHA1
fc9ef57ff35a7303c4922229509dbda5cf87c94f

SHA256
58c64743174a9337280e1bbc56e580960b3dc162f610a698203c4a33fd336c3a

SHA512
59ecd2921983e0415be3987104a01ff5d89cf274b6ee77bfbf01696a6d469d38c353640e6540460370b38a1d3275753e1898b0719f6d75faf649759c5317a885

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwwm.exe

Filesize
642KB

MD5
9b0e027887ad55e4fa08f53f95d878ef

SHA1
580a4d427df8ac8988ec673cfefe837fbdc3c3bf

SHA256
7bb6a9791bfcb65007d1b3b48635395e8de27f7aa7331fa5fd15c8bf4b2ac6e2

SHA512
6b5ee3c19559d4f8f9d0940c9c7927604f4c5b36f77c025d5d518395da57e394d9b7e48fbf1186e476b124c3df817a2dfc32005fb2d986b8567e1c8a108584a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIsIEwIo.bat

Filesize
4B

MD5
489522d5a234273214dd26e8e7120f1b

SHA1
eab0468d28f565be419d0b3df8291302b22a5877

SHA256
d9d13e50a5e1d2dcfcb521a67577365d6e106232ad961b1fe019a99331c51232

SHA512
c146813cd7fb688212e07725d6ce5af949bd3ed67c76cfbb659bbf6a46f24bbd6e1fda956e509281f7c8f079038012678ae463291e4a7bfdeb0db3788505c521

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQIQkwsI.bat

Filesize
4B

MD5
15e70ab1901c038c68848667cf3f11db

SHA1
9ac4a245ca84898b7f610a7d125fbccdc45dbe8b

SHA256
bc89470fa57c4c759bde7be72dacf036daf0123b7b576f21465131224a469e69

SHA512
20a192580e2792bea7edfdc8f060cfeb37548bf9fbbbdae92c39c61c6d80d5565538fae17c781d8fd9fb0d7fee72c9f382196049b2691880a7c8e93afd3edc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\daooQMIw.bat

Filesize
4B

MD5
496803e1fea388e6c71bf09bc638cf3e

SHA1
43e94dcac035dfe2506ea25868bd2f905f929888

SHA256
250f235a08a326558b289bd2e5bdef31a5aff769fd577e432bb8d337a08ed7c3

SHA512
20c65d58d6892a3206c7666257b65e54b250535c3cd28948aef00ea97bdcaf924fe8c6e9876ff039bb1caaa17f348275e298225c1478626ec3f58d59e8fcd81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEUwMAYU.bat

Filesize
4B

MD5
f1dc174f4de842fe6f0742dbb21a8ecd

SHA1
de18633ebf64cd20fcd5818a73604ad3fda9b3c7

SHA256
89b4e96956979f10b1bcbfc2b8dc3619b7ff686baea990750d1d9625007d6cee

SHA512
0f5b4206e9e730cb501dbba9438b0411a66bfdb68f288d1a948e7b6037cb5d1c9ab42f673cfe97d1ff45eb6a835b45f6978c554c5e123a8ba09bf39501f48ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIos.exe

Filesize
4.8MB

MD5
52f9b2f31c2e7d854c94dae12e15a0a0

SHA1
b23e60ecdf19171f44b6b65d2b0db5236b2855e8

SHA256
d621009eb2afb2162b209f5ea3a56f286942e0c05a6d0fb193e24e0852bbfdd5

SHA512
2c517820533c0a0032e2bba066008372f109ac4fb1f0b347713fbc5ec731373f6873469f4bea09f7906406b6b57470b1180fb1bf17618cf677dfa2d3878eab71

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMMA.exe

Filesize
212KB

MD5
35861d0ffabe1733aa45c678842641c7

SHA1
c9cb2e245b9f3f81ef1d750646979167ecca86f8

SHA256
518451a06f879ffac9e3f639e8cd872472dbb979503d723e89ac8cff258e197a

SHA512
c4919dde8434cad904cb36cdfa549b9ac4fa043b044acc3384b3143829b7ee68c834273da42853dc012e05194eea809faf593de879f0ddec2752fd35cbadd940

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYcG.exe

Filesize
243KB

MD5
ca58f967424a7655c9d380fdd02ac218

SHA1
1d2755a2585d296beb440a838ce8f6cf981da16c

SHA256
be68afbf0330dd5d658e56080fd7f6583eee3f3aaee324ae3a44d018b4a01a8a

SHA512
5b2783077a5d7fe964a0bc2009e75271b31aec4a16e2d7cc3ced5dba2a25cac2af8093c5bc9eaab6c97832db53f37bed4809384d82514b6035f2fee5a0b93643

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYkE.exe

Filesize
192KB

MD5
4484ab3113c593ed442b7f412cab192d

SHA1
72032cb83e28e400518ec7a5fad3b81d5ba96881

SHA256
a885e2ef661ca3842a1b55e6095451ec9ef3d0e18e2171c7c8e7f51f57ad0b31

SHA512
5c460f76bc6f352a23a63a1befaa1442df53fb836080695d5665c55524551b638df10f22cf9570165218e81c137b43a7fabbdb5f8e229b85d65c0e76c0795de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eikgYwAk.bat

Filesize
4B

MD5
fd0675e76712b7e590a36982f14b0b87

SHA1
39e79f9694f3551c744fd2893dec872f2202b1fc

SHA256
a3b1a276f8165f7f026c38ca72fe58e55ec0f6ddf667a4da6ae4e067d5da8318

SHA512
578b16feb9bf28a35ff6fac0b0f89676674950cb1e446ae73825cd7a25ff45a3c6349923a83516642be342cde35274987040b914d2c226b3e36ff671177b0836

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewwE.exe

Filesize
227KB

MD5
210f92897c6a197ac379eb7c9bafe9c8

SHA1
318f3842f5b2eb78b138e80b4e2af983eb053fd1

SHA256
28c905a4b1081fe9e35542d8aab0edd3acf2c655337dc13269f5f5244fdcff93

SHA512
4eaff542d500dc1f0d17bc7a454fc2fa2b628f6f220aa5a1b9dd473ed2461f7b29ce1494e2a4fe3cc0800b8457bc9ef065b9118929fb6ee88c88d0ed949a50e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMkccIww.bat

Filesize
4B

MD5
f19846f79974ad3ae5a45201dfecbc17

SHA1
1f5ab1b10c23eb23f1b8848a9e1f4156f4778b58

SHA256
31ab459ad24fe4ad96fe0a5810ab0ee7ecd6b1e9209d332a0e211eb6df518478

SHA512
dcc689519e5c99b55edda4f091cf2be660d294fcbaae087dd588093ac8c0e9a4dd9129ec394a43614aa7129f4a15f22fd3e6987cded47f99ce0bd0f64804ba9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWYIIEQM.bat

Filesize
4B

MD5
046cdcf905be5488c6f983c6ba2997dc

SHA1
5d702957832b9992cbcbe42d07758a28635e3b72

SHA256
6b9782629212399ba37f553a52bdec60d344d529675441f1f5ef7f6caeef58c6

SHA512
7a5829dec0cbe90d7088b064026656cff75fbe24966a63a939c8efcd6965a09cdd0145517d65fdaed64d54eec23aa032ae25e35f1b8d565eaa6c9067667b8079

Download Submit
C:\Users\Admin\AppData\Local\Temp\feMwUIko.bat

Filesize
4B

MD5
1ed9e1d83de358d965c6849585bc8137

SHA1
d6c188276278f17ed4f5890050ae43108abe8a23

SHA256
1bb1385c0c7030525c7b0e670118c44163bd2b784b7628dcde6a237a70bb8bf1

SHA512
d25a5bd0e4bb5d004efbde8e6bdf064fda9d35b307c976658d04bbe2902d80cbd8be18e98a6ddacd92947b44f16d31596855dd4f536bd14ee2c30b0d4abbce3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAEY.exe

Filesize
226KB

MD5
6367ed4d57ee15046e7d07d16b4ca0a0

SHA1
1a85cf7387a990121737331806377549e6974a3b

SHA256
4e0485deb945537ad585dc9dbcf736be835fde56e538f94718c3776c1fd3fd90

SHA512
8ac81a66e0a2064666321bd1be4e578fa8fefea69ec653e7400999270688ceb3ad32d25d484ed9824c3ade35b86380333ad4761f4e0e2b42f859c0cf40d9cc6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQsO.exe

Filesize
206KB

MD5
fd965cbb64fe766f9a09f79655bddc5c

SHA1
1fccfa344abc874076340d2089e00b31b0b8f4cf

SHA256
45d53baccf07b84a419b9820d0f776a679a3e0d422dbed5f47c3a080d7eb6d32

SHA512
47ffb8e173473b0f0455d3458dd00e1a4aace78d7ef3d67142835b79392bca487e51b83971e66661e2f3734eb3e8028e318b9ae51c1f75546a709e29ff6af275

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYgEkQAI.bat

Filesize
4B

MD5
6b8060c4c79026d8aef3c7850e839d9a

SHA1
133444955d0a7370a767c4e748e68c0ab624a843

SHA256
d1e8663979de6e3deca104d0bf13c50d7cd2d63a213db7f1a9c276e07f1a1d59

SHA512
34c6e18978f8b3ced93b938fe18295b7a7862082e93c0350a9321d123ab7ba3db1c52d75c5d0a3f54cd7265174cec4efcf643367d7c2a21e738bd30241d14559

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcwossMo.bat

Filesize
4B

MD5
a399a28face787f00ec702f36194e145

SHA1
a447a30e277b48c769112a47ea0996a0b1443fd9

SHA256
23eb7c53db250467287d4b4951e36128b8ce41704d7ba40d9076d8421ed4b734

SHA512
2dbd84a92ed3cf3c5321367942970e8cb7541debf0007f9575863222c0e1120a04f21fee4fa48c2e1c97ebdc40c0e20a33317a0e837890d9b518f94de55f65cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\goAoMUYQ.bat

Filesize
4B

MD5
57f284a2230258ae4ff9c8de43a88f4a

SHA1
e287968eee7b3775ce8a2d73994dcef5ca63cf0b

SHA256
279e0b2a47f1fe6f4f5b871e6871e44f5e12f9b2705e15f0590fb834be00a26c

SHA512
2223e956d213e9c2af20f421bfc15e77d00bec51d09c34ff1a3b869430a382a0ebe0d1b6178fd0a6cb5862dbad85313b0fc444957575e2313d5ad0ba76ffa934

Download Submit
C:\Users\Admin\AppData\Local\Temp\goww.exe

Filesize
949KB

MD5
5aca3e85ab752776488b0ef850747a67

SHA1
f36677fc29a1663f52daabd63f0f9cb65d377fc1

SHA256
e1986eb6980ba74ef6a93b04d4f6bd2781720ac3de1396ff76512997a996cd98

SHA512
ca6a70d22365ddf10fe2c2f1ca212450fe5f4a49c7737a9f285bb4dfa6bf584ae65872107a8ce429949018277d9ff813d83866b864f77d0b8b00f060889a5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwEe.exe

Filesize
235KB

MD5
d0af9e7aab151797eefaaadfa8def7f5

SHA1
8176eb6f2a84707e7011be22dcc035122c587f5a

SHA256
88f357b2b192e1d197859859489068c8d10bdc24bc85a4a606faf1b2234e033e

SHA512
e8621e26d31035dc6083e75cea1267cff54a18eeafd8508c66142f91059cb903a59ab59bc21fea2da5e49e2013fb1da63b456eeb5a5622e694f1ebf501b3d198

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEco.exe

Filesize
243KB

MD5
f14d6cd7e05b8f4fce9e3ea930181327

SHA1
5baeae12063fb9512e6381c69b223137275d3e15

SHA256
d560634d8426ec88c991f895f54bc2c7ce7bfa7bc4b2fe79220e83ef14e0d787

SHA512
262519d836efbb75d2f3a8face2fe2debdfcacbc7a82546bda7aa804fd6cc731da33f7dfbfaf789aa49dce26e92aab530d96f5e8c23356cbba077bf96f1434a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEgk.exe

Filesize
188KB

MD5
d4d5087fd6baa6a6f61490e3694c8041

SHA1
73717246793113ff661fd07e5fbecc4e60b1f364

SHA256
900c22d85d07e892ec566838c959dbc133c67640beedf076955a0d46d6863451

SHA512
e43b4442c3be324c10e94e95e4fde3f2d05c0f63ded15dfc5415fc9676aeabdeab575170ee6c873c59823fede267af80c69de2a0e82cb2a0a91d68cff0bc8eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\iKssEkUg.bat

Filesize
4B

MD5
f160ffe0717b8bb8bff6c27b6b06b944

SHA1
1be76c63ab1a9c223c44e30549a868a2ae811c2f

SHA256
720b0e259d283311aa5e216d7d83fe40ac38c28b7f0fef73071bd05b5e87ad82

SHA512
ae84a82711b267f8661551152969174a86b9bcc9c955c68a26a1b9c32c9fb626a4f5fd968ffa50c10134c3704b1199930eee6205c5ee03ffad2b41a471180821

Download Submit
C:\Users\Admin\AppData\Local\Temp\icAC.exe

Filesize
199KB

MD5
4bf4ef10a8003c8ecb89c94eae9311ab

SHA1
013ee62ca63e2b104ba90a299905b5125eb46e10

SHA256
4b06ec6a34876020a74c75435ee985dfb0de016f72cd46b06c402fbfff5f791d

SHA512
de5b8c92955238c7e1cb03e40176a63876dea0cadd858d191415d31206eb71f249f672e2300f350b6f78c89d751cf8aa86fa6b3ea68e69bdb95744088ba6321a

Download Submit
C:\Users\Admin\AppData\Local\Temp\icYy.exe

Filesize
484KB

MD5
074f063926765362364d09fa6ccb7d48

SHA1
cb9e7919c297ba27722b2346a449328c09131436

SHA256
209316ba771f60f0352b13fa6affd0e2df93e79f8e241043533ebeaefd17d11e

SHA512
a8f25f428340be244a97b8aa7735049e1c08fcfa557c0314c4f491f3f055f7889f33ae57f49b108b1920a7bcc3b95c000b81b6dd638452c84538c6b95a3ce0e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\icgw.exe

Filesize
681KB

MD5
fad8adfeda1642e27f71c941b72eabe4

SHA1
c26fbcdd1ba17055340319da8c56904b829e753d

SHA256
50bc842f0e91f646434db03902274575131b730a1399e2d63fcfd1af0cac8158

SHA512
5b3e2a45593e6706d72c37a30c0753b24e0f6b2c38d863b3d1c99667c7a279ef338867b2447678c173a36f219974244a0e05bea657ea260e8b13fa1af09990b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\icsK.exe

Filesize
975KB

MD5
bf8cfe139c62b05b34ba33ca86d052b0

SHA1
ce1873bfdda231e81faf2d022647d402dda8b164

SHA256
63698ae4634a646c8d44100276c9441863865bc00c29fabb041551ec60588f02

SHA512
b56c17b93c04eaa54002d50f310977c99042f88b52d03f99497bf78cfba2921a09cb11c0b152064451fe9ecd6aea23c0ce4af84de8b37dbd09565b2523c75792

Download Submit
C:\Users\Admin\AppData\Local\Temp\icsU.exe

Filesize
235KB

MD5
232210057bf8cf3b6a62726dd093d570

SHA1
01adbe1185810f5aad5cdbc13489171d0e3ffb91

SHA256
35bd71b7db3d8ffdebee121e716d8257005b32692da6a10bd906a8a8817af201

SHA512
b6476ccfa2387aca79b536aba839e11b8bdcac22bfa1780740ea413d3817cd6b676216870e7bbbedc7fcfbaddbbe3a70618d6683ff32d639b849f8d0a4e3bcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\igUU.exe

Filesize
243KB

MD5
569dd844848a2a6f436e197376753319

SHA1
652cb64fd0ce10820e56702221d0ef54b22e3a84

SHA256
8fc89159369e8001a8adbd77fbd466093752d3015d5dadebf90d50e902dbdd13

SHA512
073d07d1309e6fb5ed31ec926e620d11bb9189a50af4cb666d879c8d383699feabb2b32cfbcddd639064b47f7e2a3a36dde8578fe5b5241308200a155e43aa10

Download Submit
C:\Users\Admin\AppData\Local\Temp\igku.exe

Filesize
225KB

MD5
3ef9ff68300dca3990d06341b960e6fe

SHA1
150729d438713ab1da888a4c69abe55876b041e7

SHA256
c8e6398010994d23e2cf7657c9ef20ffe4cb37bd97f72e935ae28e8d28aa7eca

SHA512
5034960fb36669beb0bd58cf8ff36061440f22bcef47084098618a400e8b35e330077a00ecd8d7dbddbc8904d92bee80145daf1e1d0870f490d4c6906646c179

Download Submit
C:\Users\Admin\AppData\Local\Temp\iksg.exe

Filesize
228KB

MD5
4c3b860d882f72bddf463c2ae33a9dea

SHA1
dd60a5ecd25b3876ab3b715b8af8f4372630eb23

SHA256
222eb9f423655b479e99c75eb90bdf1b0ce2e11b91ac0b9b7c615347ff45b862

SHA512
17dfd7c6bddafe9d93f402f0495c426b47ba19cba05c3d5e027ed72446f278c659aa84cda7fb2323107ec5df29cf0e9b5787c7ce295d80059bd9aa42fa781eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwkkgcMU.bat

Filesize
4B

MD5
1db7388431a457607a7b03f769879e3c

SHA1
153aa9d05c8a14b6d0d20ac52ba54127d1657d85

SHA256
0f9784b0d562af64a89f08819f211ed202ffcc595554b07ddc42e13225ba8c5f

SHA512
fbed5260d568fe2183237cac45a2bd7f99ee621c58378f4fd098e4f211fa3009cf306a39e9ecb08199e0a5083f47d0885ea56bace4d8a48e59d35a48ffcf98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWIgwQoQ.bat

Filesize
4B

MD5
dbbf5fb5b5f92d94ea2f0feb99bb9e0d

SHA1
004a4a10eb00b3b34ff8669fdab70a5530873f09

SHA256
9a31877bed79f1b514eb5c72c7f89284edc17192589a838359604add3e447e34

SHA512
d0066b34ea44772b33576b4d42ff86b7e9372c57c8f2960f48c30ff92268d1f37f09930db78702ba789e938d8c1ef9f301510deb1b85c1cd7e1063d7e998eb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIAC.exe

Filesize
229KB

MD5
1915aaa11fe55591bca5526133b28b7b

SHA1
1c084ef5a50bee2ce0898421ae6db918bc21791f

SHA256
633cc3725df7ecb06c2976395ac126234f5abb68102abbc8b7adbb03c14107b6

SHA512
2c992c06ba4115bb530d9f3e3567ce4905d991fad5162551611f21e09e65004da1ec11dbd980e7de684ee58c610724c90e4ad3fe6c19b5c3c57570278c9b07fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcMW.exe

Filesize
247KB

MD5
c98248f2837058ee68703886d045e3d0

SHA1
3651b4b87e968345a24074450e443ad18959de35

SHA256
f476aa0537c6f50c08f8797489d589e16cc3da564f4ac76d3e237bda97ef1f81

SHA512
572fa0a809bd545923732e4d8f9ad5e5df6faa0c01fd8b69240d1e5ca82b231c5e581e40b01e96410dfe7386ceaa1858b9a77f0781c43857d57447ad4ef561f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsEwgAMI.bat

Filesize
4B

MD5
9f6c9464b87d67f7956b931cb71a611f

SHA1
4af17b386c7f5f7cef6a1a0ef99652e9230879b8

SHA256
039ff8e7083f1fc4d107a9688b9301c388e908088ee8bc63d1f0fce996444c5e

SHA512
e8c1563125882d0b373878bda5fa665a19b51663608260eecac5c37f8722aee889e2e5fa115ec0fe7fbcd69b625ca049e31b3def26c7e3da364eff496d30fe06

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsscQssE.bat

Filesize
4B

MD5
37b586cfef11368b0a851edad4906b49

SHA1
69827b0eb69b396117969c8b10de57ab7dec2ba2

SHA256
35d62fef2bf4ec1243bd7ece30d9b429c5f9f1ba709e6ae31e366017359dcf4a

SHA512
6375a61202b2a8fd58a15d4b1de39606c9b18eb7756ceb1d5bdb61d20bc7d63d5cef936a6f7968ec5978ac5f8967400f4ff3c89d620de293159c2d413a34e9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIcm.exe

Filesize
242KB

MD5
309430e997ac2fdea973e86442f6962c

SHA1
21efd19f41bb8460ecb6cfe3eb8537a955676a65

SHA256
7490376bed09e2200a33b7a416096f138333dc4add3d7cd5c5a3df84a4cb67d5

SHA512
9e3eced7c91d285d43a9c9c4cb93b70b9fe2c827faff425d14e493647f6303f9f43bb9fe0ffc7632c55c2538c1ca13fd109193198906e19080bad4897228bfa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQAu.exe

Filesize
247KB

MD5
b2c265bc11b216a88ea97e0c5ad483d6

SHA1
fc663a6d39af5edd14bc48485d21a50d2819cdb4

SHA256
76873de96335b6252415e46a3adbcb5d65e359542dbfb7154828131b1a097d2b

SHA512
1563a8ce041019beba049a64e03849e7412af126e468f9c6055a34adc96ffc731f61803fd3e9bc7540317ee210166f249b25c561f4dcab2db8a74db9830f7a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUQW.exe

Filesize
248KB

MD5
c1bdbe0f488fe2739b8a955d72b463ec

SHA1
9c760c98c624ba2598fa7615b1b5df2615dea713

SHA256
f9fa6934cf11134f14c04e1dec470cdefb19e398690499118aad9d836285a879

SHA512
1676780d636be4c7776d3f9542423726a762261dc7e828be17359ba3e5f3e269b4c7f1231fac9bf10f82fe5babd09215468d94f68b434ad248b27f5f7b1d919d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUUo.exe

Filesize
246KB

MD5
623c545fd3edc78dd61dc42d266b1655

SHA1
64d353c8ebac07382145a1d786430556fbac065c

SHA256
53e17a3ac340f9e35eb43346ac15afe82d11017657bef706d8e605220a909e3e

SHA512
dc59ee056b6706d8df37645bad046c8e377d18083ee8772ee40573a5ff08115c4e7452e9ceb31b248b4aea8c57032a3d07e2a5cde41dea6ee586003e35b492eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUoc.exe

Filesize
234KB

MD5
83e09aa10f26f742a2adb502233c8d21

SHA1
df9fe536b71b9b4e1d48da177287a4fc7a9b0111

SHA256
14db2539e8baea3c2ca252e562db18424188f4f306c8d09bae8736528cbd1020

SHA512
bbb9347edc42bd1e3f8cff1f41c1cbb43a74a7437a95b1ea9f9958fa0d73ab78f0a4c75c5a13e4e448e0a270f21869165a2853f2ceaf44750ea562da975f5820

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUsMYMwU.bat

Filesize
4B

MD5
02a257de3c4e61b7938ff16b40b92e08

SHA1
41accfbf202bada79397b3cba126bdfdc14bf13d

SHA256
fef44a846442ecf87d726ece7453e9bc7d6f62778826391838aa0ee2a20bd0d7

SHA512
881342ac0792d16a3ffacef4eeaa1ba80a89cc14a917e476a781087ffe3fd79f89dd6977d44e54ea1bbe92eadad5071a81b98aa62b9e03b48c1a2fcc0a8ccd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\masQYYcY.bat

Filesize
4B

MD5
4560d1b9ecce25e39f08b89386cad9b1

SHA1
400dbc4d1201be3f23b7f9dcdbae287b05e19dca

SHA256
cfdc41572f8c711c44eec0f202324a5efd06f9fe931c96d469a5d0b5216b262b

SHA512
81ebdfd631064a817fbb60e446abe8bc09803d30b20f953f2eeb6ff26b98594dcf62a16e418bd416b04d8c1be3e2447966c0b01de719044a03fed5261190f69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mggI.exe

Filesize
574KB

MD5
ae1b5fada3a7772871e0055fd123c6dd

SHA1
395515c2ac7da144bac8b0903e1af8caf192e701

SHA256
98be820684d98a9c330d7468827c22b82179b9b6b85725b6423ede70748fc32e

SHA512
bb2b0059f163f7f0ab248b5d5a0c84befab7b2d22e75ae9334d44e3dbd3931526d75bf212a8a42a4e1396b4e77fd462d2065db861e0f84b81ad457d6b840ad1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgkE.exe

Filesize
194KB

MD5
172a334840f7655f98ccb2fbd7063f02

SHA1
60630af3a932c8580870871b84eee8110dadf7a1

SHA256
cb7b0ef7a63ef8f6e94d86da58f51289c3a47cbcee28089faf92ac39a736ab46

SHA512
6b1b414566ec35d1a210c03164a621af01d03bc2356580c522403bd646fb725b1d09b057f4f99ac98150c35595963011d030b3ff29b8b2e9fbc57fd078103ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\misAAwQw.bat

Filesize
4B

MD5
bc1e716f5eda605f6cd443c09b428f63

SHA1
0807de5f5a5f17df48617c717a29479016d3211e

SHA256
1a21fa8099b2e2d3462b4f689d8b8547e493dc0970918851139e74c7f4563391

SHA512
a3d365c283191b9b3595d5ab09c0aceac589cfb76cd050654cf7dad46f78f50a947468e2a112ee9c917ac61dbb8ebdfbd7e85eb4456c22c6cf85f4e7344378ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\moQW.exe

Filesize
238KB

MD5
91d79cdd798363997efad106cbd21aad

SHA1
a981db6ae51b7026b5bf1dd0a32237adcb22185c

SHA256
bbe0ee4994d3090c18d2a77755b7799e123a270fd313b0518bf22f959262d190

SHA512
09d348854753b0387e6d9dbf6013d3c8409da89054367cd7c16290cab307baa92beab52c8e229ad92a54915ce8d02bdb1677b061e7fa2c9a1df0a38fcfb028a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mucQsAsc.bat

Filesize
4B

MD5
fb6611076eeb81b6d7569c2f75a80f14

SHA1
b0b973a9cebe83507d252985e31d8880d7bdb740

SHA256
50f0f081bd0deb8f023d149493ee6085e93b6e4fe8bbb3e60a25b4e806cc6f5f

SHA512
d984f896940be953d95642d815d5f1aa11638f2b9f011c100d24dc76b5ee6f4b29f4735db17b3880188a275b6863e5d7d24b712648469705e9d3fc9f93fa75a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mugAEoIg.bat

Filesize
4B

MD5
0cc26111087534d1921a98d3b0e69f0c

SHA1
db58872b1d8975076efe8cb7cbab9e2a0f8b1ccf

SHA256
71727ebaa8cbe5cb40a91fbba4c1cc2c41d441add7b35ce60f2c7f8e66a1efbe

SHA512
1b032f5e82c220dbf2428ce04b498049f83c27e089e1d067cd8de554f2be8d727abfb0f9c3e5d75e93f275e98baa8e990b7c575e77a64a7a52f212a8673cf9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\myMUUEQA.bat

Filesize
4B

MD5
ad24f43f985932011318d91ca3ef8711

SHA1
b85dddb9928bb54aa9c3c7088508875c916c7e42

SHA256
43f079260807488ae110adcaa4d897c30ce560bd05c871ac59c51b9c0dcfb75c

SHA512
8773cf1fdbe0c00d7e7fb53a650570ff73ae0f58baea30c83a1aa5384d25480359cbfc3c2b9782c98ea33fcc2457787e1c62fa895bb46e113af9b045339dd6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwwUwcck.bat

Filesize
4B

MD5
09fe092345f3e45f22ec92320e234a53

SHA1
5d0defd042d6f6a5edc96d778076917987965ea4

SHA256
b0d9b947924652d39a08d156a427d321b5bf5a0532ab2f6f0062689525381202

SHA512
5e401131377d116927ef58842d1f36ad5e100156344f36d5547c3bb8ec280cf9e14707ce2490d92812e4be65265fbfb79b5db46bc6a5d2799f88b3b7e604f045

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIMi.exe

Filesize
189KB

MD5
27be7f754a2584c0e3c79121da5c4d9b

SHA1
37e9ae6c1d792a7b361a19c255e4661245e203cb

SHA256
6199811387f427390f1635b6698ae43b9e45343fe6816cdb09d5f95c0aa126da

SHA512
7574538bea99931a4281ae77cff8df8782b32fd4043d2f558c7ca47755cdbfdba3ab2923b029ee2360fd3397590ebf9992cd32d2026b2d8b5b134e831fbba0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIkI.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMAsoYsA.bat

Filesize
4B

MD5
78cc96b76484fdd98cae1f7a2acece1a

SHA1
f958dce66050e6ea950bd1eadaf942810d1fbbbe

SHA256
00d41b53eab04bf52217fbbf43e1dd6048358bfb242bd51fac6f2abce5c506c4

SHA512
8e7226e02e82af9b305ee7c31c6c8773cf74e463de6df2602d22d19ca7c711f36a02b5d43c95b8f9d9990c139949acc6ae96b426fb836776d4a8e33d05408ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMMwQUgw.bat

Filesize
4B

MD5
dc9032ae6aafbee7f0b546cad1d43a4e

SHA1
a2abc52b6ea58a608832290dd3e44bf3a693c2eb

SHA256
ba1e0f0e3500032dcb755deb10bf9a7976a81e19035b6d1525dabde4444c525f

SHA512
6133fdf48370ad3ac12de72307bb8d0a6dc2a9f7f55ba2b80e01a7f61eba262ceb26ce672fa1956f413cd6a94a7a5dabc1efaef87277813f2efcb5cdfdee5f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocIY.exe

Filesize
217KB

MD5
5989dbfd09fd46cf180bbff99e5bc758

SHA1
acb4c283d7cc07b1e90253e4d80ab033dbed1233

SHA256
ddee373f32643b406410406b1bb540c860cef64111a09346ca37ffef978b8579

SHA512
f3b9d8b0ac9b1ddb2a2460f081f792c7a9bd24a60309b2259e5066beddcad828ecfa2f337e285f8e813350b54a7cad3bdfdbeeed420e69107fce4fa0fd08dd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogQM.exe

Filesize
184KB

MD5
82b3c3326f21002952a37022422184b7

SHA1
1f7eba173a533a7446f52c523e2e92c25033aaba

SHA256
add289a5a2f232a39664f697c876e12ce7857fd63fd2bee6d0aac01f40cfca68

SHA512
5a3a921aa5bb8c7e235f08085a9db869d1a82736adc32c9efbb914372bfc95d14c650f487eec9bd4f1ce1df4c168304302e33e51853c0fe2f76e8c9bdb5b6105

Download Submit
C:\Users\Admin\AppData\Local\Temp\okwosUgk.bat

Filesize
4B

MD5
b6ea9260bd1a28375a75f08394bc1d2a

SHA1
cc54e05068baadd984f0a1e272075d13c2174d3b

SHA256
ece470ffb926e80da644caf6b6af66ef9621ce46e390205fdadfa7b37cee008a

SHA512
74b2c27f623538e65070e982f8cc0d41dcc1aa4a17ffbb132c926600b0864f7752e93dbc67433244decec4d7aac62d85f72e0b065b566748c575dc1cb688757e

Download Submit
C:\Users\Admin\AppData\Local\Temp\owwE.ico

Filesize
4KB

MD5
5647ff3b5b2783a651f5b591c0405149

SHA1
4af7969d82a8e97cf4e358fa791730892efe952b

SHA256
590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db

SHA512
cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pGsUAUUI.bat

Filesize
4B

MD5
3f6e84efb8a4bb4c05cded60d38f2100

SHA1
403283d3bb0096adab199271ca8988828f2c14a4

SHA256
dfb471208ab0f9da438fc3b5891df7d40f620f87277e9f89b12da8e068e14f9a

SHA512
905711af7f56c68f9e0fd8ff5d7818d9feabac4f3d4d2fc970d6be06302449b2b16a9502277c2efef002f48f6a2e7167b4cf546a16643093bbaebc7756309989

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMYEskok.bat

Filesize
4B

MD5
f8c01cc89049b94151ab61b4669077fb

SHA1
01fc2dd2c4dc284058302a01274e634b16200f32

SHA256
cccbfed2fe22aa4aa56a44d10279575259b0b9a04d7e9f442b06d9244d1752c4

SHA512
2dad0ebc3af94107ddb95374e0f48223dbc6324330d32f581537e1c0b2cc895718eb9ac14f03ed57d493f2837dbd3a4ba407e99f85f3c25850db4c4b52f2e5e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAEW.exe

Filesize
241KB

MD5
2595fbe4c732b63d136410bf8e734e86

SHA1
60e70ea448e32da11290ef720265e57888a033ab

SHA256
942729c4874ffb55dbf5d599d8aa304806a9a269ec00ae62c5a76eb6bc8a670b

SHA512
6b48c6a62d398fe37e0c1eb7f9191894b14c74359328ab7206ee473b5c545bc933e2193a2d081a8067789e11faede5b2befd06718a04c053b493be7fce7f82de

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAMQsEQM.bat

Filesize
4B

MD5
09343196265077875380ebbb921745b1

SHA1
6f3cd4abbdb434ba8c399b07f596169a7ef526d5

SHA256
f8b1969312bb13e3ceeadd36428df3da2e4bca9f1852418aaf7944903ae13e43

SHA512
c619539214af83cbda46a3fc2b7d96b9d8efd5bdf0ffd2f24f69128202eadbcf9ef2c943610f78ca7edce1c2f790fb46f0dd28d27aa58400c43007cbc439bc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAws.exe

Filesize
642KB

MD5
e30288d00e9d803d44c1d14120528984

SHA1
bec05584a946945b9e1243287401c0d4014a97f9

SHA256
294b2c210afb66a12440d4407f426a2ba6b43cb6e1dcced868b6d35c61d2224c

SHA512
2c2b62df3402375c3c0726fda922739a57555073d331da3f5561b90ffcfef6325586e2d8faccd758fb6ab46f7e74868c2eaf32729dbf38d6e500fb71ebe430ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qGMIwowY.bat

Filesize
4B

MD5
ed4d027db6e8d41d3aee2866b61b4eef

SHA1
f5b58c3e601534315638623aa1710735856a2269

SHA256
550181505cb32f099e5769b9082b1ed7951ab9e157ccd2a3c87786056bbaf8ca

SHA512
aaaab4371d090195c554b40a6ded3409f322aa33af4373bef449fec0129be925d03ff505aa01e82e6c0d9e15b564637387a9b21d6d6f75d20cd9b3f583984fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIUQooYc.bat

Filesize
4B

MD5
282a1878178acbb45dcd65cef11ee2a9

SHA1
fcc7b607657ca2c4f5467b9420d6265b7011bac8

SHA256
448e54b76cf6865934194da2b74c6b870011c990aed9bdc32c20993e9d62ae28

SHA512
13cb4d5b37528140bcbf49e4a1d6eb18a56871075e73b57a468959d687316781694b67bbb4003eacea11de9c4b0a7f5b746e4707b342aaec317a15ed933d5f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQwi.exe

Filesize
230KB

MD5
dec0a6234eb3231a8e78186609a30721

SHA1
5adaf6476c278437bfc9e81c92f226319e6de976

SHA256
4339d3d5401596532d3f1dda204c53b201f557f056ba7a9a546e9ca288c911c6

SHA512
ddef0321e3e2cb5dc7c92c9ba8d616968b2ee5a4665f8e1f90881bc30ab8f97e91c416a71a37d5a3e9c3144f1083df59424e609d77870b824c9acbee5b3c0d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUsAwwMI.bat

Filesize
4B

MD5
f694f0f9b191653b0e7f7e78bf53a4a7

SHA1
0270db173301b3cba0fef4bf70eac995409b320e

SHA256
9c0a061662092f6d385e67ec5d2257217164a8bb488e3ff0c71efb64dfb6dd03

SHA512
4912b547cc3a4b055b3a61f40e4fcfd2c4f627bd5e1040e0e7cfd55b95e57cb2b81194b8d2645f68ab5d87813ffc7210647f0db31893d9ed0d8c4a9c8d7821ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYgy.exe

Filesize
634KB

MD5
076893940a046e279cd0b3eb5351d04f

SHA1
d4b190c7bda52ebfc1a7ed776fff9aab875eba18

SHA256
3ca635d9d968fe329507b5fd81ea19a5a5fe09d044f04fa1109b54d56e9dc284

SHA512
b44899aa8ff162b47f383847ee2f54c9332920159e031eda57c60e386174e88eef4f6a70db8492d4fa516c2a0f60d795eed23d697d4ec6337b6e41a50e8d7855

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaUEAEkA.bat

Filesize
4B

MD5
d92ac482a59b4557c380f0ebdf2a0b2f

SHA1
947f58fa78fd6d26643b10a73470c272848137d0

SHA256
6eaf7a6d38b1aa6a2a3b850da33192680c17282623fb256d88d0aa3f3ec779ee

SHA512
7c5a1de977b41d3cdc04ed4c65c4694aff3a8de59242e8c6fb89b301b5407ecc53946acebe3543799d0bbcd44138b05951bb24e9dcc4d58d05dd452caa0a07ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcQi.exe

Filesize
827KB

MD5
5b5a95604ec58e8e1312f2545f87069d

SHA1
ce256de42408434fb3fa012316e6aecb22203bf7

SHA256
37af7dd1bd04c7a7614585e6b1039c6a4fde83919570c610af4108115d456709

SHA512
8fbb67e5162c2e2a2d5f8e9ffd751f42019158fe324e53bda7b832771c32f278b2658544e9a7b727660d5a821af18420c688a04612935e0aeadcd620ffc86853

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcgw.exe

Filesize
245KB

MD5
efa5d5f4e6e5ee4f89076fbc486f670c

SHA1
3cb72077aaafce24174c58d01b4880ef42a64785

SHA256
ef662c59cfd0215d6e537cbd92ae31bf76ac1e39c3e722b8212048004223a327

SHA512
2673ecf0112ccd468c62d6b9c31cb8c5c9f6127e403aebfb6509d03c9d179dc5e855c5e86aeb271ae0da0f3e45cdd0da2643eec18a0addd303f3bc352fc9b6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgEskMgU.bat

Filesize
4B

MD5
c3a75454ec4190e979e25526a860ae61

SHA1
c012119b85c0e5db9c2ca5e086866cdc0054b8df

SHA256
aa679d584fac0b8fc8492d4805668892e0a837e5dcbd97fbd9d947d38fd76ca8

SHA512
f8a8e2cadce37d506ec2e246a417b5bfcd7ddd625f19d420ed60b46bee27423c6907369ef7d1fea9d51be23e5b7037db3ed89ffca44061ef0805e6e3ab320a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgIwkMco.bat

Filesize
4B

MD5
682b71d0e0c0f7e5a379fcdb32815f68

SHA1
ca319543494a76623968e1c503743d55b1885208

SHA256
0df4e4ae49f7e1fa35b40165d3b610b67e105619f1fd3ccc0fe1993e3fbba1e3

SHA512
31d541e6ea7fc0125abaa850886c9dcd0e19196a88a2bc33e23332d5a0fd4f9250a7c410d08a6c5b8666f15b904043651cce3166560f48f7c25afc6effa42ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qokkMMYY.bat

Filesize
4B

MD5
de3dbdbf2287ef79bcf517e5aa764edd

SHA1
5a5cef8da001a6e933f62ee745102bfa1a79d98b

SHA256
dd4f98c0a207890f324fece1cc1f0544665c043bf91c59efbd3fdd40bdcf4f8f

SHA512
d998c0e2dcf9e2be47e0ea9d9b785b64e483ba3084ee9378637c84d48c4f22329c7fa1498d824f28d175980332be44d8dcdf4560e38974fc18c82808d9506caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsIE.exe

Filesize
238KB

MD5
d55f0ec1b2ca369632726006c5f815ac

SHA1
ffb6a85568e33abffe30e9461ec74e91efbc1fad

SHA256
24e7e163f5d080154342627e7c901ba03c306a2221cb8f8c7ac5ac265f00d6bb

SHA512
4bb3cf88efa1e91a28be82853495abbaf5f0e7ade2f022a1fccdecfc12d191222b798a09fdd4623790d43165969cd9c45a8adcff7e4c2d42f8b07e86fb897f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwAO.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyksIIQY.bat

Filesize
4B

MD5
5af7805720870f34703eeba759dbbcd1

SHA1
a5a76b7cac03ada9e6d293fa61ac5e4c53b8c81f

SHA256
41062005392225771ac1baede3c18c480ff5038da4e8b867f9dd58904ac7ff64

SHA512
5180d77bb4b7e86911d0ebb6312d88cf36921f697d96a37ef6ba6c0ebb3b70074f861a41fa9769128630c7dd1341bcbb571ae121ba3954194c15647c0a9bc4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQocwoEI.bat

Filesize
4B

MD5
b304bf9de18aa19e29e42da6f269c8fe

SHA1
b1e8b754e16302d9bb03298880a9f13056964172

SHA256
6576c0d09b59f79c5566d870d8f3c03e87f8cd30c21a033936eadeb994c2a2a2

SHA512
466c8edfcd2489e7e09ecc48ac4d48a8e56e252eebcf82f6d2b15d8205f94d62c194ede58fe137d37f00e5772040c35a7751a1bbacb3a954f775cfc1fc243891

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUIYkswU.bat

Filesize
4B

MD5
8f0b7bfb4bd91b24db427c033a0e3483

SHA1
f0aedd19641214046f7e84b1dc1b8d860eca2af7

SHA256
c976af17d41dfc84cff5a3e719ca01039c8690d76db114974756bbb3f96c131c

SHA512
e2a5c84d4acbdac8db7fd976cd25d73f399cb4757e335c867f2b03ad239ff797124d0258f460244699d2fe88dbe5019312a5f7c8672f39edfdb84e05ffbf81ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQEY.exe

Filesize
772KB

MD5
ea3ced8f6e507c3ad657d121445f73d2

SHA1
a759e345724dcadf106cf1e8c947b4ff2ce7bd38

SHA256
9fca83da9282716f8bbaa6064d816a0511a5bfdc4417ed243c7fba40f252b45a

SHA512
87094570fe36864c608ef6bef8449a1d5a177a7a09aae42792dd7a47d6d9249a43b9ac1f413d2cc02b5321b3a57dac2ac8940e08a3d48f22971387a19b755388

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQsS.exe

Filesize
244KB

MD5
1c78dbc67611723c249d1754fe85e4e7

SHA1
d7fc8e061c6a5ee193ca4f94601eb592676485f9

SHA256
1ce2167322b60a2ac2eced0282b603b27b48c28f9bfeda13cce20237da1d16ad

SHA512
ac575414ee893d01e204694d481023f7b59efbc48e9d20bc9498d5583f42717917042c16eea8955f31a563bfd0d6d41567dcd173ee870cf14c2fa6d6d46e9fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUwA.exe

Filesize
187KB

MD5
d2166c9c42a7cfb8e745bdfa5fda2d03

SHA1
3f7b89c67277dcf8df60908d08fdd5dc89e88e29

SHA256
b59f911626f7eada4d5820ceb23f2baeb15e5e5b6b69a0e274ab858d147eb0fd

SHA512
a63d1f96e1c72f55ebc771d779dc59920a62ac1b17cfcd521b330956b9de132e2726a0355f0cd9399790bcf7aa0a05027e04eeef66ec0ddba57549837213d25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgAY.exe

Filesize
727KB

MD5
229b856dc40d395e8c90659ec845f478

SHA1
b749d193386b9714591c879d688fab14560159cb

SHA256
fb92fe0e445af97a677ecbc5fbb36c6e5dea5754b3719de697e14b39c2a41023

SHA512
1cef0d27483d63f55f16d9a36f4468381fcd1479f1711144486d531f95c9bd27659a18bc7acf6e50733732775fd08e97843fc13a6619a12ca1ce06db8a73c1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\skUUMIUc.bat

Filesize
4B

MD5
a5bebef578a40e4e21ef889fc3743fef

SHA1
6414a694903a54581efeed8460a0a215f7f87590

SHA256
89c1f3bbff171c95954d3c2d1e3d95abcda8fbfaf454507d15e9dd805675fea9

SHA512
11151a425da6f0fe9808b6853f073a0afbf7614141e0e1aa48653f5bae5e014296550922c12061ee00eab3753359742bfd04236193b05b794ce54c6ff22f4ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tGEUIYIQ.bat

Filesize
4B

MD5
684d4fc9fd9314f308f95780a25630a8

SHA1
39646787a1e88a8a2c26fa3870765d766aecbdd2

SHA256
33b8ede335b9b1f4aae86d3c2c8f87b3d4336f56f4195b79953781aa1406e457

SHA512
dfbecca1fedec02494c2898bc8e7108779deb61aa8863f1716e882050a67d0c79903f4fe52f7d3a4ebd7c470a8914357094e4470dcf7284c98ddfd091662c0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tSgQAwUA.bat

Filesize
4B

MD5
cc10f682b268d836fb1f555d1ce747a4

SHA1
29749f4f8e81d044f884ea0c6b0d88542a958d55

SHA256
14782880891fd1123838375c56ed20011569a2411fab4545b076cfc2f1e88317

SHA512
7a2a8da9abedeec9a3418a153d3449fa1a4fa6a796ff4d761553a78fab13b19fae2b09b4e9eddb6ce5bbc85e9482b770520ea82f7e80ff0330d44ddea9ae9502

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEYi.exe

Filesize
234KB

MD5
c7ff6afe23d05a2c9655510c128aa762

SHA1
1bf58af0c2fe546a6b87de5aa6e293e27354d2d1

SHA256
d1cdc94f328a8c317614573b3199548996778c502ab920a289c3798a73330504

SHA512
ae23cc6ae1c7a51672dcd0c4d9876b06e27604addcc903cdd047996415efd36b99b47bd1ef9e9c7041e14210ddde9c6a938971f9ca0954d4049573dac48b8d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMUo.exe

Filesize
250KB

MD5
ef73cf989dab236fe7a216eaef1a1f2e

SHA1
d0619f112bcd926ddcfe2b2c6f146e17d48e42f6

SHA256
757331ce7b08852e89996185d470a5fafa9d50bd99fe1e2b271aa69af16d52f6

SHA512
3842975499e41f43827b10e9a3abd22d55c2d2971e4e296b7b689c5ae6a98c94965e5024d486e9657fd6dc3248ce6ab0e4fb85aacdc84ff191098c383ea6ca2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSQUIEMw.bat

Filesize
4B

MD5
ec9a9dedec75461a33562b69246d0930

SHA1
2d18a7b3fe7a4b0dac73e967e58e9ec071eaa38a

SHA256
351a1d5c2ab1bb67bccb20246df313f594a57a8b16541824576d09b324a8be38

SHA512
ff6eb7c7d3daadbaafc87b537292a5afac6a363e8d809f156292f53ac71a40d2b03cbb70f370f1ffaada4608ee21111ec08dd52c0c0527bb62dfc026807f32dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uScsgUsw.bat

Filesize
4B

MD5
e1b68066e2c1f923c87c3fdd9dd23e33

SHA1
bcf1a0be3a055c19a3ae0f46948e088067c583df

SHA256
2c5a6c8c17c691e8a6a2f3828489fb76635c326730bfce151b5439255626a508

SHA512
9bc1284e21b6d2a374959c1aacb3c4463aa43a53630d5c9e9cf37321b19516615214db5669c4de140f480ace67598385313fc04f9b01aacea17f98de4d76b2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYQE.exe

Filesize
201KB

MD5
1164921c62cb17a267e3c38dec949540

SHA1
1e4d68ba2ffc5f553b9400f345f262de701429e1

SHA256
bc001489e369dec419f9ba6e647487b4be4a3f6b8109b9699c2d5ed9a83365de

SHA512
55065a4c5ad9c865cd2b0cd0182a682dfec17173ba96b3c0aa086985c1bb66c9610547e44fef9793000d13b6c26cffce21fee4c52b54e6e507734d2a92267e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugAY.exe

Filesize
226KB

MD5
dcc6328bf1ff0a9930227373e435bf40

SHA1
491e03401076a4cd8ce7502497d6b1b8e11422d4

SHA256
cb57261f15992789ec9a1b0979fcac15e5fda47450a68689b637a4656d2c98ad

SHA512
fd3339fd19f90dc4a811672e1fd82a8831c1790e8404f7cc2b5d006ccfce52f4ad28b8cef27a2506e35597aeaf332e2294b39f0324912a4c123760f491013101

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuUcEEUk.bat

Filesize
4B

MD5
4dd90c4c7e957feb310bc3a39b706b00

SHA1
f33d10aa7ae3db619a65688dbb4c927a140c63b9

SHA256
f6772b12cd374879b8e51549c2a38c2abffcb29432110cd256a18ad45461ec85

SHA512
2d141ee40f56a4bddfeb5c1747712788d888a439fc2f17d803c6c566d6f3f733209829a1099fff85c46a86afe732168a2d4e4c22a1898266e6ec815481e43fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vSkcYkMg.bat

Filesize
4B

MD5
a8ed8d07114e4bdc09dcd0e28cec60e2

SHA1
efb0bfe4ec2ad4ad2284634e1173dddfe2f3b124

SHA256
650365d509e7ce4ea37dcb7caad4a07ee523685ce854826f4c20dc246738632a

SHA512
edc65ceae89f0ebdcf57a14948c6e82c9351b6c149b0019b557f5c1617cd696c642fd02ec8fbf6368e0d12658763d0feade279e497723695f635cd67d849780f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUEO.exe

Filesize
688KB

MD5
d6be457e2e8e2fd40bda1ce855e63e5a

SHA1
468f9d6da56228f997044583e6b15dfb593b192a

SHA256
9d6fb7a8f458058e8a691ad4b706e6e075fbcf1dfe045ed4377461e9cccc7764

SHA512
1554388861e017fb9a14acc637b2c71823958c2814eca290f5b5c054af6153000039570db37eed4359c08763c5a3bb30754d3dae1dc34dae2b669d57d185bd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcAY.exe

Filesize
185KB

MD5
03925c83cd5e9f90de275240cc4b58ea

SHA1
8f753492929729587812a78deaebe3514c400fa1

SHA256
b1573fd6232ee14dde1a6efa185875963ec4e8a04e57f79f0fd63822cdcaff7f

SHA512
784b955a7c5ffd1772f81582321358aa69e0ebf85052b2249711d46b708e6ce2801d8a49a11159ca0d9f4dff453989a87de51a1797ad5fdbf67462ae1fb66876

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiQcYMkw.bat

Filesize
4B

MD5
8c5f41b17f580b5b6f6a58d37b445aa2

SHA1
96e0f26020e641c629643df74e9d432be86624c0

SHA256
060d24a7d4fe4979ed82e0f65bc63004350ade78109d983de6978c1bff2c152e

SHA512
e5c172c7c0b31568eeb8ea963d180de65a0139842158c8315f11fc066afec9cb215b6b817132d0f7f4bbdc1dc7fbb770d7e777651cea14896214d3c4db79437b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkYW.exe

Filesize
647KB

MD5
9a8edb55d9c3b754f85c509805d4ab38

SHA1
579cdb8dec69c5218d5c5f89caa7c53672c5089b

SHA256
b8b186885782ff0ecf27aade7f7a984bb60e7ae5ede3af01159bffd154006553

SHA512
817dc7125c4ff91a85e24b790aaf0301521a5986ea4123a9e9848ff1f278bafc8d868b3036a7f95000045ed15ffcd8dba8a9b2f62089e9650cf8234c7b7a56be

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsQAEQgs.bat

Filesize
4B

MD5
6642bf21f4f084828ecb4387c99f4342

SHA1
1190ace0c2c370e292c33a0def4fb49e8b86c81b

SHA256
381bebd47dbf1fb948681279eefd4556cc61c0fc4b5c46ae88f7ca84d58b69da

SHA512
148d5d1d8029e27d9ecbaf93217f532cbd5b5348d4caa1e27f4ce33641c5a86f642a33383ae3bc2109a8fd51e26b076ce96dd2f492cdc3ad76f255bbc08aedf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsQI.exe

Filesize
230KB

MD5
6d7dd65c2ebfa179641c88c681e40e1a

SHA1
66a29ee2dbc13eb8499e21b561c0ac8cd769acad

SHA256
cb120c81798c6625dab1391a3b165e8daeb38e224adfd441bb4a23326b3ccc55

SHA512
1bcdfc44764edc5a3196bb077d2ffd75a2f0a2126747807f24c4f9c726bceefe67d320784b405ec480df266c7391a83ee1dc2d8d021438e73150caf4c5ccf7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsce.exe

Filesize
252KB

MD5
20b083c39c77bc1f3bad6b155493aff6

SHA1
fb21ef47a6a0595e9ca23434d16a902d6f291149

SHA256
ced5e147cdc40348e864f9a4090a2d1c99c25161c3e4ee7e19a8b004d65d436a

SHA512
7c350a39bfbb6267ed732c2fb809df964ab5c6f9fa57a6ef8787db14edc69c178d118f63bd6860f3d9b89b6f7c43cf6f7b6fe8226571ce08bbeacf8e8dcc3370

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwAQ.exe

Filesize
634KB

MD5
1f3c02cd9f3cac6e7fc4a59776e1846f

SHA1
62640b7ceddcd74cf7125985bc3856cd1739acb3

SHA256
f21bf949223a39b38bad2fba92b7e1bdf61c1af930104a8629f2775cd778c530

SHA512
36a6c2663e747100ad3811dd042f9fc5f97724f406bbe13395f48613932f5d3c397721521f27b4fcae78992e35d64abcc01be38e4b4b73abedef590b9c6ecbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwAy.exe

Filesize
182KB

MD5
e2d9f54c31d30323c82102f49c13adc2

SHA1
8be66ee8ee7da2f7da92d832cbc6815f22e169e6

SHA256
7814e2578d52a3fb5ac4c43a1e532a486bfd69e7c11af13713b8a9b51e0aa743

SHA512
63088bbdf8ead01d8ae360947ec20307d4f85c4b6038b3e8ac03314c882665742dc088247ce1e8c19d7bd13b0a834b56478eb11de76794229e5f002a0d950509

Download Submit
C:\Users\Admin\AppData\Local\Temp\xWoMcocE.bat

Filesize
4B

MD5
7af25f7125ea819d12a20aa97215f6d9

SHA1
c1103c5bdef64417f26906ccd2a9fe1e3e229bb5

SHA256
de19c8c485e182ddbb2b12fc4a519fd68dfd26d94a4452e8e643e602a0dc9c4d

SHA512
dada4be56b77fd57edb310f0e9047c293ecfc1239fbe9e2ee2262b9d2209de0ae35c578639a061c9d09b65db4c5531b1bdf67a58773caf70facb492ccb1befd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkYMIAQA.bat

Filesize
4B

MD5
1cfc70d0abf8c9b04351128b66c5627f

SHA1
e997242dd489bbe6c9337bc73a71d9dc4107bf96

SHA256
e82ec2b70358605f3e0ddc15d5cf68d28b80440bfaf722b5ccb5f41aabf8a185

SHA512
fde246d322b6b2455454f1ad200da7e12a6b4ca1a299542a9df8e8512be71b4e4f66f8f00b38f24845af60f48930a0729720cdcef707223d5460d3f4f4efc212

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAQa.exe

Filesize
730KB

MD5
b629a6a27b68a8e1d9e7457c7adc4eae

SHA1
68d264546d1faf9a7efb58e3dba431e212236898

SHA256
7e8dd24e46ad929c395aab22344c09b69a6fb9fd1cccfbee1ac2cea7a08afc3e

SHA512
92743f7fff1867fffb57546a3b89c83439a9f17e611184eb3e9219e6d98ba8c1e3904cd368f55811f2be43ac0760291a82af6438ffec139c9412fc74ee695927

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAkY.exe

Filesize
232KB

MD5
3abc23a06b6bee1c4e92350449e3c322

SHA1
a5d07c278401c759092aa733bb833f941bb986ea

SHA256
2c7e7103fc0b40e30e79511c5304b7bc61b391711457cff02e4b6708e08b1156

SHA512
8f1128bfb9911a563cb3139dea88d5ebbea8d4727ccb06fe252f6ee84606a22867b112b5de91f42dacc6228f99210cf1f41db40521010157b32fc4e2817425e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEQW.exe

Filesize
237KB

MD5
4e97a2cb03fc416bb885aa5da1437251

SHA1
65fb34fcb554cd8584ad39e0aa8540b92d6238bb

SHA256
8846ef8d85daffd9e228d8a0851b754ae713a3834fc691da4092e152e4a7c959

SHA512
7d60e19e216b1ec10defe99473096e69af207f282861fe105b0845eb11556d23296d9727eabbdb60c9724f67c938517a5d953b1df2729a5aa97c70be4d5bdd5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIIo.exe

Filesize
314KB

MD5
9950b36437ca0f159dc5cf99af70919d

SHA1
72a442c94fae079674b7e42ab049243cac2831d4

SHA256
dc15d2c3eb42ea49e75cb8d3cff7737e54fd3a8ab9370f55e0b4d6347923fc22

SHA512
2dc3278a4daf64bc474a4a181dfd8be3f837903e2f145df4443d4f6a7be3cf4461876e6503e575d0211b37c2844ed0444806a3ce78c72a398f3004ac1bdc11b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIoM.exe

Filesize
227KB

MD5
8c9024c640db660ec96ca5d55acb746e

SHA1
d224e3c95e10527ab2bd1fdf8f1e7c8296127b4c

SHA256
6ef2fca81c4db6b5bb309f7f2af1385fe2a2b3f3227ab42eae0425151f66a525

SHA512
aa75057c725fc4b04c5fd08b9ac9a7bafe0cafe599da32acabb68303fb70bf38f5db28f3995b9e56b26f8cd61b637c6171ccdae8a898d02fe9080baad544805b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMEg.exe

Filesize
191KB

MD5
0da7cd029b8e2dc57c4afea342595886

SHA1
0edc0d20765c823169cf17600173d608075f3026

SHA256
b4516fcb42fbe1c9a834d13f7f72093a020ab46bd888afe090fa963fa7c3c38d

SHA512
44daaa092ece1b311390990d5a3423a7db9df7f7f464387364223cf0e04ecd4c48fa4400c0a9ed908effd79b73249ea433d98a5b3451192879f09c60d36734dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQoS.exe

Filesize
735KB

MD5
61731603831559498d96bc66ebd7f89f

SHA1
10aeb06a01f8a669be0123e8f05ac5b7d3b213e9

SHA256
8473da2f75badc6bdd8cd967562f5837edff646456c338f0332a3b06639fbcea

SHA512
0f6e01099b9c79c8bccb85e94c6c65359905c030647b03e73844ec088ac84252af3b80d9e794dd2f689e0b81befb53a891a1f28bf057042d86351acef10cfc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQwm.ico

Filesize
4KB

MD5
e1ef4ce9101a2d621605c1804fa500f0

SHA1
0cef22e54d5a2a576dd684c456ede63193dcb1dc

SHA256
8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0

SHA512
f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYQIAkgs.bat

Filesize
4B

MD5
b65ee0775b9cdee1ebf6d07661fc7422

SHA1
fa7b785d2c8ed85c03debe044a1eed224fa25feb

SHA256
43bdf9522193edb127c02c371ca1c71f14d7d605ec9d6423de4d55e4a401fd00

SHA512
5191d0e1d0bd165b7bff21a7f395e78881c450e9159ee220df9faee8522d82299af18117b65f7f7ebbf7e26baf833c7b793f2b324f177eccd5ee10b03923211f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykoe.exe

Filesize
242KB

MD5
ee8a3c427db7a98807ee7cf7fc3b1242

SHA1
13a15119dccd309ca87157de389ae9d369c348f4

SHA256
9396b23b83416dcd8adee59a1f7e10bb98518bff07cc837f506c6b2453c54fac

SHA512
413db65280a973247077a24d3f0eed860cde5d05aad5ee4cf69dc2285ed88b39a60c9259aff6275067a5227aae450cfa355ffc27fffd41c47d0c55d99d116586

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoEk.exe

Filesize
244KB

MD5
1e33a1a3ee7467870def33b52ed6fb80

SHA1
8eb6cfd96259743049b3b7be9eec3b57c02e4bd4

SHA256
252bf5816cd7dce855aac1a39584479fdd6a321ea20581f4b61ebc32e283d105

SHA512
b4cd72682d8216c18e64ca1e8011085f6ce6faccc16be27cdf43a99de14f1711326667e7a1d98554187897c4337359fa18e473a16d28331b7fcd9a730a1b3852

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoEkEYUk.bat

Filesize
4B

MD5
289b59420ff21ae9b17eb6323e5c8f07

SHA1
7d13bec7073032e09dc406f9bc3d26d17885a0d3

SHA256
546da03735b54c0e215cd5f9f81de9aa917c778fc4155603867a9928e4f47daf

SHA512
c7d4102d40bb4e84963a8b10e3d95ae2d5ac8dacd62c072f153a0d3a7738546ef6089d19c266dbb9a78f1c8c2ace85b965c887a82f878d9a496e36f29b0b7395

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywAS.exe

Filesize
246KB

MD5
c34a3ec529aa613cddb077a2bd0551ed

SHA1
e6c24a3bd4b19de6b2fa100a066e5a261b9b40f7

SHA256
83d5ef9c56fe16fc7bd0f66bc45d0f4f167d51f4e997501038a82ad0413fd4d0

SHA512
9b2b9f7db0f6f6d5ca8d0b25edaedb669a92191ec41a95babd29780d73e95a22a90be20cd620f3a91f2c8fa502a3c783871cbebb1f27a596b22d5d4248945973

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywQg.exe

Filesize
825KB

MD5
73d71f7c711c5e7d5d4fa5b6532048c9

SHA1
050899c5d131449da7a6e33e0fbdfdb81e387f5b

SHA256
b3b2748034ab8cf679aaa68bc1669c68d8e2fc68cbd05c30c3957d6199428ea7

SHA512
4f0a8dd103b37030849fe4fdb8d4613b59ce1860aec854bea5235adf114a0d16b56aa9db2764bb4d0f40c153c840357d79e324bf640a5ed6293a8a4f6657bf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zGsoAEYo.bat

Filesize
4B

MD5
6dd250172902e822f376089e870589c8

SHA1
70d7ab0137dc8e68e5d2f95403d576fe6a7a67dd

SHA256
ac4a3a4f240a9c36f8371d44f9517ceeff483ffc33fd7e455b4d1b6282b54e07

SHA512
470a08c8ca3e6d8904febdd40ec73c75db009e4f6fac01cc1c28acded92e98bd89edc1a2514a7b75fbd92e15d2e6fb92d3587519fb1aeabc39f17399a166bd1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYoEscUM.bat

Filesize
4B

MD5
7dac07060c056e1b4c83708869096cd0

SHA1
a640d238ed1dce79cbdc6b3c4982026e3cc7fbb3

SHA256
e1aebf518ae374d495fd6e8b08d5e316cc9af08f2cd5789979b38f01f632944c

SHA512
a59d192ae71377af0e6828c8ddf735dc4ef71433098f1e1573a5e761fd66a29461a077f7b4e4c8f166cfe6d2676eea8a37269839320f20fba3ba2c6c237efcb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoYoYoUU.bat

Filesize
4B

MD5
fc19897282400a6d9bdfdd3fc3d0592f

SHA1
677a57ade17b21fc6f2769522a13a268b8976bea

SHA256
a79dbfd4d30b087d45e80e06ddb4036fbaa695ee96df5b1e1b9356d2821cffc2

SHA512
b9288dc11a697022b41c4821c3f952284c9c3eaea6fbfeea06ed6a8b49427395f4aae1d5cfe632a52d21695292d9582e132065e8621987484bdbea38aa9bc4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqUsAEkw.bat

Filesize
4B

MD5
4ec44928df38fb10e2394517e7282317

SHA1
e8f4524e50b56080fd40bbc9c975e5393dc47ad8

SHA256
3deabb9becd5ac45427a54ea863fd4f9e9bf18eba2446839512bf50e83415b78

SHA512
55f11c1564ea992e25e7bad00499c384aa7f9ff91968b68a3da59c12d7f6d7b0eb2fa9d542924a47cfa08a7134e3ff3232c8f4b2b45a11361ffb5665a74b349a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuwMkIAI.bat

Filesize
4B

MD5
56afd7df41edded304184ee0225d229e

SHA1
988b1f85ab846d92ae0fe295f3e9b8fae7ef35ff

SHA256
51422ace71ccffbe61c4bc7df6a6860485f4e614e36a19a18811a5d9389aeef8

SHA512
ba3326aefc276b1cc6812550ee733481f43a27d25fcfd25d56e52d62ff2c80dd7d96fe4e1d0f76213196573926dcf5cfea955ed8956e542200d5598d11b92d2b

Download Submit
C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

Filesize
8.2MB

MD5
424577e47be6537ddcb76676e13c94d4

SHA1
605170e7f80250840e44c82b47c7eb1f25c1afbe

SHA256
36e60e221948e7cb78756dae6026388b02e03a5031a99f1b3c6c5e560bffe008

SHA512
c72d51a43a19cce6fe6729e8986b204b1ac514865129e12ae1c624f79625e7ea9ac81c74de7af6c7029cfa946da6c020035bfa9773ab8493c11ff5e7a0139bb7

Download Submit
\ProgramData\mOUssUwk\lUQgoUsU.exe

Filesize
192KB

MD5
347c83ac3b3d43c22a22e3d6a8e66a57

SHA1
a0380bd9a7981312b5ad5ffb13a2561d651a80b4

SHA256
4c577d94b71a6c0de0303d12cfb831c1915ec1a9efb77a9cd039b3eb654ab8c4

SHA512
0b53ef41126b503b97b0accc098b84d8b00f5f0d0816dfc1230ebb4b7b04a6c15b2a63c5b8138b7f9da9e78e82c116989c4b998fe5f1d3a620c66d64055f0f85

Download Submit
\Users\Admin\GCcQEEsY\VosoMMQA.exe

Filesize
198KB

MD5
22988123b320f389c47fe5fa5e45d897

SHA1
b170548d4db1e83a123511dc5c75b339086d825b

SHA256
ceeaf678cdadcf8b993f2edbde1e61849f9d8264d9d6cebb8b2bad92295f47c3

SHA512
c19a090f14b236aedf909283d4b241c3c8337bb643fbbc5a004bd05e799452a45ec8863f5d386b7d6c68488324fa2843d51b959bad91c980b0cfaaa9bdd8e15a

Download Submit
memory/380-102-0x0000000000260000-0x00000000002A6000-memory.dmp

Filesize
280KB

Download
memory/380-103-0x0000000000260000-0x00000000002A6000-memory.dmp

Filesize
280KB

Download
memory/468-515-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/468-484-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/700-104-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/700-137-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/836-127-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/836-126-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/912-420-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/912-548-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/912-388-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1028-278-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1028-245-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1060-650-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1136-255-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1136-223-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1208-387-0x0000000000160000-0x00000000001A6000-memory.dmp

Filesize
280KB

Download
memory/1208-386-0x0000000000160000-0x00000000001A6000-memory.dmp

Filesize
280KB

Download
memory/1284-444-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1284-419-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1328-113-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1328-89-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1408-418-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1424-649-0x00000000001B0000-0x00000000001F6000-memory.dmp

Filesize
280KB

Download
memory/1480-199-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/1536-291-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1548-153-0x0000000000270000-0x00000000002B6000-memory.dmp

Filesize
280KB

Download
memory/1548-152-0x0000000000270000-0x00000000002B6000-memory.dmp

Filesize
280KB

Download
memory/1616-5-0x0000000000480000-0x00000000004B3000-memory.dmp

Filesize
204KB

Download
memory/1616-28-0x0000000000480000-0x00000000004B1000-memory.dmp

Filesize
196KB

Download
memory/1616-568-0x00000000001F0000-0x0000000000236000-memory.dmp

Filesize
280KB

Download
memory/1616-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1616-41-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1644-4859-0x0000000077A40000-0x0000000077B5F000-memory.dmp

Filesize
1.1MB

Download
memory/1644-4860-0x0000000077B60000-0x0000000077C5A000-memory.dmp

Filesize
1000KB

Download
memory/1668-629-0x00000000002B0000-0x00000000002F6000-memory.dmp

Filesize
280KB

Download
memory/1668-348-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1668-373-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1680-549-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1680-578-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1696-525-0x0000000000120000-0x0000000000166000-memory.dmp

Filesize
280KB

Download
memory/1696-526-0x0000000000120000-0x0000000000166000-memory.dmp

Filesize
280KB

Download
memory/1740-163-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1740-128-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1884-608-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1884-639-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1916-56-0x0000000000120000-0x0000000000166000-memory.dmp

Filesize
280KB

Download
memory/1916-57-0x0000000000120000-0x0000000000166000-memory.dmp

Filesize
280KB

Download
memory/1948-505-0x0000000000160000-0x00000000001A6000-memory.dmp

Filesize
280KB

Download
memory/1948-504-0x0000000000160000-0x00000000001A6000-memory.dmp

Filesize
280KB

Download
memory/1956-232-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1956-200-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2084-435-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2084-470-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2092-460-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/2092-459-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/2136-630-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2136-659-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2224-88-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2224-58-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2228-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-324-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2252-292-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2360-506-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2360-536-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2396-154-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2396-186-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2488-483-0x00000000002F0000-0x0000000000336000-memory.dmp

Filesize
280KB

Download
memory/2532-314-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2556-222-0x0000000000160000-0x00000000001A6000-memory.dmp

Filesize
280KB

Download
memory/2580-30-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2600-315-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2600-345-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2620-67-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2668-527-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2668-558-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2700-433-0x00000000004A0000-0x00000000004E6000-memory.dmp

Filesize
280KB

Download
memory/2700-434-0x00000000004A0000-0x00000000004E6000-memory.dmp

Filesize
280KB

Download
memory/2712-461-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2712-493-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2732-33-0x0000000000270000-0x00000000002B6000-memory.dmp

Filesize
280KB

Download
memory/2732-32-0x0000000000270000-0x00000000002B6000-memory.dmp

Filesize
280KB

Download
memory/2748-569-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2748-598-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2752-589-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2752-617-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2764-364-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2764-397-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2768-177-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2768-209-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2772-176-0x0000000000260000-0x00000000002A6000-memory.dmp

Filesize
280KB

Download
memory/2784-346-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2784-347-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2820-363-0x0000000000190000-0x00000000001D6000-memory.dmp

Filesize
280KB

Download
memory/2836-669-0x0000000000170000-0x00000000001B6000-memory.dmp

Filesize
280KB

Download
memory/2952-588-0x00000000002C0000-0x0000000000306000-memory.dmp

Filesize
280KB

Download
memory/2960-301-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2960-269-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download