156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
Size

205KB
MD5

718aa9360c9b9167fba74e98a4269156
SHA1

ff2e1027a12c8be2b4efccf03e4bc1bbb934330f
SHA256

156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
SHA512

44f636a161ad26935c878d6d86368f361c8c21088339f80430e9dcdeca8eb71c345509dfe97e388b954c93369a25940fe7e0814595ebd84ac98482f322c995ad
SSDEEP

6144:IQa17oXxiEh/yJghcs8wmlWwBTy1n71+KlKbMyC5Blp3kKyHSO32xwArJikpkVOZ:I7eBhh/yJghcs8wmlWwBTy1n71+KlKbA

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (51) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation	pagkEMoc.exe

Executes dropped EXE 2 IoCs

pid	Process
1256	pagkEMoc.exe
1964	JSIYcoYA.exe

Loads dropped DLL 20 IoCs

pid	Process
1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JSIYcoYA.exe = "C:\\ProgramData\\iIEcUIUU\\JSIYcoYA.exe"	JSIYcoYA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\pagkEMoc.exe = "C:\\Users\\Admin\\eCQcYYcc\\pagkEMoc.exe"	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JSIYcoYA.exe = "C:\\ProgramData\\iIEcUIUU\\JSIYcoYA.exe"	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\pagkEMoc.exe = "C:\\Users\\Admin\\eCQcYYcc\\pagkEMoc.exe"	pagkEMoc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	pagkEMoc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2596	reg.exe
2784	reg.exe
2848	reg.exe
2920	reg.exe
1600	reg.exe
2432	reg.exe
2636	reg.exe
1736	reg.exe
3008	reg.exe
956	reg.exe
2552	reg.exe
2092	reg.exe
2348	reg.exe
1532	reg.exe
2552	reg.exe
1452	reg.exe
1800	reg.exe
1436	reg.exe
2648	reg.exe
1716	reg.exe
1436	reg.exe
2760	reg.exe
2924	reg.exe
2180	reg.exe
2688	reg.exe
3056	reg.exe
2648	reg.exe
2224	reg.exe
2676	reg.exe
1548	reg.exe
2324	reg.exe
552	reg.exe
2344	reg.exe
2508	reg.exe
2208	reg.exe
2860	reg.exe
2164	reg.exe
340	reg.exe
644	reg.exe
2648	reg.exe
2496	reg.exe
1556	reg.exe
2456	reg.exe
752	reg.exe
1756	reg.exe
2344	reg.exe
2780	reg.exe
2824	reg.exe
2212	reg.exe
1508	reg.exe
980	reg.exe
976	reg.exe
2484	reg.exe
876	reg.exe
1768	reg.exe
1920	reg.exe
2668	reg.exe
2700	reg.exe
1708	reg.exe
1892	reg.exe
1312	reg.exe
2236	reg.exe
1520	reg.exe
2256	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1008	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1008	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1272	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1272	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1172	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1172	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1304	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1304	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1180	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1180	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2628	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2628	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
468	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
468	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2476	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2476	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
952	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
952	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1312	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1312	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1304	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1304	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
572	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
572	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1556	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1556	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
328	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
328	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
484	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
484	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2196	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2196	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2712	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2712	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2720	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2720	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2796	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2796	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1608	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1608	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
828	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
828	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
320	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
320	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2600	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2600	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
908	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
908	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2796	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2796	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1656	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1656	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2004	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
2004	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1908	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1908	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1304	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
1304	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1256	pagkEMoc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe
1256	pagkEMoc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1256	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	28
PID 1920 wrote to memory of 1256	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	28
PID 1920 wrote to memory of 1256	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	28
PID 1920 wrote to memory of 1256	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	28
PID 1920 wrote to memory of 1964	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	29
PID 1920 wrote to memory of 1964	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	29
PID 1920 wrote to memory of 1964	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	29
PID 1920 wrote to memory of 1964	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	29
PID 1920 wrote to memory of 2640	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	30
PID 1920 wrote to memory of 2640	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	30
PID 1920 wrote to memory of 2640	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	30
PID 1920 wrote to memory of 2640	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	30
PID 2640 wrote to memory of 2704	2640	cmd.exe	32
PID 2640 wrote to memory of 2704	2640	cmd.exe	32
PID 2640 wrote to memory of 2704	2640	cmd.exe	32
PID 2640 wrote to memory of 2704	2640	cmd.exe	32
PID 1920 wrote to memory of 2688	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	33
PID 1920 wrote to memory of 2688	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	33
PID 1920 wrote to memory of 2688	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	33
PID 1920 wrote to memory of 2688	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	33
PID 1920 wrote to memory of 2648	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	34
PID 1920 wrote to memory of 2648	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	34
PID 1920 wrote to memory of 2648	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	34
PID 1920 wrote to memory of 2648	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	34
PID 1920 wrote to memory of 2616	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	35
PID 1920 wrote to memory of 2616	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	35
PID 1920 wrote to memory of 2616	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	35
PID 1920 wrote to memory of 2616	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	35
PID 1920 wrote to memory of 2524	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	38
PID 1920 wrote to memory of 2524	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	38
PID 1920 wrote to memory of 2524	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	38
PID 1920 wrote to memory of 2524	1920	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	38
PID 2524 wrote to memory of 2492	2524	cmd.exe	41
PID 2524 wrote to memory of 2492	2524	cmd.exe	41
PID 2524 wrote to memory of 2492	2524	cmd.exe	41
PID 2524 wrote to memory of 2492	2524	cmd.exe	41
PID 2704 wrote to memory of 1692	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	42
PID 2704 wrote to memory of 1692	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	42
PID 2704 wrote to memory of 1692	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	42
PID 2704 wrote to memory of 1692	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	42
PID 1692 wrote to memory of 1008	1692	cmd.exe	44
PID 1692 wrote to memory of 1008	1692	cmd.exe	44
PID 1692 wrote to memory of 1008	1692	cmd.exe	44
PID 1692 wrote to memory of 1008	1692	cmd.exe	44
PID 2704 wrote to memory of 940	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	45
PID 2704 wrote to memory of 940	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	45
PID 2704 wrote to memory of 940	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	45
PID 2704 wrote to memory of 940	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	45
PID 2704 wrote to memory of 1452	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	46
PID 2704 wrote to memory of 1452	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	46
PID 2704 wrote to memory of 1452	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	46
PID 2704 wrote to memory of 1452	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	46
PID 2704 wrote to memory of 1572	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	47
PID 2704 wrote to memory of 1572	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	47
PID 2704 wrote to memory of 1572	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	47
PID 2704 wrote to memory of 1572	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	47
PID 2704 wrote to memory of 748	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	48
PID 2704 wrote to memory of 748	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	48
PID 2704 wrote to memory of 748	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	48
PID 2704 wrote to memory of 748	2704	156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe	48
PID 748 wrote to memory of 2136	748	cmd.exe	53
PID 748 wrote to memory of 2136	748	cmd.exe	53
PID 748 wrote to memory of 2136	748	cmd.exe	53
PID 748 wrote to memory of 2136	748	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
"C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\eCQcYYcc\pagkEMoc.exe
  "C:\Users\Admin\eCQcYYcc\pagkEMoc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1256
- C:\ProgramData\iIEcUIUU\JSIYcoYA.exe
  "C:\ProgramData\iIEcUIUU\JSIYcoYA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
    C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1008
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        6⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        8⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        10⤵
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        12⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        14⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        16⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        18⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        20⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        22⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        24⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        26⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        28⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        30⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        32⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        34⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        36⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        38⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        40⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        42⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        44⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        46⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        48⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        50⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        52⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        54⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        56⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        58⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        60⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        62⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        64⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        65⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        66⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        67⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        68⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        69⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        70⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        71⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        72⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        73⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        74⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        75⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        76⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        77⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        78⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        79⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        80⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        81⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        82⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        83⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        84⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        85⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        86⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        87⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        88⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        89⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        90⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        91⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        92⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        93⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        94⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        95⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        96⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        97⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        98⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        99⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        100⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        101⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        102⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        103⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        104⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        105⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        106⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        107⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        108⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        109⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        110⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        111⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        112⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        113⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        114⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        115⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        116⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        117⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        118⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        119⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        120⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        121⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        122⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        123⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        124⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        125⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        126⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        127⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        128⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        129⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        130⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        131⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        132⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        133⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        134⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        135⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        136⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        137⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        138⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        139⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        140⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        141⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        142⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        143⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        144⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        145⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        146⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        147⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        148⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        149⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        150⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        151⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        152⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        153⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        154⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        155⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        156⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        157⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        158⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        159⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        160⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        161⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        162⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        163⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        164⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        165⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        166⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        167⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        168⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        169⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        170⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        171⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        172⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        173⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        174⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        175⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        176⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        177⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        178⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        179⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        180⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        181⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        182⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        183⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        184⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        185⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        186⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        187⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        188⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        189⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        190⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        191⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        192⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        193⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        194⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        195⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        196⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        197⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        198⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        199⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        200⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        201⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        202⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        203⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        204⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        205⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        206⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        207⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        208⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        209⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        210⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        211⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        212⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        213⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        214⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        215⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        216⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        217⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        218⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        219⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        220⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        221⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        222⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        223⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        224⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        225⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        226⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        227⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        228⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        229⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        230⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        231⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        232⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        233⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        234⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        235⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        236⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        237⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        238⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        239⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        240⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        241⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        242⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        243⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        244⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        245⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        246⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        247⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        248⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        249⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        250⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        251⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        252⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        253⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        254⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        255⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        256⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        257⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        258⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        259⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        260⤵
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        261⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        262⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        263⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        264⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        265⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        266⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        267⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        268⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        269⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        270⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        271⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60"
        272⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe
        
        C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60
        273⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        UAC bypass
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        UAC bypass
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ymkMoIAs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        272⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECcQMocw.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        270⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        UAC bypass
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eOowQIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        268⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        UAC bypass
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUwoEMIo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        266⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        Modifies visibility of file extensions in Explorer
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bUQwwYAI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        264⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        UAC bypass
        Modifies registry key
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAAkUIAE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        262⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYooYogc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        260⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies registry key
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        UAC bypass
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fkIQgMwc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        258⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EIgAcscs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        256⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CuYYQEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        254⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aWMsEUkc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        252⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQEAUIwE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        250⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        Modifies registry key
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RGYIAkQc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        248⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        Modifies registry key
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nCQcQAYc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        246⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fmoYAksw.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        244⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqksAsMc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        242⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies registry key
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MKUoUscU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        240⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UWEUgwAY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        238⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies registry key
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aQkYgIgY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        236⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        Modifies registry key
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OyEwocEo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        234⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DaccsMwg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        232⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BgwEgooE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        230⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqgIsEgc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        228⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vmEgcEkU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        226⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        Modifies registry key
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UmgUEwQM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        224⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wmcgMgQU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        222⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iuYQggAI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        220⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iosoAwcI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        218⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NQUIMYkI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        216⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hIAkUwMc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        214⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xUoYEMEM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        212⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lUogcwIs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        210⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iaYEIUck.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        208⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gicIEsgY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        206⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAUwcIUw.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        204⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UkMgIUIU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        202⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGMsIcIo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        200⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tIoAcQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        198⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FWQwkoAU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        196⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HoYsUoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        194⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AgMIEcoE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        192⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wKUogUwA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        190⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iMwIEYAg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        188⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YssssYsQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        186⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DskYYUQc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        184⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGgooEUg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        182⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DisgIYEg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        180⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWgIQQUo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        178⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WgMEkwwE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        176⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QQEMQIYc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        174⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EQwcQUEU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        172⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IMwQQIUA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        170⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XssgokIs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        168⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pwgwcIcQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        166⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LIEAwgws.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        164⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAAkMkQs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        162⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        Modifies registry key
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LoUIcAMw.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        160⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cWYMMMMA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        158⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QKwggYgE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        156⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wCcMYcMU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        154⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KmcQgckU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        152⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sIwIAAIo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        150⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DiYgAscY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        148⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCYQgQwA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        146⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGUAMQEE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        144⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XYsIkEIA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        142⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iuMkcgQs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        140⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yuQoYwYg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        138⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kEoYskcQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        136⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KMUIUwks.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        134⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies registry key
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LEIMwMIs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        132⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LyYYAAMg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        130⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jkgUYcQI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        128⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMogcYYg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        126⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qMAwIgQg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        124⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cwoYAgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        122⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwckMIkM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        120⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MOAQEYgM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        118⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fEMkYYUg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        116⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DCgYYQMc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        114⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies registry key
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        Modifies registry key
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dysAcsow.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        112⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NQgIUIow.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        110⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uigoAIYU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        108⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oEQkMEIg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        106⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmYUoAQw.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        104⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wAgcwQEo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        102⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies registry key
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwMMIEwM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        100⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LYgUgEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        98⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        Modifies registry key
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWMAgUQc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        96⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCsYccUs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        94⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zukkYsko.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        92⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eiEYcgEU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        90⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogwwMkUo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        88⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eOQYsgEM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        86⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies registry key
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WQUcUYMc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        84⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QMoAwkIU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        82⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BSwEYwUc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        80⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        Modifies registry key
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tcEwswIA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        78⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nsooIQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        76⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PkUUwQso.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        74⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yEgkwQAk.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        72⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oIgUcwcw.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        70⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ysQMsUoA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        68⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cAYsEEIw.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        66⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KWsQEYAU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        64⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RoUYkwck.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        62⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lUMQoQEE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        60⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwYIQgIs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        58⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DkYMwssQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        56⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WYIgkIgo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        54⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sUMIwUoI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        52⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYwUsEoM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        50⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGcAAgoI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        48⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ugMgsgsU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        46⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgAcwswo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        44⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYMwMoEs.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        42⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies registry key
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PGQMQEsM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        40⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\leIswYEI.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        38⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zsQUYkAo.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        36⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEwMQEQg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        34⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SIYQwUkc.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        32⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYcEwwMY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        30⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AmMIUYEY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        28⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vsoAgwoA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        26⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FUggQMUY.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        24⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FsQsUckM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        22⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xUoMkMAw.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        20⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOMcAoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        18⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIEgQosk.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        16⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CsYMQQEg.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        14⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sYUQEEkE.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        12⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CYUUkUAk.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        10⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMYgAoEA.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        8⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1616
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1356
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:620
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1228
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HeYkgIkU.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
        6⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2224
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:940
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1452
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\LycgUook.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2136
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2688
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2648
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DgAAYMYM.bat" "C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1431859794-607821202-19479188561218572113-604286347-183101610429571968858320613"
1⤵
PID:1712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1199382258-95603123019540744887026513781137592894-1884964122-21138624431346176539"
1⤵
PID:1012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "23822893110303447491014280274-1750909946-157308926515283941807486131231461765540"
1⤵
PID:1692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4460525661417772158-1689998327-20980037241693590958481089335-688545567629951858"
1⤵
PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-476656585-1267201525493869196-2005736529-119428934220370744281052358768-1190969328"
1⤵
PID:2788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "804042505-1709876774-2108121825-491563971-1108048090-1367560533618346908-1096099875"
1⤵
PID:2640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10582492523747285731112401108491224714-16326508951832684161-18310453645752539"
1⤵
PID:2560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1636770607-87488336011932473931129596358467576043-1656404524-1166413046-712292533"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1826535216-6717101761801030755-1373422252-889542215662484226-919895025278198776"
1⤵
PID:2788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19896606102203289531062371898-146065811-19733846531739749286-1505256767133643128"
1⤵
PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1699368402-1220489503863216724-4347135232023881823-598156180-2621702401798721611"
1⤵
PID:2388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "249986329-1313080214513502386-25855632113371769271541072504-297699735-58905254"
1⤵
PID:2368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1224614436676476696-1406525291-1101998225-498019537-1478551489-6114437521082443486"
1⤵
PID:664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-154755084-1087213194-459705603-2056149000-18004016041977519073-4786646291356178758"
1⤵
PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12721358481762582735-20198091821048777608342202004-1743383358166228395-1612679722"
1⤵
PID:1712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "746608038747176459-8485025401486828597-1746616162-98456438610381151081614951005"
1⤵
PID:1600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19750791911408658262-1834577928-1813337687-200359046-343324907-13917903591098103358"
1⤵
PID:2292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "973442374-186148486636539528-67413212315058406191646157673-138133220-2067761690"
1⤵
PID:1016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "297165691-86050613020349288201046575934-3915042121435073884556440520-1183014834"
1⤵
PID:1528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-73551217511665117235237605271563793841587991977-20740548231833076403-1550233526"
1⤵
PID:2452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2002383663-1943426803293490494-9881089441518697039-1452053629102872653-240914032"
1⤵
PID:2224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "76199762-1587706464-138107733-1268785858-2044900230129179212021003433077366287"
1⤵
PID:1028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "346299516-13681464171103110463-396636598-954804947802249418-820282670-413333947"
1⤵
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13579746181750256283-1362721183-1844727407-1603374447-142576971611575603831326288548"
1⤵
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1999876012-27963999919372845711268072594-13705115841933394887-855688316872066389"
1⤵
PID:308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1637894271-1077321729-146076031588288659-398138416-9236384681613877656419717392"
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18012480581322092316-1283080930-1575301146329600077547207889-5994377681302889574"
1⤵
PID:2844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2045092424-188506373537339481286047224-19660348153009683081714485071820545094"
1⤵
PID:2108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-26417669-602381419-102136216254717060213959170701726053444-8196093051339420680"
1⤵
PID:1520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "888256262150671759864859332-2926279661692478598518840828-919196721532716610"
1⤵
PID:2308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-984264085-12009029451864312298-1815447454-20964617-2001152442-1934690195-616345138"
1⤵
PID:2176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-373228940282032029-109666068-991259242-7542081111938261449-1575050098591990841"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-84889027419168994941240294734-1861574967-1364000253-1547499312905064481977761184"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "380215391960841766-184660183797841012658140136-127569040116865006661029565610"
1⤵
PID:2084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "257087158337632345-534413302-12862020185035055311057231997835554701136581419"
1⤵
PID:1244

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18568922354448152241087424346-1500521889-116100926819830641091353182689-956823591"
1⤵
PID:1604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16444717801543990534-1887911514711700676-172929113018382208921276369306-2061163064"
1⤵
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1163142783-327431605-1518426262-40601154114324222-790491930-245133055-755247641"
1⤵
PID:2824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10575506461668297811-86383019-6683013921719282872-1851488399-1582686366289217250"
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
329KB

MD5
5318fbeeae72d657fa9491ce03cea566

SHA1
b8a90af836a0e55eb6e41ce629666a418dfe237c

SHA256
3deb393e1f8cabd69f1770cec79898236a8ea3a1769c8e88ed46246e19bdbbab

SHA512
a6ef2cca905c86612ffaf81f315e20da2476a6af12fd982523be2908a7a370d05120cc2ef433230378403464f65ac0a67bd795b368dfc03c1b3843f047add610

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
224KB

MD5
defcf776a6a7d3a3c23c156340a63721

SHA1
470933f110aff692155a4d219652b86198253157

SHA256
77ac74321e82413ddb4ebe5dc2e5fb2f825f0e1343ef6c6845232f0726f61eb4

SHA512
d3f7925c49ad680dbd25eb2bb741a1cd3cb79b1327995b924e9a1c64faba306fbea622f29113f465076616ed9b4ad469da53d4f550714ae0bd443a756d543e7e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
330KB

MD5
7d5c2959797065e6f1c9d93358110ffa

SHA1
51344606d9bb617529322cd57576e1e078ca765a

SHA256
676e75b0666d2d9328d18eeb3e8a6fb5c3cb39d3d09af2542b17acbc4ca2c5e3

SHA512
367b0c07daad1c495967dfa179f4336b730bee791918af59ecde6d03a186eaf0ebfe8b9213e31b591c3940b5756039ba3a9ae45104c81f9fd404296ac0ed5f07

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
214KB

MD5
c962ebf95d09b7e83ea8cfb70ff37324

SHA1
b93f894e2155af02dceb3260510e5d25e11371cb

SHA256
a05b8e6b8bc8313fb1b053d0d5982515e81506d7973b190d2c4414e6620770d6

SHA512
c330ee67498c2d67bfde830a4218053207fd0a0f4aaf91a51ea25ef4b38e5b27f8257f1bd91cdabbe72c86d7039d8454b323015fb18b39d47595d88d28006000

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

Filesize
236KB

MD5
cdb1a81ead6cea7b8d6bf1c57a358008

SHA1
563690b6781318b5f4387b13caec3926eb526085

SHA256
c4ee5a5e523e4feff6d6c55337c435cdc757b0a1c870894add385e9c1b855d4c

SHA512
6344acbdc3598065a1691849fffaab9d5cfa8276d98f4cd572a7778dde9a7bed486b5f4a10ea1826f96a4b38b15752c3bd9a5eae6cce035e7e13bc985e1c7f88

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

Filesize
245KB

MD5
19f77778c6f4d3298be5527d743111fb

SHA1
6dae719a0bdb9665bc2ad6746e921ff870f6507d

SHA256
7ae7a41720aa3356bfeff8f070f4ae993f9e5064532fd499fdc4eaa96b537056

SHA512
488f0717f57cb43ad188d35b1fae3d9d9a2b160a8339848e32cc3c127a02684afd55765c7764f70508cde0f471d802a662c545f7e0f95cf927270c88e37ac2f7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

Filesize
230KB

MD5
ad8bffdc183a38dd1fd82d762065ef75

SHA1
7c58584150e4cdfb5b8f4081ace2bf085a1011a8

SHA256
3db6ea9783cc7b91dee048bb0cffd890ecbb2222539b9d0e0a08ecb655ba3736

SHA512
c954f26db85b64f578ae807f2e429526c6f13cece7f61694b185cae0c533cc6d4c1ac8e51bfe8331ef94996a8bec0160d8e7d814a107b321b5824e8de728e131

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

Filesize
246KB

MD5
359b9147f1abfcc6e0d62e791cd9e2d9

SHA1
a3eabc7eb7e77e2cda7bcea83bfac0cfa413cddb

SHA256
de5fc086a2d80cab917da91b8b684aab66b5b7b96a66d11ea2bc70f1839faeb3

SHA512
96cc42e7a6305cc7ccba94d42aac7046b197f93869db6b37c2039e81373c8972c5c2c479a6c969aa018daa7aa21353501d6bf4403b5a4ddf04edbfc5f2678fbf

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
235KB

MD5
7e988304843d1a0af5d380697b09048d

SHA1
fe785febc58d135ecf31d370bca07c5a0d93cf98

SHA256
15a768125ccf4e6878eeb2514ffa3d0b4734f0f5bd6c09305d8c75daabb58a14

SHA512
954cc015a49d0483984954f391de417856a6c0e7ef2a789a0bae53b04ce10d68ff636fa472a3657fb300232a90f750cd5bf2e8a610ee63a50589f689c0be2a3f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

Filesize
232KB

MD5
8ff8bc23c5a0ca8d13a8cbbc1854a786

SHA1
5df04c37315c50593faf19777392f49fd2b09eff

SHA256
6f61f5d0680b077d79c220c8a89a064eced69ffb77b29624d065c8085c83aa47

SHA512
eb745e40ae0d0a4c0e7377dd52e8a9bb4569f8236f2ab860ebf5884466fe26afab5c106054bcb4b59e111d67e28a3c3032f15d45487728fe6c17fc41cb49350f

Download Submit
C:\Users\Admin\AppData\Local\Temp\156324b5a086c455a11bbcedaab64f41c420eace360588b8fe81e94b78adab60

Filesize
4KB

MD5
326f39263fee1b9a53c578b4dbd67233

SHA1
5f9d41ba6319890ac3a22b16c0a937cff7f8b13b

SHA256
521340bf028202202d35a2bb614a5ecad9caeb2152b055dbfd6bc8bae1a757a0

SHA512
4708bcd37632de8e0070a206bdaff1af0a1b080a3f53142314b0bddcef571e65aaf74cb52eff51e6e55bdfd0d2fb4d4bb1e7430015c8f409a69e1ef5efc19805

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEIa.exe

Filesize
783KB

MD5
12d2c2d3ac75518e544ea5619e747372

SHA1
be6195b3c2f7dc795bfa1a7ff3ca92cd6a5a8357

SHA256
8e8cbf57eca3ed7da1a8b9e35f147d5811d5051705b851a1bda82ec9796af2f1

SHA512
9c1280b830ff0e61db476a19dba951c9ab0bf2389314ed04576ceb1f680de4956ae3acc5538c458ce5655b7826992e4fdfbffa91cab402084367560c090e14aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUgI.exe

Filesize
199KB

MD5
c07215d2fff0b09754b84996c88866b3

SHA1
aec77f1bf8fe930612ba99dd7e1953007896ab6c

SHA256
2bd0817331e2b5b5109a463e88a1435bac126d982d2868ddb470669dde8ffe50

SHA512
879b48b2f9ef74df9a1d6716ed548ce9b3cb93d7dfe705a4189435ce59886e47b21c635b67f69aebc5df67687835429f06521cc590546adb5ebb58d6c22404f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgIEQMgY.bat

Filesize
4B

MD5
b36670d0aa465c7ccd519db83a220b79

SHA1
5e07a36d3ede09a51155f29c2cbcdc1c9f5c4e39

SHA256
b4977b848cedb27ea8d3dd4359059b06298f0a4a3be1b6130ac74226298dfc09

SHA512
fd309ab0249a41d4ce590e442c8f58bbe4cb160a6896f3bd790a310a3c5c7033282e5544581dfe37fd28cc56cfeaadd5d4d150ec1ee983889114510acbd368b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgQk.exe

Filesize
193KB

MD5
06aec465a77dda9fcc44bd602ed25ce7

SHA1
a2701e337f0ad33f040e87ec0c3e0a3e4339f66c

SHA256
e745a72db8a45a737909792807ced0e821326db5f15e5f073e2231707b1cf83c

SHA512
4914ae7b427210a6e80190fe9eab9a6b49fbc45d66d68cba5c630676bee72f5bfce00cff60ff5e761c2775f760384e5c414f8489d22064a6c5361115eb49e0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkYcMgYA.bat

Filesize
4B

MD5
28628fc1e427871ad05425843cad7a7b

SHA1
60537fc558d09be885f5286aaffac83775f46c38

SHA256
ca0e18297810c43af5784b6fc7da02013ca1f45ef78369f3044f3faad6d67458

SHA512
2cc3eef080778de60c56a26759ebf339367378371115f9b2884253eb01e86a7f15e833a17ac4d7e79c84d8d3b83eb75d6cb93b6375b2d62f0dc9e91bca43e6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoIQ.exe

Filesize
250KB

MD5
5e1e3e131a68c0a2dfab23a3b82d56e4

SHA1
c00b18fec3e28604e8a85174b3e544f8331ac108

SHA256
59f8ecb873ef98206def41c0f3f052cd003fe7c1b31c89e68edc2ed5d603d4a7

SHA512
e38cecf6e0a834441718afc1f271ff9c1ae2e86355b9d9cdc5873f74eebc3ac77a2b25c8182aa4a55e915791a7611e6779d51e77e1ef5028f713f8cddae94403

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsEcokoc.bat

Filesize
4B

MD5
bd13f7e077e88d27c9d8a70ebd918637

SHA1
040670004563a309c3e6df5ec6e8b13371c7630f

SHA256
9adb5244cbc700e184170389d09565b7a74cb123fd7062b85735cb88bb99b5e3

SHA512
56eb615a51c2b057cb4603d50dfb05171ff6207ecee8772d5122b3bceacb5a57d68d949d3e80e5cde1514c63c3dbf23b895b5f4570266ab220e1d65b99f6bddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AssccgsU.bat

Filesize
4B

MD5
cbbac791e371c0a8e534eea72a2bfd81

SHA1
ddbe10839137ed4f837985283b3507a7269b2bf3

SHA256
294f77b8808be318dcff04271a82a3270923d605bb0c08463df4de1c3342a553

SHA512
7ea13b52beac2457afc66184347f8452df51f6f4d9feff1a0f3d10cd8902eabefd8ff7548b3b90ccd1fa654a26269960be1b7420bd2ce7a01b8422d087cecc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\AuIEMkMw.bat

Filesize
4B

MD5
0f7ac0f8e079d8f4c9c0f96f3d14183c

SHA1
12797145b1ebc919109759c27537c33d8c243059

SHA256
0bf5bf4179728b212d67ec0f3f6a2e224234a9a5be041051537715f06797f049

SHA512
e697262c56050ba99cd110bae06f8010a2664b3227130585901c1cb84d078c3d98cf9ea91413fce76f8827e9a2456230244c686755e242aff6edc1a47e8ac5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEQYogcE.bat

Filesize
4B

MD5
a868eb1981bd7f4f437a4b963d6fdf1c

SHA1
a4345bccb35c736d136c11b8195d83032b1a7444

SHA256
f15ac9e7fbe6e2f09241c49930db72ae9bb178a1fc9970bf443767d31e92f3a0

SHA512
a78ae6466c43f92a6a5c7f1e0ceb4cde86bfda3d64c9d95b0bd4a4830172678eae1deb7490966c2f08c259b575fb6e0e2e4c7001d69a736fd5ccffb647418b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUEQUAoA.bat

Filesize
4B

MD5
f30630117a06a03fa0b6270f1d704d9e

SHA1
871dc72038851ba967566c5e792627d81c96341b

SHA256
cf1806b2b29641fd5b5c75b22dfbbce0ebf0ce572d7446b3c69df2a4d5a5fc40

SHA512
5382bb5be20e24e6dcb99e7b5b6b997686850a209f63ee2486f2734bd173e9400bfe3bd3b70fb030eca3f16416ad7177eb135a27a6d74efa5c66b5fb0a9aaadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmwwEcAg.bat

Filesize
4B

MD5
6c4e237a8b57fccc82c987fec1c4b399

SHA1
b9f062f4347cbb98f476e40c31646a04508e5d67

SHA256
f52f1df1fd2615b7fec1106bffb4c606f1f476fa2d0d06ff1ee94b912a53e7e8

SHA512
a4635b4bc823f59dd8bb3590b2cb0b7cd69ae5c9c87862fa043950bffff869f2cb7a734c0040af10c581ce8dc37b67fa20adc049bde7e24775434ff6f52d2037

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoAgIEYU.bat

Filesize
4B

MD5
a2b17d2c3a48ad77a073cb283916e999

SHA1
0e1b2d1020af807051bf58142081094579cfece3

SHA256
73ea8cc0db23ab65bf8ba955e40b7e824252a29acbbca0a1ef0f9f1e0e9c5644

SHA512
17ac590842af6631e46086235efe6e4f9c79bd869a4df261682fa0f0c65216f618f81f97a858e47ccd3326932bd5fd657e340f9c55dea9d6628aa950700c0f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIQwkwcY.bat

Filesize
4B

MD5
63bda044424c57e32cf1656ae24635fe

SHA1
b4b4aba006d6cd0f6c5a7c43defea6a65984d168

SHA256
84f53a352d16aa538899b15bfcb75fc3e8a2dd04134dac1c2595325a7cec90f5

SHA512
84eecfd2bad93c3cd22d061d3721f2a30a46e8de673057ca8c72d5d15d2a3c16a05ab9b94fe158eccda6948d07f97d90aa5a79827def386a378c6fc86ecce314

Download Submit
C:\Users\Admin\AppData\Local\Temp\COUYkUoQ.bat

Filesize
4B

MD5
58ad2b6d42a031b2319a7d021199048e

SHA1
3f9209f83eae0b7c19aaac41d8935ad4ae992012

SHA256
680f8d63494e8b0c910637fbefc13e600089378c160753f7dabe290ec14eb040

SHA512
3f90692a729fabf1da5aa3d765c4abe741548e54f4884ab110d3c1849b4f55ccf1a2abb036a6b9544d12d3773a6ca721119ae52f209b0b9c8bc859662a09b2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQIAsYsw.bat

Filesize
4B

MD5
4123e39f4e44cc213559b8add4e31c16

SHA1
4822477b447bcb69feae92abb122d4088000a601

SHA256
67dbeb701eaf9bce1e6aaa3847b66e79460fc1dd71aa0887f1f1ed5ad774db69

SHA512
7e3a55b21410c7dcfaf748c2036f0e623f18aa353ba6f7309ed5a98e0a98f9f5708e61529c9fbeb1d87e504cd4cb7eade3f4aa018fcbac66930e21dac40ae6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYEsEAgo.bat

Filesize
4B

MD5
75feba860f0aebba6f67257cdae9f765

SHA1
f4914c19fbc158cebc66d84b32333a95ff9b7b4f

SHA256
d89e960bc6d3ca7ddc142990693ac72e7dc0ef56eebc173ce7a7a2ee7ff19ac6

SHA512
f2fbca0276177871c4900e9a4f89e6bcb1f29dd15b79ce6162ba06695f169d8387a0e744c72784b9b6db57e7e08134fe6b273026128b3d86947ecf5b0e7622ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkAm.exe

Filesize
649KB

MD5
cefa2b8c5a7e0dbba9c365f4e3535b4c

SHA1
d9ed8fb1bc7e80348dd89ba3248d8ada0a7a4590

SHA256
e8ecf20e0b384753e509519df8dbd530d31597f73870ba2305032acd63877414

SHA512
af0b8af41be62becdacdd47a857cb7e9db24da3dab02d5945a59e2b24ba013ee36618a444f5a3e9342e87ed8a746c305faebbc747cffb267fe44e77678d1e1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ckws.exe

Filesize
231KB

MD5
54296d0065a08ae7ebcd911d5dca32be

SHA1
9e5b7ee23828ec8082e761833aab90412c05aea1

SHA256
799b657772e5e1774f9947d26618e7f7e23a5aff1dad0d3a7826fef836d31a22

SHA512
64087fa4f2244b4dd4df1417d760a7e98ad45867e7532a8d0d5c62df8f532ec822c5ea845aab0ebec66ac62a375a98ccdf2df0ef262745fd3a3ce468fa7d91e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Csgu.exe

Filesize
236KB

MD5
65372b9660b47f87ae95c338377841fd

SHA1
5a4826a3c564f7c2e82fdcd43486a416c9c87c83

SHA256
6a43972519e28a7d9430ccb7170808c9a291b344c4a2919e3079f6965ccc3281

SHA512
2a5f895e8c7dfc199ed57ebdc2cdd0eb431da0821ce016d23ed1e2c378edb6ebb596d0a8f7c627ab9dc2287de04f85c378623dac408c349c07ad66b4443dcf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQMcUUIU.bat

Filesize
4B

MD5
8de372b71768672018f5ff43fab4cbc4

SHA1
aaeb4851736e32a18d782e65e3647d5a3ba12722

SHA256
25c89e3a469540389c04c7f57edd95abf50e6a05241dde4736b347430343b437

SHA512
6db55091912d893494a1fe3bf1fd508a50d9a4810c9da3c88a1c3dceb2d16f0c945146c35d0159d8faa26702c42fdd694c12cee67425051982f13a1f1e5a3b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DegEMIMw.bat

Filesize
4B

MD5
c95867634a593f5228b611249733a218

SHA1
a2cafe19ae1881d111cc91443eb4bb6efe79b70f

SHA256
dbb7ea38a2ed74834ff0014911459e8a48b465f9f4a62ddc978b48df3eecb7fc

SHA512
2e648be37abab221a0d4310bb8d3682b54076f3c90e93f604147729d1f132695d41d14fb494b8a4d9e44cecb2d9f776d580e5ccdadc1d8e74bb6d38b8d5d4b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgAAYMYM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgUAUUUM.bat

Filesize
4B

MD5
5af11963a836c603fd4e9f4ff2d630eb

SHA1
0f015c3fa4048aed9bdad719e711e7b8eff8d7d9

SHA256
7384c2a2e663a45d586588df9f7ec2c4da5b922da8094817aa10477a6d86958f

SHA512
f88c961580b3b3770f4a79c0a30da200448542763217d816e330df9307f0ee8a88c9b3d5ad3312658f805d5846f0bde3a5c9e6d1b7d31d530f163346a5926d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECwUMcMY.bat

Filesize
4B

MD5
e5a276bffee82618bc021f6a21668897

SHA1
c7ac9a3790912544eae8683a585b5c5856b45a80

SHA256
d6c06f9bca8199dc6123f1b2b11896ee8ff4dbba81eb8caadaa97b1d3ee58a8d

SHA512
6252be5eed76f83265e03b64234b75fd198807a367a19fc79a2f2dc7399c7825c69efdd60131074252c78b8f3f91e5959f0823d614e553289fc745d39fb7370b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEIwIMwU.bat

Filesize
4B

MD5
ebaf6e2c478be672ed02ed1ddd5c4536

SHA1
39f87800de721082cb07a90ecb3db78547572319

SHA256
dfdd61c88ff27f58e27de879ac1ddfa3719f799c51cac15464bdb52542ca7eae

SHA512
4b42a6d38b7941e4f6a7e9dd8877e5436bf0e97c81d8ce72d2398804309d1159245992d603181a2438a1bc5a3654a06af4466e77b0e55cfffb9b74e97aae62c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEUU.exe

Filesize
624KB

MD5
d33aed57ad5b72e8715fb3c59cc2d6e0

SHA1
11f1fed4eb721c39f0f9ea4adc41708f1bae2745

SHA256
ca59b891680fd51c58bb52aff64837f956bb48ab6838d1b3f0e277e2f9c15f46

SHA512
66d80cdb60abc133596ac1fa49212a3b43d7adecd4645bad76d06cd26b24d8b25e4c67ac70b22b05f9f1c22da4582e1f3dcf9fa6784f75ca9bd7e15dd8082bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQoK.exe

Filesize
206KB

MD5
e31f530bc06e1441a469ea824527987f

SHA1
ccdf5f1957420037e30bcc0a4a0305ff07e655ae

SHA256
30ddfb4eebbe93a0c51274814974670a283780fa8749e3aec60ea3088f918023

SHA512
73e49dacd45610ba5b46b469a9f59c7c61c4317099af1116718cce19c04deecca2931c94628c6b8b846c809b2ec2719eab2cddc56fcb5ec8a9f6fbaf3d88b582

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWMkAQQs.bat

Filesize
4B

MD5
e1f30d28927337db43495d0202c8d976

SHA1
33146f0a939523a91772624f37d4c786b9e5433f

SHA256
b4f6df73ed54367fee95fc248d4c8c1fb087a7ed6f5314dca5ed7f3f76dc2ccf

SHA512
9bd22e2f5ea060b0240c7bc4a3fc7b79bf252fb945c4d22ca21fc8b3a25362a2a5c1561408092d7509c011a4629fbfc1f564fffd89eff0ec4e403c0264966edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYQS.exe

Filesize
245KB

MD5
731f24f574dcfdd0a40a6699ec77d488

SHA1
db22d6da5823426848df08629f54456327027106

SHA256
0c4361d4ceccee0bdf1dcadc2a8282a6b766afeb276a31748a53d3b5523cc340

SHA512
a4a2ffb451977d64b5e9d81333d6f71faee3e1263ff9b5f85aeaaa4cf687ae40ea72f63a812b5a0d86752116e4fcdf8a2fa6e956850b650b01eb0475c8627290

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgcggAsE.bat

Filesize
4B

MD5
3103fe747021712f633fc8e49d54beff

SHA1
560c4b2c60ae749cc198c815963496a33aef36bc

SHA256
ac20c43330421bdd413c05a8ca86d718cda15f940cfe6a1db1ba997561c37d69

SHA512
587d87436b9a48b4f211278ff32886931c982d3703e23c3915a5497ddad2147b4d5ce3ae1845628adb8bf25a745111de3b077b961731db9ab5db757a26e27452

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkgS.exe

Filesize
243KB

MD5
898039b2b0ec331236ee49d8a21b69f4

SHA1
81e40448bd8f0597a8e5c967cb7d7bc08b806bcd

SHA256
315086bd198d7ef29d70494ec1140138ad9fa5fc22b610ee5e721c6e1fa47007

SHA512
531075e151e9b49a9d923c1c5f916eba418e39e8597735cd01c68852a5072169c48b3f06f8e0cb666e47193daf6271486f9d7e863555bed637af1c39f8a3fd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\EyIgMMkQ.bat

Filesize
4B

MD5
bf31807976d9b3ec22fb4745ca79fc77

SHA1
1ead3c31e62de0abb685a106da95cd5b8cd69e53

SHA256
264e42787079f08ee423225f5ebc5c026c383551707d276f2a6a4c4e5fc42253

SHA512
2be1dff04cb55d263fbc67d286d9853f1a6ac8c5b8f0cd4f012840028d902d375a4cf79b55075fc040a21f34fc8f2e67fd1358cee06f05dc2d6508aabb131c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEcIsEAo.bat

Filesize
4B

MD5
c1e8c54b7aba0cd586eda38cc093d4c4

SHA1
da041efd6229fe436faef8117c390ed80d11c87a

SHA256
a15eda8a5386cf0788ab8a29671ac194ffc2d5987489e2defa234f71e2a2da4d

SHA512
9c30a4d34dd8ca498326e18d091cf1ddd9bca070d9a1fef82e862a97eb258fba19ad4c2cde17124d31eaeabd2f7fdc19c2e623c7a4c31fc811f585a3cdfb6aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUksYUcc.bat

Filesize
4B

MD5
38abd3c6d1421678dda8cda14cf3af23

SHA1
8405bd8e3ffb58ea6cbcb18ec0da9ce6cb35abb6

SHA256
4891d2fd4afaf9cb32fbd4c506143efb0361b82283429da10e0d6fd7b54c35a0

SHA512
b875d2643248410650f17376de440107d85c4b5b01f7af0c463f6e9f74e33f5848c7b7e4a8a88c18d9e091abcd5dcdc53a0031e96e87435903c8f1679e90f37e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEMu.exe

Filesize
226KB

MD5
bbcd9b191a4bfdc327e1595666d591dc

SHA1
da5dcc022fd168e49ce1d2af1281b3158cd57ec0

SHA256
b8d60ae39a8485fa1d74dcac7a951084a9f6e84791b62382503e78e6087c675e

SHA512
fea9bb96812c932080b558efa09600bc0936b712e98f64e8ab05a64ba2fe8fd716049da5e0aa3352d12e08f0946b0c597341b61513d4a283f3e1b28fd9abfacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKkEsowQ.bat

Filesize
4B

MD5
5c529cf564e409161eb9a38392d49407

SHA1
665e866ffeafe27ab9e194f0604e32b6b3bb0f00

SHA256
6feeee06657fdb85bf86509a9b9cff609f1f8929020688ae1811dcd12ff154a6

SHA512
38e4eb5f632bbdf9c7b5208a6c97c4edc015528fef507e05bb7806bc2a4f9da5fd5da26840f30dce2f40080f62c0cb51e4f490557fcc746dc9df09753656eae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMIE.exe

Filesize
237KB

MD5
c78398174967e32bf41d6535e55a0d01

SHA1
2e9203d2cb864ac3372d5690c0caa51c688892a5

SHA256
1959b2faba6328fd834ff37eb7bee0aaf1f3d215b347ac6b5160413deb577f12

SHA512
7b0603a102695fd66696f7f1edecff360fe6b1d5509434a5069500a19fc0eafdc8726d1eda8c60dbf030fdb70eedfb1febb9a62adb8464516b4e4ca18ec4e55e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQMi.exe

Filesize
236KB

MD5
1f6b10c52a651e40ec6ce3db995205e9

SHA1
bcdccb8961142981f2b7ef6979b802bc21bfb02b

SHA256
0544f469fa8620df6776ee1fae2e60352979fc34ea1929ca2c1a6d437548daaf

SHA512
422cd9ebb07cd2d73f4bd9161266e0dc0ff9a1c03a1a838f0db26f1cf73a72d066aa0fd6499bb5c1e47f47003b68e554957f0e3faf22bd7a87563163d1480853

Download Submit
C:\Users\Admin\AppData\Local\Temp\GSsQsgog.bat

Filesize
4B

MD5
f22e25ea6b0d57b4c66eb5a1526697e3

SHA1
d03486b608c9e767de609bc759be85b84f67b45b

SHA256
a0892f44dd4829167e5086375e9f17323b0530d460f42238805db0296df18cf7

SHA512
4218226710c0c4051a6c53e103ac56ac8825948631b604a3c4c9877f8c560e1bafcd7c41886cc58c469543e840ee99903bb0c83f08235b5f5c585d34562afe85

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWwEQMQo.bat

Filesize
4B

MD5
0d599045abd3d219ae93d720f27240c8

SHA1
c4c9e3b5f65961bed3035f9e737662e38d0e8412

SHA256
51cc2989d243525ae6a209212c0fce0c2239c8a7bb0c667b00ecf18d49851cc0

SHA512
dc07c251454273ec978e8e98eb7a746e3026dbb353e040733b7b68952c8fb91c2c04b51d0a7aa6fc1ab960a7eb4e9ea9e9e61477a1a48185c7f50fe5f580e44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAYG.exe

Filesize
254KB

MD5
2f295966bea93971c9f0c32dda8472be

SHA1
3e86677a028291313325de35bbabab7c467061e9

SHA256
7751c80de71c0c51e3710219b20a3593ffcacfb7779e52a56783755374c6edcc

SHA512
eb9136efecb62f6f554e9735f61193adcff751b974a5b54c70209a9c4255c40272b200bfbe0e0446e2ab366c079ca2ea25843b455bb90c8d2cd6aad90836e8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAcE.exe

Filesize
227KB

MD5
49f93a8687b51c8ddc42aa1444d6355f

SHA1
11a6243444e97c48b71eae7d8cad8d78b73765df

SHA256
2a9c82491530c0596eb35b0c27c59a2b35ff843c904b08cfe1aabeb27c655fc3

SHA512
310a25b16f90fe0f6b5b71c691a83841cdf1c340e6368bbfb40205caac4f4d8f6cf18230b9d7569650d8b0a089087709e01cef95669317d0fa4e46694ef8aaba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAcY.exe

Filesize
230KB

MD5
7abbb67e5b7f10c8063a0e4afd290bc6

SHA1
fa915954d5a078f9befc1840c590e71cd93cab88

SHA256
a2bd72350c1a2fb8ebb065c900893daaff71cc5db617c3eb23d4fc5790d86ba1

SHA512
d9144ea34f757567af7f5fdd71cf3136960733acb53e6de110185dac0aaea18c2137cbb0f2a768a8ced26bb9013da1b17d7c91698207082a56e6336a955d5859

Download Submit
C:\Users\Admin\AppData\Local\Temp\IGcIIgAM.bat

Filesize
4B

MD5
1e022e13b9ffaafb82a7378af3ac05a1

SHA1
aece3a6892a95cd554b5d8d8ca2ca0bc97e1e197

SHA256
431620ef413dc8683f7878661ed56c493ae92c74ab04b96728a2ab8dda2de825

SHA512
657e6901150a44ffab37db1012c462dac08795c12206e4f0a7cea097af2419955cc8ec07b1ac879165486b11ebb89414d3e646d0b0c93dbe31bf09b1a9c6a69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIoEMYQo.bat

Filesize
4B

MD5
fe357341f26249f5f7c9318c87f61338

SHA1
19dd7e46cdba446726c93d532b7546ed1ac528d6

SHA256
69ca8a9986dfdf36a00e8193862b179071a0ca641d1a05a7f67ca4d3d0f7cf1f

SHA512
e4518df5308b3239e18f06b24f2c23de865087b8a543d7994033f1c836c041cd60ceda7778774cd69631c3df093878a84457337bc10609de9ed2d3aaaabe4f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYUI.exe

Filesize
202KB

MD5
ff7d4398defac717ba4d83e26ff7109a

SHA1
6182eaec5cc1de9037e501594076d437af9c61f9

SHA256
11febc75c2b2ab6a7213fd4f89b09abb6933860fa77dcc5887a7b3a388183340

SHA512
657726674931e630a2fee84598b19e7e4a10e0ee97a20c3da6d796d9af4fe0df88b567a019836707de9a692783f7f67e414691c764de18281ac4dcb41207440c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IeUMQYoA.bat

Filesize
4B

MD5
69db6ed8a6073e2e391c0c9ca9596ca8

SHA1
ad24a3c20f79d1aacc2930719aa9d406e5dbec16

SHA256
a7536eaa2ae05ea3201d28ab06f38b83fbc2f20e38c00af4389c562cba82cc92

SHA512
99bfead343b5c888969ca51e74639a2ecf5073491d9c73290ce10fea68a5a81c0ea0e7467b735b7386188b06c706fe71148072eaba790d1d67fc7014ff2755d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikos.exe

Filesize
201KB

MD5
2f250fbd904163b6f050fe31a7f548e4

SHA1
a48f264a41fe1cd47f416efb75c6d8413f4e806c

SHA256
1af7b97ba1d204aa7fc6cc17c5ff0dee45290d75801e9a9116dc3674f8d20eaf

SHA512
c4597d30c497978b4275373aec8cee4561d1ca938765ff7090bd5d52fa11aa0223c2e8bbff258944d10d21c5382ca36e3879add55cde16f338f6f5e06baaa824

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iksi.exe

Filesize
238KB

MD5
ad4a75848d72dc99c1f2c3b919816857

SHA1
1b962e0dfe8ae71124348f74d434ae7f8706ad40

SHA256
9bc787e13c5b4031c81a5b14ccf9b9421c8f5618541be1a51233d3bb71ad4e38

SHA512
1edeb787a383cd7f4539668cb901c51825dd52ce4b6825feed89e666e9214fe2e99f9a6661ba2ab962e11e6e4e2f36b094d9f44341f476a6c484ac2957c39606

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImQkwcME.bat

Filesize
4B

MD5
55ee1fbaafd4b1156f0ab02369676b5e

SHA1
ddb5a40b0ce159b6367425297c1aa353668a5ddd

SHA256
489cdd8cf945fd53f2aed7256f5a5d2f6b8f428ff7868469cc41903a40f34059

SHA512
263945bfef4c63c796596af1074493f45c9ad50f7c11ad9b2d68f7616b845c7f507e5aea0b3fe14a96c35216ae3394fc9b5ce4285417886e031becf56408f7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwAIUAks.bat

Filesize
4B

MD5
7a6b0c94ff9b09fe99a8247b4dd26532

SHA1
9a9a6626bece693f95d012a8909f4efe86aee62d

SHA256
f51287c4c9b2d178acb3796cc0df1147001cc603e3f8f41274a23183bce27eec

SHA512
4613f1167cd5a41c964dd15f3b6c5278789434841368df66a780be801a61c921b40637d9412cd7d1b825d59373d38157b8a27a2fbbf6a87baf86dbdd84e929e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwAS.exe

Filesize
215KB

MD5
ccbb45f42ff7611ee84d9b20742ef740

SHA1
703c138b76babbaa8f4b7855a439ac1140b39526

SHA256
d9697b466688fadc1b5662a91affd3baa903c858ab5a11a4a57a02edc904cddf

SHA512
f388d71848a7613bc483a445e0540e6e13ee09057f916dc1084a40717bdb678a0a3b9942beebd3b322b93bcdcd7a3c7032553877d9e1f8e66b8e8eee12841d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IyQoMYgk.bat

Filesize
4B

MD5
8d014a4acfb3db76315529f8250177e0

SHA1
69e20c1f6dfeff5299bbe2029c91605f7f6a29e9

SHA256
50ddc6f40c094f3c6d85c24a15861791f7b50fdb4b61738f4a5ad3bcf21415d8

SHA512
ea59f320daf4cfbd7bb8a4851bc90a05f58770c30605de9553aded4813c21f6a10b5dd5ad2fa06e3895f379fe1f11c373c39b1d35e0812e0ca08928714c08e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIkUUwwE.bat

Filesize
4B

MD5
d512832157414e83678883c50d9d4ebd

SHA1
bb7f3ea1a905c253671d30b5932bda104a57afa7

SHA256
1c06f09c891d79bd97c65b62b650532d0f284ca7708c5a7afa5b671dab148172

SHA512
0aca726fe6dfa23706f232d1cd0dcecacecda9e80fd99d26ee351cc5b56d0f1a15b01be7ef0ca7684a4694e5bc64b3529ef8c3b0651ce7ce650cc62c9858ffa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JSAMEoUY.bat

Filesize
4B

MD5
e037f6734100c2d252f82051ab78ece6

SHA1
f224c9c0f56ed59da327d136a2acbc40494510b3

SHA256
a37a8e41dbbcda6333767e7f8b270a4bb0cc1dfa9b1edd47b4a79da1ce5bbed9

SHA512
45dd5409a044b4fbe49639172df713656dba45a9a20c37b4200df884320405996c043fc08d7245de9cdda20ddb11a5147222104955eedaa61b8155bd978ae779

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jmkkwggk.bat

Filesize
4B

MD5
f16239cea30c908a7b9d0a1ddd0a209d

SHA1
900b6f6a0feed9ca07fb9af61b46c11b4b83ab1e

SHA256
1126225feb30838aef47991799dbff511b217cbdf0c774b0cd1a666dabcf79b9

SHA512
6ba32f444693786b273f9e0fc38f92b7c443b117fa31659b1cd24ecb7bcd80732664dc06ca3222f527050226ed28ba100cb75fa296aa129bc59e81556719ddb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAQYkoIw.bat

Filesize
4B

MD5
acd6d0b87c3d7833cd1f30468439160b

SHA1
6f041943398f31e1b21ac620f96ef058b9d92744

SHA256
f7e792c52aeaac31ba0a5b9a3c80071be50b3fd251af26e1db414a7653006d58

SHA512
e3aeca5b85439ee71cfb888e99167b369fd01e10fd5b9dcd7f37a1fef8d0b592cebd0f96abbf9d580b108effbca391550af7b88291691cab63485a0f2e4dfe82

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAgIQAIk.bat

Filesize
4B

MD5
c92f806176afffefa6054dc550f15551

SHA1
e5a918cdf347117b7111e5bbe47e6482ebdb359c

SHA256
f2c096f60bd6aabb74773133a633ea67141bddbec32f8d8e67eb555360727712

SHA512
cdfc97f8752a729c8f2d10b602565778c684dc4cbc36e560cd3f40082cee98e7caa461dee6497743e91e9ad41c784680729c77669538e9cd5ce5d331c50b691d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAgM.exe

Filesize
235KB

MD5
f61f75566981222dfa6d7777448b1768

SHA1
b4111aa3df4552d1bc3b2ac2f11fb5b59ac84139

SHA256
e8be29fd251fe98ae07cc56de495f22b126d9344ee86ee14f82fc7f0bc4fe6ed

SHA512
c4ee821e1093de1c626ed7483ac23aa080f720ed076c3e1c6714798018f57203f5e5c2b1fd91f62e46fc48bb84b06b8e5a75580904dc683b794a25f2fe3edfc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEUy.exe

Filesize
202KB

MD5
df4e07acb5661a2056df71ddd976bfa7

SHA1
96eea57036c2d3345fe03f135d0c3f0ca4eb1521

SHA256
6d65b471a2ec5a200a8a0c15cefe87dc91054d8025d394b1607c6bee48980544

SHA512
2321c6459d4be208f6819dc79eeb0cf186d673c9de05c2a5794c95e3fa5e7b2e2e288fef063b0499f7fd857c47b65852c13fb43749058b0edf9f61a601528efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMse.exe

Filesize
242KB

MD5
39fa7be2a0ecc7aa16d3378023889a27

SHA1
f1fb76181dcc0de6de3977008e5a94459edf65ef

SHA256
94a0eb5ee23aa11be1ebf957e0cc70151a3269c5c98f04f297ab969767b939d3

SHA512
f54fb630c86c5e132eb59b859c477c8e4b6055fe55b15ac4e1b5953f2cc068aa87a612599f51511bd8904a91680ba0b3d0607e896c84754b2e6c5e98498d5e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQEYkscU.bat

Filesize
4B

MD5
be60ed3bac5162da18e6f5cabe36dc5c

SHA1
fbcbdd091d77ad11eb43365c62c00de29b8929f1

SHA256
ba2d2894bc9ffd854eca75ed5316a4c64e9089e52cc0ac85e5d20d9e75befac0

SHA512
3fcd3f3bbe13266f665aa9abd7838b0f922e29ad521bd7421b5c61298ed5cb916bfb25cb3db0a9efe49bd3254abda818cdf0de38154bc56fe1dd0a18af2a9b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUUE.exe

Filesize
195KB

MD5
2d650e0d3e2d6c0be9134e7f4bc6f28c

SHA1
97e82b757bd1432c3b35e31032e7842c6c4791f3

SHA256
bf1aec4eef3f155e8b29ac5e9e0060489b02af9d4159948e4abcc1ba12185bc4

SHA512
c91443f87cd533d275216c23609d39129b3eb5227adb9f9c2535143acce322f0a7bcea11ec769905c053910f161a39cdc794845c78c3a44fd576960e74bf9c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUwO.exe

Filesize
195KB

MD5
a7ac8f09897ec908b36b4244e07ac40d

SHA1
57821b25a56fa37a3902f05974ca2e17171b20ae

SHA256
aa37032bd39ab92a2076a3131d57f08ff7d985db7a8d072d13d9037591904fad

SHA512
d4aaf12edbe1a1dbb12b026a3903f376ea00ff3537c1e664336098dcea4787a850b1ec26fbf63c23b1f934afa217661a98a71d044dc2b57bb893b607d03dfcd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcoG.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kswg.exe

Filesize
243KB

MD5
1f04b00565134263e5c7b0bea8b31558

SHA1
198655376bf5f12f65c3ade1440fdb4937377b0a

SHA256
b47ea8a0e909abdb42e73663bdcb7147aac51e54dd473126fcbfb13c4fa0ae51

SHA512
5789126c2e3f6456bd6c656c7f23c093c5b2e80eda9fc76748edf272f2bc0043ea42ac221f6c5ee6cb1e7bc007f01705973ac181926a5f09b4d762e76f3e89e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kuokogoo.bat

Filesize
4B

MD5
5e2fdde49950268078a087f889df7ff6

SHA1
9c0b46cd81a2198eab553b77062d9ae4cd8394a6

SHA256
fd8455894e1efa2a6ed0c271b4c53405f58f814c8d30fa1bb3fbc44858855baf

SHA512
9b297ef6f4c785a6a2e831d2161dd078a61277447ab259c8dd7b2f65885862b3c177cb94d0a660751ec11ae7583d8ba929cb82221724c6196817f426f1a01c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LGsoYosw.bat

Filesize
4B

MD5
b2b2297bf96ab8963831714d69a0166e

SHA1
c65d42ae9401bd7376b46504b5d251a9748a93c0

SHA256
f151cf0330a206fe95e091ac590a5feb623cc7f42549928a5a74ee6fe3b907bd

SHA512
80b4b9aa0769cf1728dce6d88545a2e22963744cc209f67046feb3a3c9eea43696545b5b37f0002d2dd1d1cf7ad1ac26becf5b034975145b13cd8fd2fa9c104e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LSIgggcA.bat

Filesize
4B

MD5
3650307b1539fedbb5b1d71ebfd963b8

SHA1
2636c5d5b6aad614524f0e16611547927cb8049a

SHA256
ac00213da50e5554875b0ec8b1f192479952de7b7386c2b69c4bec399e45e744

SHA512
dbe63b82243496a37256933e110f0305a8f462876e79fe43f5f6639469e6482fcb869ead07f19cb903d585c3575540fa5a9e3221d27cc07891ca5c6bbb5c3553

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkwkowwQ.bat

Filesize
4B

MD5
1ed3be7f3f197be591de3fba07a1aa93

SHA1
fd049ad934dff702574cc2e248e2f3f2ab70f0b1

SHA256
e0bd04a2d8e6defc7e83248a0dcacece0a366928c0f6ba07fd145a9f89d9153f

SHA512
de4583f155601506f771b5551ec17f6346d3b88607a0543e8926b5f8f6b1a4f312ff87490c8e06346a98da89389029f9b38eb6d9f92141b8a7e1ac84617fa05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAwY.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUkA.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkIo.exe

Filesize
227KB

MD5
76a58cc98cd58754a2f894824307e165

SHA1
d683210a3b389449502eea89677ae35e7b509ada

SHA256
3e7c47b8af6945cdd7ebd60054d5e70c7381b2988b03ba37d0dfb25335a613dd

SHA512
1caf89279a49245bc4c122776e672f07a041d8bd768cc626998e97e0eaba6d2f814124326bca9234d346eab23de3351f5a921332d114b003b1799df0a82b6780

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkUc.exe

Filesize
893KB

MD5
2eb77dab3e8ccb1f62916a96cd15c689

SHA1
4f826b82d9eeb64376cfe49f3f07c56c06c9b936

SHA256
9eb2be51d7bc01d5d3c5a702dbb9aa6eba9dceb17dd312304d5e50a9510ed692

SHA512
53da6dcd9cd1641fabe18162f6bd68f7ae342768793ad2c47ba038161df754c2a09437ebf3215fee9cce936f86b7137bd3cea3aec9867670ea1e8ef3c3ad3fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoIc.exe

Filesize
243KB

MD5
e10f383e2313c69850d1d1cf7490007f

SHA1
831782810155aa0dd0d5419ba0d97e63daeae4ff

SHA256
3d0172697de63833461f3731350262544f18266a5279c867053cad6c2b823099

SHA512
ac3974ba8b0ba740efb3f1d4290be2e3f7f4d867701d324a8c24e412e33987b936f719d02461f240376233a1297871689907b177d2a6e72b22a7ca5669a4cfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsMq.exe

Filesize
320KB

MD5
bd5918781be6d3c4f8443642fa7b2f64

SHA1
e423e33974e6877f55324f25037a28f667e0fcc5

SHA256
49f0938fc432c2b917d8950856ded2809b97c396e9e34d6347d618b73392a125

SHA512
54e5a2267015a25a75ec53d476dddafde2da59b851c28251a7e1398e9e7fbbf0d3b2e4ee08bb74c635550c88d6f2de647381caa1221b494f71fef1b16caba54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkQAcoww.bat

Filesize
4B

MD5
5660ee67f8490d19c55042cd1e451bb7

SHA1
fdae1fee5db09dc14f730c2db6f5e45411f37620

SHA256
30f9a500a8451a48e20c5c90ce7e13c4f39c9ce05e06e1a2936d61eb1c906555

SHA512
cf409256f3d4a5e2ea2e7c41d5204114ac025b893c60ddee34489edbf6de0f3bf9764e9c331e83b2492b494701b8691ce20d380fe638cfa8a6da135fc0c63c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\NqwgoIEM.bat

Filesize
4B

MD5
e87da0bdffde409dab5b7d088bca1ae2

SHA1
79a4f360c83a2a5560f4b45b8abf26411c66ae7c

SHA256
f4f36742a9598c6c8aaa33172a5cd74498927458f0ce21c3d70bc9a731c575ef

SHA512
8f8ff3fa2cc9af51e72fcd073c776e829f430d3175b1961e949b4a02e01b561185d79da46f84fbf53dfb048015a5dfa916b8a9e4b1b506c7313b1db2109defe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMAA.exe

Filesize
245KB

MD5
5159c2a3ac522fb278ae4058ec1c15de

SHA1
28c7c900141c61c5850a64131f396fda1311c54f

SHA256
51347edd29d64fee93ce34aba66a7afaf679f5e5efa3d43f4e2528a54a1a0409

SHA512
1dc721bff091353542343707be2bd4a19737a1081e4275088057cfda27a3c727ee3dc777aad397ed7378b8c61781d378de179921b73e706ae902211386c02f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUoW.exe

Filesize
328KB

MD5
33c6aec8d683184dbbeff40097478da8

SHA1
beaae34b57f3b2ccb7a5c340623b099af288388d

SHA256
6a34ed01e53676b7acea28869a0bd449fd7bb5630d6030b4d283cb8f521765c2

SHA512
a3852e5f6599f41c580a6f93f158f4b05887127000e40012bd2f7187498bf3039b868fc94913d5bf2bc6f41d30eafb40d1e74a9667d803c761052b1232b7fe31

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUsA.exe

Filesize
236KB

MD5
a21ba4aa6fece858fef3da648b5c3933

SHA1
abdfb9037c8fdc6636b38f6a39913f48ce740325

SHA256
585eda33c7058916541a8620359d74420b3b8c3f3f3c53eef0514f9c6f5510e0

SHA512
1aad4bf863ffa429e145cb7ae3422263cd7996fde808acd645cb8865f8b37814231e4ca645ea631eac5968f499e977062149738e03c182cd159946992f324ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcMC.exe

Filesize
206KB

MD5
ed119c8941b1478e1ae1ae2891e25976

SHA1
6f55082804f59170dbdcc7e43c4a19d78d1fa2ef

SHA256
2dda4cadc12399c8d9b44b6b28aba9ab623e2cccc639cce26b138f50218736e0

SHA512
9b9b185788fdd38d9c42cf29eeb89b30d8b04a6ac365ea58ead4f2f688c3ea2c308744ddd584cbe5a2830359cef6881d880fbba6a67f94efe89646bcde5b8917

Download Submit
C:\Users\Admin\AppData\Local\Temp\Okce.exe

Filesize
188KB

MD5
64c41166e1156a9f98dee9ccccdd9ed6

SHA1
b40d079c864a3f4022d088bc363280882c95a726

SHA256
fdb3f9c3c006cc3e0237232a3e5bae546ba2af430e09b4109ac12b17a31311e3

SHA512
80ac2efb0e285d80e9c3652f7905a41205fffc69ba5a378cb724696cb27f824b9fba0cad9f6233155bb91fada8f830ae04000ac9e3245284f8864c0310df77c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OogYgcsc.bat

Filesize
4B

MD5
c2d68a8c346dc859efc7ad4492218000

SHA1
a05bcf0c7afceaf1663d71c77f49b119f3437c21

SHA256
c1f42dade315c0ecedb456036ce508cc8c4b180d3c634c33b1b9b8166e3c3e51

SHA512
246d93de296a640bcbadabec949c311128951a2a3c8ba928fd2de254def020859b7995e6710b0f079709cc0cdff3ef05c16dfaf1bc1e4a1850c5cda6796d9fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OuoUsYAc.bat

Filesize
4B

MD5
fb4cd4e084fb20c2141693d52d1336a2

SHA1
67aff030b22915901aebe051e4ae795888fb2263

SHA256
117bc20df79d3c9360589652755b01dcacb95091e07e4161c736eb0312ae37df

SHA512
3a75dcfb31526bc65541abc5a446dd1c96037ed6879c9a829a015f1c19f55dd36d8cb09c488cce4eb48530a222d7f52f5e493d68fcfa6f697f68b4d36c5287aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Owoy.exe

Filesize
202KB

MD5
ac3b7bd26b3a0d9c18463edc20df97d1

SHA1
3e9a5c2094cd1b31c02dd92232365bbcb91ee805

SHA256
a6cf90b297785f1bf530af41d85c71caf412fb8e46bccbab00deb7c9cdd9c835

SHA512
903bf37d0f86ff8964c88e2469643bf962acf32a010d6692ddf0bde16839784b2afedf65b3ad786e4f2575535b9a03e40306442ca0a6699d2b0d300e9b1c1b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\POgoIEcc.bat

Filesize
4B

MD5
c8e759c40c7a8b888a90b39830dc67d6

SHA1
9d9ae841e3bbf4ced8962c362e100bcc26072f40

SHA256
7c32261c89165d685b77dc9f885e8df171f8c98498b7f22180e3ab26dd676165

SHA512
3ec68527c40344b734a573e85ab2bb5dd41bad70de46fedc13421d9324df795bf7d5d478e05657ae6c692b932447933c2b0a0cec3677ebf8f4bd0330094870be

Download Submit
C:\Users\Admin\AppData\Local\Temp\PecAUEkY.bat

Filesize
4B

MD5
bc02cfeecff2c1dd30173915c2ce1638

SHA1
0779ce7c1bf3645f534201ffb57a06f40f502aea

SHA256
2b8a344f73e1b42641e16fcfa7b09d56deb11fbefbc82c8b9f38c852400f220f

SHA512
6f305fae805c3870f24a7e04cf4fcb36383de5358fb5ead1495b8b22f13ab90800acc811b3cc9f471ccb04c1e0c0ba8cf85b13327f63785a6416fee95273a9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PqAwQEMs.bat

Filesize
4B

MD5
1f22510b1187a04dbb6f6f70c6cb7a86

SHA1
c8aa1acf756dcbb849f38f63c4fe05c814f1e289

SHA256
39b19e119a5e078bc1d6dcbe3d8a82005e36479928ecca63ac936a754fc4f546

SHA512
3002769d20590d376c15de7cfb76a73d0dd42c831b1c2c8ad3c398dc5ad08b236b8039245fa3965afc1cf80ca979d666fe1431b3270a25b719e18d5e54293428

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIEi.exe

Filesize
242KB

MD5
6e81c47c043fd707caf890fe94e37495

SHA1
688370e94624aa6acbf6d82c1b086e6cc9dec500

SHA256
96893595a197abf5cd05b266a4e90a687a97eec5ee2043254c13fe69842e762f

SHA512
96afe6d53548b444b78ddbb000aed93c06f4db551d08ac37f17bad218316858cb65d43d877c67e48ffb6953c4f40f2055a735d71fa27dda15a265907bb4da4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIYM.exe

Filesize
203KB

MD5
e939d234a94429fbb86028a88ad91bfe

SHA1
4018d0746cd5e4b8d42db21033424488ec3c5041

SHA256
3b6228e88a0ddb3aef61566a8d68b3519ea620f0f6372aa391f2e88ae2c022e0

SHA512
009473381eb112ce879eef39db96643aa25c67aac9b4d48b72ff7008d93dbf73575179a2c5de5402de766d2ca6c59ac39beed265944c4d0a04fad1e5df326941

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIwkskwQ.bat

Filesize
4B

MD5
7a7d28b73ee954471b056b6f90fe7d6c

SHA1
16b716f4ae4c755045b1b39f0524fd50a1203428

SHA256
4e47fa9cccc8003093fc0ae27b6df2ac0dcbe61f72a955c09da58b766b60078c

SHA512
3591b0776b594ebe61cbf80ddfada58f7a5b7940a3dc4ef91d58e83b72ad2adbf5a78ca277e2ae8bb77bef3b6d9517ecee00bb57bc0449f69b67dc6869d406a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYUY.exe

Filesize
228KB

MD5
b28537bef0bab73b4ba69327154d77f9

SHA1
18a6c75a76d4386dfd575b550e9ab226e68c4f97

SHA256
44603d8f1d3da12336f527bb48b16362482f2a6e6a9afdf5d4e584ede3ec8908

SHA512
82d98714c455c19876c0f8931250615b24b98e4d4848ebf7ddd3af587dfe6f1634e8b891a7be79ff67110cfe4ad370b24a90da18124d95bb0027f8292e6570ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYgO.exe

Filesize
637KB

MD5
36c5cf66761189137604255354c2fd69

SHA1
2fd8006ae801f8f9bea3050833ce6784836d09a2

SHA256
bef5cad07a351ba18adf44d06e3813e7e1f773d4550ca1d36f86ef3bc5098eca

SHA512
8ecbf602affa2488c85ff25e2a04f87a6fca0f3362d2d9f5a27c0446fb1506fe5e9be2431dea6d9d9ca64b81e81e9de544d78b3d03f5f8be04411ba8f0f32aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\QasUwwcY.bat

Filesize
4B

MD5
caf9adacc00da42300c60cee4d55a44d

SHA1
a9f0d8541c9b2c5820c72878e2cd43e8ea17e9cf

SHA256
0baa1ddef9dc7b354a2f38d40292340fc3d93580f1f83012dff402c940ca355b

SHA512
5bedede889be2a4df7d50920ce46f86bda9ba0fbed53bc29fca639795a65372c3a4949af0e910b918ece5cac7570de9934d0e51b356aa91dbf322b67b2379d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcwI.exe

Filesize
198KB

MD5
86e564c19d00e8e2270957bc8952b3e7

SHA1
c8f33b8125aeff0134c08290eaca8fe057cb4182

SHA256
f113ad18e5d12cd7899ecf3ad15d89a0a3633044001e47b26ade34f99bc6f9e4

SHA512
b3e663c0547961636b44d8be35e071086d131903318975a7120fb386d406da70ba42ea6a0fadf97c9b9b5abda005990fe3705751902e0c56225832f33b9da632

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qkwq.exe

Filesize
245KB

MD5
79be40c39caaaa11befab4262fa5df38

SHA1
ed1bbaf919ab91372a48b0a77e84071b12fa632c

SHA256
961571b9c6e417300eef0f525a1b10a35bfffeef0f84ed0b33b255e9965dd86a

SHA512
a8aa5673308f7a58e0e164c985c694d75c6e29fcd72e63e75317a64ba12c44f7a7a0f1da98eb8e0c1941bdf7907026c5136b78f21c080bd45d65523915b62fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAgA.exe

Filesize
252KB

MD5
d8ee6adc853ab47c0e10ff93952cde13

SHA1
0e43bbbc3231598d5f2890f72869379f667837eb

SHA256
8d7dae8009e7599c7436b7faffcdf3af8daac3ba121bcddee236aee9df45e0c9

SHA512
c7ab409908b08f8b075b2c51eebe8e11b0e15d6e7585fd8d8a36b7da835663d4985b58b4ed991ee80b7f23573e6969a1a9db799613da6810008ded3578a201f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEQcIMsM.bat

Filesize
4B

MD5
7b32524b45d99ef3c1df1174d1dfef83

SHA1
628b9276179ad9f28cf8b769a3b7449046e42c66

SHA256
9567a8be939bf789ca01aab78841508e4c5310832f4abf5ed2f93d68ad4d5411

SHA512
89160eb47653e76433b9db550d4dd9ecd46c4e809a1dcee0c25cad2e80845f907803c2e1104714b0894b4cc2494f79cef43dd59591052c42a950ef221fc205a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIMcoIAs.bat

Filesize
4B

MD5
2cf816744aca214fcb280aeff72ea3c9

SHA1
11763e467887015c82b11b05bd5d3c274b6b6d3a

SHA256
d5577b53067bb80e9b2c1a49839097d6db099ce69e4a06bc869b6066cf1575c7

SHA512
b109218d5d3673527ad42a02ad831b0fd492480a6201e0a1ff098f249a3cc558b613311c33198c4513699fb68b2ccb72965d0fb7d8968d6cbf86220766a97730

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKQsYgUc.bat

Filesize
4B

MD5
cc35ad6878bda00af57d489d4a15f668

SHA1
e149b175244590679514b66c9a4f9b49b5820a88

SHA256
fbab541b9fe5f7a5149bb170c15ce6d65910134292876455aab6e3137b708000

SHA512
4574769d43eb1e4f4ac0b7e7b88b4382f95c5e55eba8b567fd3879e033acfa2ae1cb99d53c0c70eedb0c91addce6add0a5f6272291b907649890d7b385f4755f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQoy.exe

Filesize
184KB

MD5
56666e158645e6f10b6cfb345a3e823e

SHA1
7f603c1fcb1b1f02a1b272f4055352d6aff03616

SHA256
30d71ba1b624ef9bc12db2329bd86d209b3544d4bdfcd9d38b5708b15052a6c9

SHA512
bd2c5f8ef63bc9972f7172c7dec51c849ae13388be82fdf762ed86d9e7d53633d4423505fdc6040d9c90de0c46d52468ff4239583f9d4aca6ee26d7bd3d30014

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYUIsIUE.bat

Filesize
4B

MD5
6e3ad7aec4471700260e6d730cd409a0

SHA1
1cac007877cbbc061a27a41f89bb190c78b7093b

SHA256
8c99bf13b094eb8a530ea9c251f80b90a52c67ba67a123c8b87a278e0436ae6f

SHA512
a2abbf815d89063070065cc693294068f9180e1df29fb2d6df175f5ec3351ced3dec5c09ba01dca1b4e753e1805ceaf876da2d29d3513ca804a365f0e8caec6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYgQ.exe

Filesize
253KB

MD5
eac9d3c7adf6f9d4e155fc00505cdc38

SHA1
14b9e7f2710044ab0f1d230ded6ebb97ad2fce51

SHA256
adbde472d2ebc161010bcb99d5bcc4f0dc1a466d4b3cbacc8ee42d90a2926af6

SHA512
ddf824fa9c9d6262e6c2bcaba0421d5aa5ef216f8a92abb3ca12e10b2f5e0e0922c71b0575ef779810aae6e12144ff4eeb3fad2cab1e4c780db0ee75b6df8c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYoa.exe

Filesize
229KB

MD5
1c753f263605eb5e0e88e0aaf4fa4a21

SHA1
a88736a9bbd6ef6d419e0ef259b2c8597acb25e4

SHA256
8b2e5412d62cc18c46cdac83bbd8f62bdf68e1215314a17b90961d045c678f63

SHA512
fb110be5b3aced3dcebdb914cd76737b37c5d01749b13caf83500a8f5801be2e595139029267d15520dce2d17ec77c0e467bc84ed7f50d811fe2f457180c6d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScEIkgMI.bat

Filesize
4B

MD5
1c1c8e3f4e2e256b5bb9dfd33801390e

SHA1
25d67d02e4a6a2a629949a46f2b2335d813b0c7f

SHA256
eeb8b87aa07701c24116bbb01bae2e0e2ffd22353671197f5164cebee0854c14

SHA512
3e74919e892658c8db0efbb195b1664c4e029a5f2dfce684d9dedb228038c8a40c1f166a159909d582c85b92f744721540569bc56ca2abbabc57c12672d8062f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SosU.exe

Filesize
239KB

MD5
7aa4f5883dd2aa6e113d87fc85306167

SHA1
d1c76799816da7f3fbf9b86afbe188fa91106903

SHA256
7ee1f6b69355aac6073f5359015ce7085427937e448f29beaf41c8309c21a7ae

SHA512
da6d36110d1c578c697077062e75ad7ab14595e55e3d43d300f20719fc60c633db74cc14ecea714490854e8dbfe248cbd062e233d3c19bd52e736476f92ac8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\SuMcgoIY.bat

Filesize
4B

MD5
182bd953fec01eb856fcfb84b376faed

SHA1
8fb735224edffa7e67158a1d8008d858d0b09d93

SHA256
c2d703c17af3dfc1d36438568432fa7823dd202ea42cdc0b3ea8ecb8fa2fe642

SHA512
facc77425376b0f4b3422d45f19b0b35a377e5986da99f2aada08163284a7b1b7298d6fc4a70e2fdc8f9c81a16139b380982f61e0cafdcd0544a65696f75b4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwUw.exe

Filesize
242KB

MD5
0380d24b32b4165db7e1adbcdf6584de

SHA1
5fc2285750865fb89229f72b7b11e9eb07f75f91

SHA256
f30f399391a39e027dfd90d305bba113fc8c643a210891175fa579dafcd72e09

SHA512
843501f6c139d5d22abcef3ddb3e338b373f4bfa20df0687d8d8028eb6de7f4af6a011ca48c04e2001742f7f6801bb9b2915169253e710cb04d203adc061c74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TagAkkII.bat

Filesize
4B

MD5
8264b665ca838ff97824f7fcdf50bd7e

SHA1
fd587aa5f34b1829264067f7bbb0bba4a792ea96

SHA256
fa06941e8b6c0c5f4efcf9f5cb1df737548fe6f7bda2924aaf275eb023c8dc1c

SHA512
b23d0e70ae80649a002133bb019f1de608a03ab727b6971eb47d61eaeff47425e0d25c06295989a20b8ac90f082ede4d57be41c89232b350093423b0931a3de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAoE.exe

Filesize
1.7MB

MD5
d4ba10aba2a2ecd0d61f06aeb5c62b32

SHA1
94f3f8ec659e1a54d16dc7f156a3b5257c5f3b5e

SHA256
7ac74ea1b0784e2e2ddf90c56765b4cb03bbe7cf2c8bdd888f13109243b5f699

SHA512
b617caa14f7eca52d6d2c193ec02c3a4b19dcea7d619637b527df37c9ff093cb72cc5b44e616921edfbe9e56eb1230d8ca7d4d051e03c4f0a030a47ae32da581

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMUQ.exe

Filesize
232KB

MD5
b13bddb4232e845ef4c0f24a3939afa1

SHA1
3fcb2699dcc84dc21bac260880fc3027a0b5bc78

SHA256
86cbbfd808ef9648417d2c01f32344d7b87294baa27f54edd34a651422fac264

SHA512
98ccfa9f1b31df90b50230970b2eb83e30939b5f2ee79a6e4477dcd47640092611a22267aebc5b7a3c0dff4b2c6ae5f45fab4ab62435aed8331b11b8cff22f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQUsYQIE.bat

Filesize
4B

MD5
965a70ec8d4066ec206ab4083845c3e3

SHA1
3c484fa653411827e8a6eb740d712f2cc245dab9

SHA256
414ee5e124e20ffc187a32ef7e1612c9c5d51756660ae8c952bcdfb4e1f77fb8

SHA512
a8d37a0e7c47b85159325b4adfa1b873efc497239151ab94ba8c46d2d338b876f17db8d17b5ab70b26305549c77c46a1bfedbd50be890d5c43e762939f6db054

Download Submit
C:\Users\Admin\AppData\Local\Temp\USoAYMEw.bat

Filesize
4B

MD5
c6f216ea106935eb5bc2cda0e9fe44e8

SHA1
db2f4c005eb16a747efc31d7879530b505e161e2

SHA256
33236e13565b1f4de33c4b06b08e944521effc7ebb34889ab7f90848f2a18028

SHA512
e4b63f74f81a278a457590718915fae519a3a36458795e08d119c9f3b5139e99dc3368cad5b8051fe6bd6cfff88f539ece715846b2207d8c6545c642d13f665e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ucki.exe

Filesize
234KB

MD5
b5538b26cfd26f445c000c14d18562ff

SHA1
74197e0696a469d2e30d7c58ba77822b3092b7c5

SHA256
42a826699fdd0f02d73e2fb4e8691f30e5a4d12fe47feed061ea05a91c29dcf3

SHA512
e3cd736998361f25addd1b9415a93e098b740868dcf8241c5d1770767d5726a300096ffb222e08b9fb0cb89b41bc9cd77a0dc176b7e63287e1f0ed04b011812e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgQC.exe

Filesize
1.3MB

MD5
ccab0b3350282978298b6b0e50da27ab

SHA1
0f38aa58e36a52546d89b1959f2dee9cd44ac786

SHA256
a09defd1e7bc8fced4617d875a39d13229ff4c4733ef539c4a0edecf6ae44fbd

SHA512
e5cedf51cffd5da6a618c945888efbeb06e45a5115fa30fbbf4d56537147773a73e4fcdca1b14a1d1a865f4338a7452311cdd57d513c95b84b91f6deaf60029d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ugsm.exe

Filesize
941KB

MD5
56071191b4a1e84404ca47652480c8e9

SHA1
500bbf55f1a6d8516582ad94c795b4ec4cec0bf4

SHA256
6af4b15f5397da645f1f689f8072ab9e35c112f85367406c33c8cd222174f7fd

SHA512
c0a504a4364675d13d347a5d8adf04e59089303cba05e56f53538f9bc0fd3c7b69bc89024d57e7cbd96d97b31883f8162720b077cb0c6096b448ca52811250ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkwkYMEk.bat

Filesize
4B

MD5
e1f083345571ceb01a90630813cc6eda

SHA1
9a21206972d768caaac17f20b7c434912431514c

SHA256
3a572bf74301dd8b0eec1f1cb034b9352012ba774948bc7af877b8cfae8b8b66

SHA512
bc3af9b81956756d4f759bcdac645981c91d9338af8eb0aafd927d90e27f1bd0c6ce7d3b422cfff42b45a5a73cbdd8da22c080739964bff8479bc67e73310eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UuMIIAUY.bat

Filesize
4B

MD5
13b0f77586bcf072df1f47010f654af8

SHA1
5d6ee1916eee5c3bc44520d35f4f0d2a16b54d76

SHA256
ddce59984eceb6541a5494ab611a03b92146240e388a27b846ed59b9ee4b60b9

SHA512
66625ca9cf606ca3835d0d8b3614aff101b577134d53895a675a83b999a5a329585cbe965a9d058bbd26fca4955f1826aa80090a7e5ddacf367da95e41d08da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSQYIoQU.bat

Filesize
4B

MD5
78df61a9468994979122051332826c79

SHA1
24fafb40fb92c2f91d8ceb599646fd058427a7e8

SHA256
f33bef12940ede65f45756c2c523ad308722b4c4b0054062bd966730d0125090

SHA512
1998f188f2815c4777278d8576379a565625768f2ad66e5bc6cb6118637e294b8c24ad77edd3a056f9c374edbde169cd82b57ada57d57d9f1ceadb8feb1afb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Woww.exe

Filesize
1.2MB

MD5
2624c9fbaf9fa36e52aea9c6d0d8fd7f

SHA1
1e384c38af494d872bd8f48d13e7566b62dd6bc0

SHA256
42554e11d353e21b3d6ca825de60005a7e83d5ce361cf6d9cfd7025fa3b48472

SHA512
452aa8e1d61c94e9b2272f0436f0ee290901abc48e79402da3d10d2e5a585dc2e3f58742c8e226d03624aad3833d9fd9deb4641df251f0abfdb627f5b5376e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsoO.exe

Filesize
229KB

MD5
affd85552c3024efa4ce90fe362072b4

SHA1
00fa814e1168143d6451cb82c1dde64da439fbd1

SHA256
f107c2a8cf5f92b8aec0e90943cc5a7ede71832e25ef140d87006a54d77375fd

SHA512
21b6e2508b7994a413674826a20a3733a1ac4787617b707c399f3db8fad3859291bd8cba9dfab753b8d60108489d1998d86a988b1920e51693774229494f2a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\XOMYwwcE.bat

Filesize
4B

MD5
22cf91c34042c444ce4f2981b282efd2

SHA1
196ef62a5d12fac32877180e3596958484a56cdf

SHA256
67ad7c418ac1b9f85a0a21a071b0b62f219206832272a7b232e29e5dfece790f

SHA512
2303c267559873046d8582d04e45cd3443e9e70f641e26b64e7af77d073d17d7a33a7feb281f216edbe5d31ecf80026621903577acbe5a34c4fdac8f8943a4b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgEMgkAM.bat

Filesize
4B

MD5
df8da296ad3b49eebdb1b9ddf519d912

SHA1
1884018403cff7410caf4391cf5f51662950ee2c

SHA256
2b6feda4f60936c4ed6574fde4145e1a1f2d5d0b24b9536d21761adcaedee2b4

SHA512
94799c3dcf382ebfa0e592bc3a4a5e01bed96fab9808e31c4245e6a3843b57e12f4587032f9689e85fd67846c2ecf808db9bfe6a0b3429fa68194f921de2e6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkowIAcU.bat

Filesize
4B

MD5
91d03da6c4ba41579ec1020d4ca30097

SHA1
ab82bb97f5bfd0818861c4abc84752b8f592609d

SHA256
4bcb889d2c0e501365205568a820c7f46bf7b1c3e779722410b861a5e4ca91ca

SHA512
c0c74a974724b01b2a6ad1893e3dd18f2f26971bf54baec5e6f4f971cb29041243a33310470ab5e49da1fc55579c9c1dd969c5fd3061d4a643103a082c1b1c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUIW.exe

Filesize
234KB

MD5
21ad40ef077ce188e585a6feb385d753

SHA1
e5d8faabbba5ec9552efecbd470c33606af961bd

SHA256
d4b2eeb6d758f12cf5b50ce51d91adb8bd55f3723fd4d3cf85901b94f5bda63b

SHA512
673acd8eb16b5d4c15451949100531f407c6d9c73d87d828ad57d7b11d08b73a6a0ab6b4fa592bb4e0f685913a05e6fc2419d98fc3c0693b99b37cfdcfb0e8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycgs.exe

Filesize
192KB

MD5
c6efbb9021fc62dda8866c5a7ba6be5b

SHA1
559c6db47ab38fe42bdf41c6ef959c77350b9ecc

SHA256
a06091ba9e930b8e34079673883b0cf943bf58bf01428ab489a2a15ed7d04d51

SHA512
ee76357f60ae73b321950a056af9c7b96f492791fc5d912775c296ced6b775c754ed716c75d0dd00d3fa99a66ddbf7d0853714b92789199bcaf744da4a7d4517

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsAC.exe

Filesize
250KB

MD5
b78e38540ba176440c3619ee4138aaf1

SHA1
66677fcbcfb34f6f794ecd73569d6481150612c3

SHA256
d8368357355fb296fa1cf0ab3a4c05f78293243820be6034f718729538dd45e1

SHA512
ac4e1b49adb8e7b86eb0d794b53229eebf40b4471afafd573f85296604df1bf3030d0747bb2b5a0e13e6ea09440591d129eb67aded4d3f9b0ac3243f56ccb198

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwEU.exe

Filesize
236KB

MD5
0719a983434a9e675e3420d356896b26

SHA1
4ae6f05364b972bf4cb9ea0d51f18ec2bf5b52fc

SHA256
51eb34771123a5b91cd5930ddc18840569ae8c24a0f5a86537e7ab697f6999db

SHA512
ecadda2e6bd3914b3fa76003f1105d970c7785c1a278b8fbd66b03ec9fa99e59cc5aeaac1b22d5fcff8ea327f1643d706bbf38f7aae1ffabb09187fd2bfcef81

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUsMEgY.bat

Filesize
4B

MD5
a2b9f22d6afade5f03932bf18282c55d

SHA1
7988410e85c43769920939080a3a647e61b1644f

SHA256
85ba7c456a3c6c60d06ef7e4d06b32aea65edd79471e4dc9a64ead97f8c71e97

SHA512
7e6418c17d235bf5ce324d9a97db79cac17a9ea674587634d2198b167e43658856e5e46c4ad1b0bf54dc739fe0e74bcd9256415604a1422ca1a71630af7a1806

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAQMwUMA.bat

Filesize
4B

MD5
b1ce3cc75dd32a9f8b825e8865a7d60b

SHA1
221246f436fd4366cd899331f25857dbf8011561

SHA256
5694cea461f16e3413e1e45e66fff09d7815054605cbca36301aec22c32095a4

SHA512
43bfb789af3af698dc68169139d66f739b809f43baec9d8eb9e4c3fef49bf25aa843b260509ed21f14ada13433cdb234c0c364a2b9ff204b29a80df7e76bf824

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMQswYcQ.bat

Filesize
4B

MD5
8020ce8a7f9d919875e145f11e7db577

SHA1
8e6f543051c9a84f7b0bd3512a6f51f8421fd093

SHA256
142906fde12560568ad72d76c9a4d85122f020cbaa81b604b23e9c9e0f69582c

SHA512
fc1264572422fe0aac4509234114b13f884ffe14977379004a8adcd729c8218a808869f6518554dc1649aef31a11973cae9a6a40149545ebe3292c219bbf18df

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkoYAQUw.bat

Filesize
4B

MD5
7d21063a12dae3dc0b470a62c4ef52cc

SHA1
1257acb5e98c8d0bb5bb8fc5ca364c341df08045

SHA256
586014d6ecfd8b3b32ff3a6bdca4680af380e8d67d14d27efd7c6ec40cf6988c

SHA512
7ea9a5b422c2dd79ac45c814ac93b13e6ed6c37ad91fbffbd6a2489bf7e8d1b2dc735575e3ddac1dcddb14d76720f28c26a9fafec2f93b96cf93793eef6b07cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZuwcgoIU.bat

Filesize
4B

MD5
45e37f29f47d07d2bac67d741372004f

SHA1
fd372127a2ea8e0ae2384e013ea418880e9ed3bf

SHA256
9e912e3a19e67d3805d101e52b92c183248a121a3f8088a2eade0dba701d68e8

SHA512
2a890c95cfc69028a08cb23ebb9f07f1764bc78e2b660ad6a288e84f1f20f8de758dfd8b7c4ceada85ea29ec5b22cb3e00de9eadb5377ccaaa3bdcb60d0f3d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAUm.exe

Filesize
237KB

MD5
97a11e96db906758ccab28b13cab2728

SHA1
5658030f7814f54f0c75733c37a904929f6a9757

SHA256
c09e72ec4cc60a0e7cfe40211bb17e2ea0ae91f4eeef1366b3c57c5cf2884720

SHA512
999edfaf6bef7442b55368e76f70d3b025cd0654e9d2abd4c44675ecdd4ce16d2f2768e2123891a2b9faaafe21f14596d94d1a7f15ee442c64ad6f635b7e71cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\aWgkQIwI.bat

Filesize
4B

MD5
71864b119dfcc178a14fa41efc1d6698

SHA1
849c1de2dfbe83ce483a85d286504c62df46b3a6

SHA256
1ab97c713154164129355f09179deedd658752586cd0f4a49084b884120e78eb

SHA512
6f4daacaa11aba13d5ef3e330d3cfa181d7eff8e8262ee6d5a0ab0a79a63ffd56a2114178e7edf4f0ffee933867162e8ff422d6ae64fad2d91710bf070ae72ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\agII.exe

Filesize
1.8MB

MD5
9625d7b2b3bea848de302c9bb60748b1

SHA1
a758f15a8a54983988e051de4cd6a5bdd56e2a2c

SHA256
3e23052ac2ad49c74aa2e4419afdc9700cf65accf395607b750125a31e9e05e1

SHA512
30507e1202c27bfe199644469df12cef1d9264c7e96daaf4727bff96419f7000134d60ddce51a00a05b2d96ac495a0169efb69cd75a175cf1ef8d77199044b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\akskgEEQ.bat

Filesize
4B

MD5
ce857c724e071cabe7620444e5560d7d

SHA1
b5defb003dac9bccbfb26d5b2aeda1318847d301

SHA256
618d8413826667fa91b229c11a010c7ae735bc6adfe2178c63f23f5afbcc3bc9

SHA512
7478b425687879f1e7e8d9f059c7f3cfdc8be7f7bdeff15f08b051dc7d97b9f13dd5a6fa4b579830108966775875c4778cfe813bd7aef8c05242d71651f245f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAs.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\aosAgoME.bat

Filesize
4B

MD5
1ab15736419b7b916b0e99f84f883706

SHA1
88b809f1a63d4817494fb81339cd0509457ef79e

SHA256
60c8fdea9a0f881a58d050065d8b9ce2e7a01032cee115cb162a1a54438cf3f7

SHA512
8d2f2ccbbeae21891208f48515930f208e3b9b492a42fb38aabb3742a313674b183519c87d595cc35350623e94a7a2db7aa60b133f7080896d0c706a8c89bde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\asQEocwQ.bat

Filesize
4B

MD5
1da60225b936e5967d0d87cda8eaf645

SHA1
ab3daa29b898bc63493332e9a5dbb5a7786a9bcc

SHA256
89cf299368d47e126da58493a488338f768a560047abd1d72bffbcaed7b0f0d4

SHA512
1cfdde364e1aa6fb20cc836a22fb428aab6097b34ba4fd238e3f1e030ec02ebdc545e75ed4fd5e1976292a3cc80fca81ecbc5a71ca2caa985bacb8c59c5b8795

Download Submit
C:\Users\Admin\AppData\Local\Temp\awAcMwEw.bat

Filesize
4B

MD5
6da2742fa6fc1516b4283b543a6001b1

SHA1
6dc6ac64edb6a2946b3093d017eb1e611f6feb8e

SHA256
d2b4a874fa1d57f48fb878fbc341701fd9690e07778502af2939515c3e4205ff

SHA512
26a395c4d4585adb84349cf268c041f29a8a019e4d79da34758e8b8a59177e0ee091eac78458209468d9e5d83ef57ac16c3aef3ac08abc9581b58ec91fcef10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEMwwoQM.bat

Filesize
4B

MD5
fa6aa0ae611c15ee87ae390f2a35899f

SHA1
c119797fcb6773bf368a1528ae62936b22c9c2ae

SHA256
2dadb560f2e62305d777254f9409d84b9276d843d0d73e72a941ca5230df0360

SHA512
e23081097db8043a1353aaa535c16d920ca55760e479a97087bb1e870c885c731a66804a8e49929fc070e6e033f35c3d0cf9d57cb7db032b2b0dcd02aeb24a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEYgAsQY.bat

Filesize
4B

MD5
c6a3f79a9013248241d68fae91e6401a

SHA1
2dd860acc7c2db12bf5cb338a10ac23d9b963d33

SHA256
f42acd41a1cbce28a2f1b7dfee809545698ae390863575d192dc87d4abb908e2

SHA512
56002042e5c4e5a40d2aa81b54993794edc7f451882570b102e599fd8ae1b7630220e7ee43441534e00c5d3d507acd972319fbd4ede881f04b60941a5d048d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\biAYkwYk.bat

Filesize
4B

MD5
b2bf8e660960ab59660fef6d5db888a4

SHA1
08c3b08003b1521b22d20bd0a64bb9924c066572

SHA256
3fb19a73b727bbd4c40bc6358b4f70ede5f86587c1234f3cbef96bd53f12f2e9

SHA512
b814f91b508444d501d616b8438dee4ff0f153c4e42abe47b46e7c238f90e9fb450e62d1973b57001aad33323860b53a81916215f15d9e3b271ce4f32a8da6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmYIsQAc.bat

Filesize
4B

MD5
3f9f2cd90a85113a7cfa25803d6681dc

SHA1
39e8a7153de3665525f12865a0f9c0d6bef926c0

SHA256
ecbbbef193b23f1d1b541fdfdb44432e2514e1c11d3fd7a0e3ac7cff1876933c

SHA512
e4a129452050e9c45ca41d97c384dca436042d003bbdb9dbc08bd387b67a43dc11dc71816e5badf2a4cfdb4f43042fc19cb36fec3dfae8e8cb65a5acf18fe39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQUo.exe

Filesize
799KB

MD5
8d02f960674f8c9bbb20da97f7ed89a0

SHA1
de3e3d3553e147a9d0822d9252c34a9dcaf79623

SHA256
2f0f4271086944d71360ddc52dc414b4e4455b530b3207e635b8cb2c4dc65ff5

SHA512
5032f81e38c4e1d245c9674eaecfa1b48ca3d4800ffd475fd7573abac1d6fd552caae60c5313e03c29ea49b45f6a3f92ccf297bebed7aa18b36e1f6da7b06b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgwgEEEk.bat

Filesize
4B

MD5
96b2f557fb2287c25bc9342893cd88ea

SHA1
02390dfa4e44d0e815e179d1fecea5ae333cac7a

SHA256
22d6dddaf02c0042badf81f15755a83622008c94dbb2b5da598daa2b76417aa6

SHA512
f35fcc1526e127f7b6862a38fbdf90fb7e6000ad92b272ad07d39a816c2c967fed8f12f8c39cccb07281e258db19a276c1a2fe5e587d055992f64d7b27016600

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckYK.exe

Filesize
231KB

MD5
11be546bc8145ad38046ce208b1a6ee4

SHA1
6b34e0ced7df6d484d4c4425abc1817e57ffd86d

SHA256
78719aaaa4a5f50f4f4a7f1d9b8563d11abedc0b0bb2f4bff5ede7b4e136f2a8

SHA512
87ee27952e2457091b0c5716a7ab6bba07734b2091adfe4ea02a4019243df9d5196ea3f300146a81f82f5557f7fb6bbd5e2fece0704ebb03f65b0992dfea44ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmAscgow.bat

Filesize
4B

MD5
9c31a153b061c1653dae2c6985859e83

SHA1
1d2c145363f4828457d398090328d1ac74b435e6

SHA256
468dd75266b76597a7f06bdce09acbdd2fc025a388d3ded5a790e4442927513c

SHA512
e0b95619707208e5aa8e6378da6ce894aa81bfb80a563070f671b57820a69730e7428ebfdd748c72945b06e8bb18211f4cb12238a3f80f83e168bdb240d36450

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEgQ.exe

Filesize
249KB

MD5
b06f53efa39d19b9e0833c37c34c6478

SHA1
d68eb76ef225f272df3e8d3080ced96cd18c32c5

SHA256
6cd7c5e87162120e2b69d7b98c6b070d343729eb4b28a999635d67289afd4d5e

SHA512
3c7b20fc9e2c55b72d5fae4e09eeb8e0e879354a4c9ae22205999e2c28248d6020df2f8385d7cf52f8a14d56e98511bbb1370e71cf8043b1b25b3204b856f738

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecYs.exe

Filesize
233KB

MD5
a9faf75f273351e0995a7446b8e06672

SHA1
aea23700e50694f6a04a91a0e1fda6c998f37dc3

SHA256
46d7e187e0b32072c1efcc4f984525d4d2f405d6d618adf5f655777195739e96

SHA512
a975c419cde3de1a39688c852f761eb49603d4bb32f62aa44a8f0945c2c9304e932b276b26e95cc224aa37a17d02031695ee4adcd89893d674f2afca32ecf18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eocoEsYw.bat

Filesize
4B

MD5
3e87c5813eb840b7e0c5792479a48f05

SHA1
b3776e9bb8d6258399240382f6adfd144a82028f

SHA256
1619c987249a164e29f64759c6efa55b7df02d22c8b54d20cc10394a962021e9

SHA512
b174453015c31de776a4a98c78d2cfb6d21cef4e47c7d2ddd0d9189bbc232672d687b09be6a2effe8786e6d377c6150f797bfcf8e0ec6a87af42d008a19e9c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoou.exe

Filesize
8.2MB

MD5
ef2572823b7f5acd2d62581077b99f96

SHA1
d0b91fa54a80fa253783e47e8f502cac156e7c03

SHA256
c4bb3a791fa65f2d621b4629d55c100e4fc9233ecb526ba1064a2e0bf4dc71ef

SHA512
859a96a33c4ab2e803600839f41dae0b5c43a26e90a7dae8ed81c0241faf3612de29c89dc4beacdab5f80fdf21976d5aa5ccd18086ef243b4b55c96d1cf80d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\esgIsMMk.bat

Filesize
4B

MD5
0b6da20a16a495c5bb1d137654273bca

SHA1
8c744103e34c93d26656982a674e2aa6b2e5307a

SHA256
101dc3dc3adedfe7fabc2ea56300bf092f3fc3c820402b0b5651153ce77ada98

SHA512
f2968d07e6982561e704f6d9aaea53a74816bebb538763cdd86d26fb2d163d05006ad3f1a34b0772f7f539ace546bd5c4268e20ce9c9d65614e5daa29b03462e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewQE.exe

Filesize
697KB

MD5
1078444147f873fd2dfe47d66988de98

SHA1
8b8e556758beccb21931ce71d06af87e6210d2b1

SHA256
8e79805c6422540bfb78c1a4c9ba01ecd59abde297b656047c7c87e82d858300

SHA512
e7186fd5e81f1b41b2e700dada85b206df46391fa1f2d337f5ca8d2857a1a0e8a4c3cae46e12f89dd78551eebcfed45dd539213a2dc024bbd945fdfbabb491fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqYkIQwU.bat

Filesize
4B

MD5
4e324b606c673fea924355bd3e74620c

SHA1
05fd339684a0ef8fd655b52531f00b0b8c0f74f9

SHA256
8f08653d7e2a72351bdba48da95fb1838077805cb508287d53d05d426e9a45e9

SHA512
18bc3d402291988c015959662f97865710fd9b23d0ea5b8c8ae5ec96e526dab0967f127c41150daf4e58188707604e3319398f0c63696c8af5b505eeb0cf1d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUEW.exe

Filesize
741KB

MD5
6c92a4f9618506f21096a16a7db36fd8

SHA1
7397f27086146a9021b55a1c0c913d6dfd99bf9e

SHA256
83106cade23669e4e0f332a8fb20cd20dec838a921a778d426b570370a9fcf04

SHA512
2f71086b0d7ac5eaf80e332b03dfa7eddf4066e6e2c0b0939aea13d91f4514fcffad5a1183b7e8cfc5989d56792b749a37671294c027a5af6884670ac2e75b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYoE.exe

Filesize
1.2MB

MD5
50cec8d4e67dbc4d7f7554392590fa32

SHA1
f5c6f04e503fb751bd53683c3b9992bea69093a5

SHA256
f54dcd5eac769c98d401866eb97acb7d4b45216d65aac939b5e3759e5eed8a7a

SHA512
bd8153fb847f170a98559b21ae997a5ffaad39d3f2d4a1edc93535ba4a930210b34bcc2d4ee99a6a65f1d5db8179c17830d4014927fb32e2d4200b4ff80607cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggoy.exe

Filesize
231KB

MD5
77deae6ad7b9cbfc5b3bea2ca79b525d

SHA1
830544468b1532f93749a349f629c9edad46e574

SHA256
238621a39a7e460fa9cac2a202a2eb6563d986d56b22e6b7cf62ea1630e1a4fe

SHA512
573083283e4622311fcd7326b3e0a2701fa0942341706f81c1363632694e11eb0bc30dad3a2704b1c592bd246dcc0ad00d5ce2bdd06e867943ee81365298169e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkcI.exe

Filesize
189KB

MD5
d734d337ea02708f417e619f1c177e2a

SHA1
6b531954e445a1588cfb836068e8ba9873750cd3

SHA256
132cda7e404cfee0be217d0bf216b3847e89248e2fb256aa5a454e13801afcd4

SHA512
d8831f5bd4f3ac1c175836d24361b32b8c73ffd6b75ed3964eb4624cad4b2c42be8ab959723331f92ade584b795b7f672d576b3e9120237759cbf12a71f2c4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkcm.exe

Filesize
647KB

MD5
2e8a9899da9470859dbe13bd10448044

SHA1
eb9b22bd073b57363c0d03502274ac8a68fa8f9b

SHA256
50c12e71573d1cf3e248876b57ed24f33fecc618e3eb1ec5e2003616edfa4221

SHA512
1bf396dc0c5a98d2c07445557afa74ab7156981db0d975d985fd214a3917ad1d68b35e8c0441decab8844dc8c74a5a020e80950b21991ba959f0d3c85e90d3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmEcMMMo.bat

Filesize
4B

MD5
66ee4cb8ca2d20142d6a5a846c415399

SHA1
d5d3111d19840e9438a735575d2382bee654d360

SHA256
afba9a3f63d0f957f481f2c47cb5e4312071c163a204d207144e0d068898c0f9

SHA512
4ed3f47e683e2a4656ddceae954b49859cd22aa7ceb462c9f5967bbc3ad1205ccdfc4e73f4c1515f3fe65eccb0f4316631ecc43e10eb551f4d01593925af9a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsQA.exe

Filesize
233KB

MD5
fc20b95f72f9e4d2e9773888adf1d756

SHA1
bd86d7413e123233cbd042fcb5fcade25b2b2975

SHA256
d2fdbe0a1561fc435610648263e10aaf721f7754c7db7310ab9d4390cde598ff

SHA512
ea4eb6d74ebfc8387130203b64d6a97a9d57bc5c95015df0dfef24a09944395b24a34a68d7dd4175c6a4ba15d7f184cfd635be9d970e1efc19d8b00dea0172ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\gscC.exe

Filesize
220KB

MD5
720601e8725e1861e3386f7547a8de84

SHA1
01ee4d98266d8bf90220341e675bbfbb99b72af4

SHA256
e1d893eceac4d6ccd23f1ce4257468c488bceb95bf331ca3eb6428e09859b36a

SHA512
81794af6ef694b389add2dd87b29bd2fdeffea386b36977d41202f66fdbc9ad590b521b2d17a577de9ed105a174bc56e9a656f6eee17d733ba8f79f47c216ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQogocMs.bat

Filesize
4B

MD5
f9c31b84b63fa27aa4eb5dca4622ed92

SHA1
c257ed12e331bdec208a25afd1d73ced02d55ec8

SHA256
c3216df3acf29dd80cf325371bdcb102c079de2efcd8861eaee6145017bb1dc3

SHA512
6c3180b6cc08e52abebe0905e10582ff98793e7af23e17d2631f20daae9be467df1c3ba3c3a3b2aadeef72afcf444849e0674d02851643532843862aeb755a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgQMcYgI.bat

Filesize
4B

MD5
039c37ef8c5441efc39acfe980a1230c

SHA1
618f0f6bfbe0015cdff1ff5f50d3212a78553613

SHA256
93207730c59b0238de7c12ee210ac433b33d403add52f90fb8f5bdf53b6f696e

SHA512
2830321dd98553351cba405188a4700a4dde69a13b79dd71be1165adb32cfbe51b7f564064ba3469cdc814e909db21c8e88a053d23ab7fbf863a5469cc93ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEoK.exe

Filesize
238KB

MD5
cb9c94d1bbb5c7610e36947edbe6b6fd

SHA1
a62c840c065e8da2266175f73f39ea0af849ea52

SHA256
7e48d5fe590231940076122f2f5fa133fa60e2b36c12391d155ab8707589fad1

SHA512
a8ef6a1a93accebee82caca9dbe802474b2927ab36172c779cbbe2171e4c70089d6c481bdc349669cfbd680f1e1b78efd5df258a7b387f4952586f1d886b23d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQES.exe

Filesize
236KB

MD5
730c78cda21d3eab7d567f659faa93a2

SHA1
6635e7c88eea93a9c60015c433f085d9571eb0f1

SHA256
775264f98e749438de7aef134d2f2e39f6cb32322f63b8716a471409e92f4aa4

SHA512
5364b7e3a3237673548060a9d4b2432ed2e4af4c76e3f51dbd36399242e5bdcd168e8999f28443d955ac05e11bbe3fd888a971289b5bc577eeaa8dd8b78ed708

Download Submit
C:\Users\Admin\AppData\Local\Temp\icMm.exe

Filesize
234KB

MD5
6249edebce9d0da69b98796e29ca7afa

SHA1
c35677f06af01f2bde95d91019f2918b2cc9b158

SHA256
8d9921d6d8b5a8c8cfe552bf630efaea854600e2fb2411d2f2fc9da28bcae449

SHA512
3fbb47a7a05f6301ee375f22ecb068971e744a5391330ea2bfa31d8a02b8b8c0249cf27024328acd10a900558aaaa346427fe072fdfb08e248904ac25fc95e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\icsU.exe

Filesize
247KB

MD5
eb1b5a07efbad2b023e6508c2442fe24

SHA1
589f19af81beaa8be12bd50110558a5da36b7316

SHA256
a6a93a046b1727b25caf52bef2929fcea48e219f2a36684a613de8c40f027f72

SHA512
bff4d420aa2080d4e13a7842f5e458cdce35a70055a983fd34b5a9b051093c04536af638c94e45b698caeff1991785b84f129b64077d782d02b77a7fdde90beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikYK.exe

Filesize
204KB

MD5
71f935447f0161c0bf5676b763ff3e13

SHA1
9d1b332aa9003db9d1ad3db6d6665b869728dbba

SHA256
4609321fe85b6a9c242e43c071f13680d4f18e481004c5b44ff52776a2253712

SHA512
e1737925dca8a6ed054f6e56d29eb4d15b0a819babd5f8245218259d99a2fde46e2dcd1903307589780c307dc476136bf8b135d57555f55eb80176f9ca70a644

Download Submit
C:\Users\Admin\AppData\Local\Temp\isMgsEoU.bat

Filesize
4B

MD5
dc44b870801cb593f28e88c8a49db03c

SHA1
1468f4f11261b5e58704e3aed62d6f51959f76bc

SHA256
55a700bc515f8f7f0079a187e9db718f8e7312b35b42aa37aac1b3e569a91654

SHA512
ba1aa1b05e1e0c8fbf7ac783c4d0bdc6502e84d4fdff3e6612f69e932f98a9606ff8da2d8b680dc5ad387fd330d7ed622d55ac82e119873f7171014f0a2f0ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jOIIswoU.bat

Filesize
4B

MD5
9ccec0e2b0eb3d2d9284ad8487cb0a61

SHA1
288deba9b75c34e9a62d94379059cb77c265141b

SHA256
79b307f5031c08ca6f8d7affbdd3d83b388dc5fb29cca4254c1af2c8d1de9b8d

SHA512
2fc5193213c63fcf24d68b4756a697478045959285187ab6ad62ebea0542097748b02b40089e5ecdef5c30f3b289f288f5b4f3ccbca74276688f0e84542532f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmYgsUYU.bat

Filesize
4B

MD5
1d7b97290cfa69e16f2a5e5f6e1c106e

SHA1
81c33fa065846e3f848e0f78b35e9001a52ffc61

SHA256
a1084fb9eb9e7046a4c07b4f009c72a76bd33e2f9b96d611a8eb582ca046fa7c

SHA512
ebdcf7456016f050475c467c5a4658cc3576b567c6bc0e219b3d82ca681fb824bbc25a1b807716b3d4d1f413947dab40880754e03072645106049c21cfbe131c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jycAYIkY.bat

Filesize
4B

MD5
7ee1c0a6ce0811be8d276dddb9a2c69b

SHA1
f0595303083a7cec06ffbe71fb7fa76076f3c12d

SHA256
3930c2d1a3c206971cfd3305eb55c7da83a677bfcfbc4bfb373a3b990806c5c7

SHA512
94887424840c9838b3bf0053e503edad6600473062fadb0fd1d086d9902af4d7bf0d2519908a34711e287293adaeb2a89f037b6ca409c6cb43d62fbca661128b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAQK.exe

Filesize
513KB

MD5
0e655e1ddd57a6c3dff70c1296fea973

SHA1
326e05ed943161d79c8e11cf03eaa43b4a0aa8be

SHA256
8bb2bd9860b3c3e4bcb8eeac96ffb8cf350a2389ac41923590081103df896e04

SHA512
c0b03ae631a9a2ff33ded151480ced68dfb53bc740cf013ad60d919d501775b309682d9ea7fc6be1d3366ba33b11f7761cd0452933018a4ab039256d8feceab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEUA.exe

Filesize
836KB

MD5
6c2a843d7cab1d5e08854b2338061cb7

SHA1
0824a7905d96ff4041c54516e40092a885baa39a

SHA256
f0718c319cdbe43d883aa1465b05cda757752b0411fbdaa6f53694715aaaa9af

SHA512
034ef9ca5873d2573f196d3267f9cedab3680634ad14777ff7fbff287c3a202c0ded248c3dcf075266c1d9bd8174838afff3f471c5ac9ff0066bdd4f0a610de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIIq.exe

Filesize
241KB

MD5
21d6bdc349290c3fd23630a6239a654b

SHA1
13ebc79cc149e5465f5749c697e80f45bee24854

SHA256
40165646cca487e747b55abc02e1d04588a7c076864e7a45926fa3c23852e25a

SHA512
e00b52958f33e91d9fe1f1ad2b3fed29ee416c1af1f40db4c1c983a7d2865334a82b3feadcdc2c300869884335fd5b96850c4cc959679998c87725cff2bff93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOoYUgcI.bat

Filesize
4B

MD5
cdc065d149fccfa4248daab53c296cb2

SHA1
dd13436287400e48075ad9b8756d70984cc72388

SHA256
964a618450d7dbc6b7eb0d4e86785c8b8efd76db7504e2935fb85d20d66e39a7

SHA512
ae09d779dd777a12d014c6a58274a98b1b64b5d2e90e64894e1a3444a883182c1c3ade9309d570e900f66dff4c40372e83141958c4668ebf1162082de0e708bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQQY.exe

Filesize
242KB

MD5
9c3385a2f323f32d37b3601f4d956925

SHA1
da404d001548fd293e1028312edd490799958e0f

SHA256
3aaec71a602a4f4d93844f384b4e4f5a230ad044857fffe071ce1ed4b7a623e2

SHA512
b4b8a3d5263ca2e1e576ddead5c4c8a28fc8919a560e49d7d2e1699469d359feacae0e9b090421bc0b3af6781b7e7462a35ce25d5ce23a0a8847416e6e150b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQUi.exe

Filesize
230KB

MD5
b5d52411bb926a38cc75079ba177ee67

SHA1
42a870f004540fd1bd0af7061b1ec17e79c751b5

SHA256
1ee791f3a0999c04593fbe77589ed33a16814de3cd304a7497d1affb485ff291

SHA512
47a31fe74e9b4e0f74cedcae6c8a5095b70e3639283d0068692d8788c03015597c1ae47ab7f412342c1da1e663dc600f6dbd2788005f6c00a1d7971003465216

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcAMUgsc.bat

Filesize
4B

MD5
659fe032e49874f022a1865b47bbdd9b

SHA1
408adcf1cab32155d0c4381cc881462c8a88363a

SHA256
1206608424f129aa6fc9ecf1d44e144ce5a5ee4498918bc0e26fdb629a395115

SHA512
84baa0edbf523cbc8c95e4a3c6ae7a060a924c8815567319de504168b6f8960b317cef7000b87dd82a797919fb1260dc4006209b7808d73f76f43b4ef4764a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkEa.exe

Filesize
199KB

MD5
b68d5f1341097a9a9b2fa76137820957

SHA1
c53aea5e6b17c31380991d4b8c4be5a7c9462d33

SHA256
d8c814c6632a4934aa2ca5f19fab5460c98b63bf1e3ab4901b6ace7e9cedab39

SHA512
68523ff023459ae1a7333a988d43a3f4b0897d1a1419e4bf8199f3aecd8ae40d2368af0d84759d9cb7c42d8891725494561ec0e7423740646333f3008e3ae236

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkYA.exe

Filesize
227KB

MD5
e7c7b5a7f4c4d62e8dbc82553d6b2dc0

SHA1
7ae598dfc4671b5f7aee51044a4472fe80f9aab3

SHA256
d0b3bd447323071914894c3d28f9db3796edaac526b4226d7ce975a04d6c2138

SHA512
94777ad6209e9ac4458daac956f61be62b7527c035ff93b0a58f6cb68b54b3ab8df9dbffa0c0783536784b49ec91bac63110d2b1b0065e76dece874b84cc9519

Download Submit
C:\Users\Admin\AppData\Local\Temp\koIS.exe

Filesize
921KB

MD5
5866495e092d5c9e31e99098e9e9bb4d

SHA1
13292f08ce41cb436d1d56f1ffb60b10481e8013

SHA256
81fc64494bd31e28243aedc0fa7d64c061e40d7491989fe6ed36799a3550969d

SHA512
3a9bc9106715047773353a67b4c5b1d76e500cf7c61e91ba56c63a8c158ea7d61bf569322f92163ee3fc9e9f29998394f079ea2ff28d038c2cf50ef51f570ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksEwEoAo.bat

Filesize
4B

MD5
a2c1e125fb44d83253e63b1b9eb220e8

SHA1
8b667d7a5ce703ea18d61824685c6861478ddeb3

SHA256
9eed813a89770c53c5d1d9b34f524d114701cca8bfd40c9619da0f5d23ad42fe

SHA512
0581c03b4130193478bce478e2903b3cf446dd909c4cf4b1c2254964fa35d994d7b0cad0ddb6e97d22dd8a155968b24e35980a1a2aa81009a7475f8e1ae8ed8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksUUkYco.bat

Filesize
4B

MD5
638e3e6ce08ad9009954be7091480bfa

SHA1
38b611db064f7f5f50fed256e973a4070e7a5ed7

SHA256
8ec7b40e3bddd87f2115bf920e3966e967c7f5baa21be00d59c6164ba45cd8fd

SHA512
fc30e7c243e131824d0173606e15200d0003422155923457fecc04cba8ac1b84f1d76c5d3a45866e691e899745c30100c81064c61cde2de36107d04120fc533d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwEG.exe

Filesize
237KB

MD5
7a4aa04d8fe008c95b81b8cf40e7f192

SHA1
e95da3fa1daa646cf1a88495c45541c9e63fd581

SHA256
74fc1244b759551f7603c289841cc37ac076eff827bc21dde4160585db2e5dd8

SHA512
78ffc7291030359844899783e125afa40c244a4aa20ba9864413505ff86f0b3b0dff1e045da5accf50143e5d14304f735166fba2f4327c26dc152a3a95834f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lKocEIgI.bat

Filesize
4B

MD5
a0d42e07dc7cf5a18d6eca08e5ba8e42

SHA1
64b36dff87c0621fce95ade4df9fc3227f5091fb

SHA256
c46c212bc9bd377cd13133cd86e7d8ed3b25ebab02b3aae5ae30f80612ddf04b

SHA512
75c65221e4aa45ff7deca09e29738ad32e8dc9538972d2622e47f9af6dffb7f2bdd19511fc1350f36cde21e179fb3f8b2eb8cc43f365b6928b2e6473534ac462

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUosQkYE.bat

Filesize
4B

MD5
f9ce1b093a7667eaeaf996eb0762b223

SHA1
21db5f1a577530d26d83d257883c39569dc698d6

SHA256
3fcc7916e205932c1160012114e117ae6b983f766739a9e0e4c18dd1e1416010

SHA512
36b0fdd8410b66e624686598d79be4bac028fcaf9a395a9bc2748e869434f9c1227afc809c59bb7dd70b7fa82a4e89d20b0055b85693a8ccc5fb541b5e14b6f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lesgQgoM.bat

Filesize
4B

MD5
f5e6362436bb5890e293bb233080cf71

SHA1
bf59e203d06f364aa35f62aaf67c2ab68b29cbb5

SHA256
813edebb362f5c44ef90c7cdac12939fd6e76930cb7b2e1ec87c10034cf8eb00

SHA512
214c82b5f9ef2bbbf2dd081eecfcaabae4a782ea3c48a824d8f6564f19fc1e7135692edf813c9e1860a2dace72e4c554177a5cc4939e963f85b7be66184236ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgUQscoE.bat

Filesize
4B

MD5
d18ad7ba0fe14d531eea49a655cb574d

SHA1
ceefbff35425e3b6ffb7095acfe21d525b545c27

SHA256
d39da622a669674d611e7a8a49b559f1e4130b6dd754a09d2b8c4e8f1809e2b8

SHA512
f61265b3a71c8313872e4a4172f4d48e9e3964d833923d0202c8958362e8f1b14b3514b451dbff69d85b60be400607dc23f2441ad9c2c717ecd35cca9dc06a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\lksYgAYw.bat

Filesize
4B

MD5
5b5dd5ebf296c88200e29b08494ece02

SHA1
391fe0e2cc9254a829e62f96f351173a048a3c94

SHA256
d95f11f6789db4da8cb8b60244a085d5ace15206ab507c86b994f8e665dfe8c0

SHA512
f35768b63692f87db53a4cda503b9480b0c088f7a86ec5bd4d3897a3abefb9c490fa1637febe1ea6662913736d7f677980078075e820fff50f02c01589201d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\luwgkooA.bat

Filesize
4B

MD5
9a77c8ec30ae8eaecca1acdb482f828b

SHA1
e60707a26a875e5f750b9b48978c42373f19f205

SHA256
5bec554abf96fd96bcbad97ce8ceb943fb5ad8aa953546c3df1d651b18d93bc0

SHA512
7fa3b1204620083d6083d085f14d4b3db99c2ebfc15849058618f6104ad71618b9d49058aecf45b08b7abae6b217c47812fcc6bbace9950aa9ef4eb26d91f032

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAUA.exe

Filesize
217KB

MD5
5dc5742861325ebd983305f5bb220740

SHA1
fc786fde7d8ea7cd704015ed802af2cd1c30917d

SHA256
35658d9fcfc8f57b287bcdec8df0cd6ac8ffa3d505783bbe2f3137e1db89e7fc

SHA512
8eca75191e7dec4a14795f0477aa5c93e671d3c3d78fcf2be19a0510c5603a3f3eaffebbd8edfc2f9030cba3abef9572724a18a861e7340d35faeb34e93facc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEYe.exe

Filesize
228KB

MD5
f82a1fd585137ce4a10fd8c9da198a14

SHA1
4f7ddfd0f35151402e0c917eae082f864bfa6d4e

SHA256
3b1f0f749ce18b5c3e5a7a6dd20fc6b3744b804763b1f55f2ff9625aa51d6339

SHA512
3fd49698a96bbb3ea6ce6ad4687c3f968e967af70aef295b58e162bf65fcbe9cc6cef753ba62538702e3e4caf0719d7bfd062df6f7ed5abb8f627e8c29dcd167

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMcC.exe

Filesize
216KB

MD5
b2dc281a8523fdf06a9eeaf33b274180

SHA1
14fc829c5c94622792ec960622f18022e3a0a909

SHA256
7d230491f30ec31939dd0bc066737228c5fb657505ccebfd7c346e3bb4c6503c

SHA512
50c48c39b65281bc164c19ea4773b65f1d59c7bae22db0929cd371627d9d6ffc70ba93615f70266547229dfaf71882b868a6547b0c1b3defbabac1b831b14f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKAUgUQE.bat

Filesize
4B

MD5
382b5461a3b3013d3a92eaf1123e6558

SHA1
8de23d62706fc41121d890c32b6f67d90e983326

SHA256
48d2b7684d662c6d837d5c4e509c765f69139685d2f5ddee8f050aa24aec37f8

SHA512
21b0d6ca529a01e9fa9b9d4edc996790ede45e208b7ee3459b092af7b973ed46b7697d6c1e5003d8b1ae959e2028c34ec49dfa0726f29408860ba9e787c6cdfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\neowsUIk.bat

Filesize
4B

MD5
1d7d4ab3b9166d2fd42ea054f9c9618a

SHA1
e49b8cd0d306f52260656034508a694d27248895

SHA256
9d7c4a73260df612e654ce70437b1dea7b67fb952a3c6c24c749f5df378898cc

SHA512
428e73f182249db4d139ec9d1929a7b4395d6f009009e363f53549dc99e0f66c3bf3ab2fba6dadcfa1e49357be953f35aac3906aba442246fb111191ede984ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGAggAgY.bat

Filesize
4B

MD5
dbce5bae08b8678ba68b923185f5dbab

SHA1
a78c4957d4a400efbaf4473eb4848bd24591d532

SHA256
a1f372eba70bbb38b160fb6112cddf4694238b4b83e8d8e475ba9607fca04942

SHA512
69167958a2188bd1188d6f83655d7f578ea4d141c27de8dbf2bafb74078a44374af93e582362b5b1c5cc663768ecce17022cbd85a68245a61c3e39a940864c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQYu.exe

Filesize
250KB

MD5
13d69a1d34dab212095b1107875f3785

SHA1
03cc5c72a1251cea0b345fd0b5c6688d820e9976

SHA256
25571d7a950ad2de6252230d0580f72b2060b778d1bc2326f06b65bf1cdf0b5c

SHA512
6dc76b745f389b6ad9bfdd6120b1c5a0159c717868ad3182502c1fc1bc7bc9c0b6cfcb26e677cbd5c0265bc1a9eb291afe0d1e7ca2e3334ffeff41f1eb604537

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUEAIUEU.bat

Filesize
4B

MD5
f37f0eaa86e621797fd67cd2c7f87c12

SHA1
3b22e7cf9352377df9601e9b4f156dc14f34e32b

SHA256
82ef9d7481202ee607f7a04c26eacc805aae30bcd9d553d7657e10f33b9801af

SHA512
8e9877273f62f953beac5bc6b26f1293a1be4b3cf164a00e90bb8d9e7ef18ef8f1c26626a1f1ee76c0dd14c82111d102fad72acdb4118e7bac2738248126c90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooIo.exe

Filesize
838KB

MD5
6839edb054cda4bb6ea526d6f819befb

SHA1
ebd7b22435d2e705119e1affffad5f2e088e0c89

SHA256
86f1e76671e6075709933e4dbac770b6874d39f64848729eadcaf9da33b91c2e

SHA512
22db904381a36a2c0b486a8191398442a82ba91cdc8eedb73603809e4b38cd344d6f5171ecdfe86822d86e631afa3a942c884c410602015b15413fb32b7209c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oosq.exe

Filesize
211KB

MD5
067af17db8cbc4666ba9b61d4a4b7b23

SHA1
c59e10263ce5c3cf5fe6edb8ed9d4ff26acd3f75

SHA256
4492606da0f655b9babe6899cc9f5ed1ac3567f54caf18c88bba4369a1ec56fe

SHA512
f2316a73c6298554e707fb3164a55548cf08692ed254b1844197e1db5aafbe339f29a945bf038f67026724801c85cb4a86ef9f576146519e6e91ebec28f6c92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oowm.exe

Filesize
197KB

MD5
b1d297247644316339770efa6f480fa0

SHA1
2dad5ef04a327d8e375f6ade9689e5f852e9e862

SHA256
41e7a6018ad0940c24ed59ec94278723646c60f8451abe8ec67cd740391fedca

SHA512
f8d10594c5e68c2f65f0acdce754f9990bef1f6f90d18f1692433fe123bf1868dcc4321554a928c0c92b020a68154402aed6fa616ff5c0f573687a9cd0d5a013

Download Submit
C:\Users\Admin\AppData\Local\Temp\osgkQQoM.bat

Filesize
4B

MD5
26b91030d87f34a2327b38482fc31961

SHA1
65fef5c806ae78dde3f527d5dd2327b5e6cd689d

SHA256
32000851cfd3e4cc803199c3cb3b931571906a546ed6e3a02171c873b326404e

SHA512
e10b18e12a1731cf99ee62bff133098dc2c70ace17ce4575cd7a70b2f035ad1341e7b8959a897830046ce5cc173a0a8d98a81b5d2c1660f4de19fde3f35879cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\oyUYcMwM.bat

Filesize
4B

MD5
9d863f85f112b4e9de62064949862e8d

SHA1
bd9b4b2651aa504b3492865f403c80d6e841306b

SHA256
4b3dce73b9c5bb0afb339862144a9be6ac3bf25283c319b6104506da30bf41ba

SHA512
c3a5bbeda9a49ff0f2b8d0bcb159c81ec3a57e0d158995c10f079c88f11ae5ba4b4302d9e39d2ba22596eaabd482068732e8f116257d1abf3befa3f461a7561e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pKQsIgwE.bat

Filesize
4B

MD5
249402098aafce864f06bf9aa72315c2

SHA1
36974febabe038f99b0dfcbcc5ff017adcd0cdeb

SHA256
c4750aaa907f99baeebc2412cb03d086e9c36b3dcc32fdddf151b08cf517e3e7

SHA512
4d9b83713c52a1b66dabb91ac130f1a9274cc5af071a1fbd3cd48e852d6ff310328cddee3d802b384f398cb107f5fa2d5d39d0356826c8da690f703c4378c73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgUcgwkM.bat

Filesize
4B

MD5
c6c02fc4ebaa77c42422f04f751b7152

SHA1
df0365897ed7861e90eeae2ec8f6c85bd60fbaf6

SHA256
4d6ea3cea5d6a4921299286a81880def7e9f366f593b39e4a71f8359a870f170

SHA512
cb74f894c5f6f6bbb4f7f9fb338de80bb6bf03706e488d44a71a8c2c48119feaa01e720b475b6c2d2c6d2b72cb38ca0715b83ef34e027f4f3cfc762e9b2afd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAIw.exe

Filesize
236KB

MD5
308a8c7f2fc3b70f99a60e97c6b58fb0

SHA1
8121561d85e046d6c2e3e4109094ca53a8fa0bb2

SHA256
7761f24027b11d76c2b3de907025c7af5985ec557cc337ab3200256ce0b54b66

SHA512
c57a4fbcf15aafbd964033fa1f3fe6a3508fd7f238d84bb44008386fa0220a7be950eba4e1188fb92f6594534d31dcf4b3a0544d6683a69951bd7dfdaac74611

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAoQ.exe

Filesize
231KB

MD5
5bb9b8a869d6c6d0e3dcb1e715ad24f0

SHA1
3ad48abd60684ae15d3919e7eb7a97657dc20a0a

SHA256
70531261ad9aa2b0c3a60e8763e47c66fb508ab8bcdc9da2a6812954f84e1324

SHA512
568521a24c8fc0cb14e2804f98b61dac06019ac8217a58ffc01c33067008ede4374230f34d8ede9ecd09abab4b3d5b94217f98d6174021d3c5becd3ca6be84c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEYk.exe

Filesize
599KB

MD5
84ad46201bc1f92ef5054f4ccd4efaff

SHA1
22de9b3c2aa376a432f06a20fd695c204da11bd2

SHA256
9b058bdb830821933d5347b860ecddea41911f6de4d7b3b6956b0a8353d1b73d

SHA512
7d7e2d3353c04cbd4c0aa710f4f49c3347776e336172954cdd1489c590b1d4f8a04eacbb0bcddffaec15d5e27e141e6c1be8d0831b98719c8d9d2af8a25363df

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIES.exe

Filesize
190KB

MD5
3b3852b55ce51f4f9eb2ceb9d6a8f2e6

SHA1
86d5bb328617024282151a26f71012b82fbf02be

SHA256
9814a49c2d2fcda1aa853c8bc946133c84823a4300cdf45e778e29f0f341aef3

SHA512
6491126f620391e1d6965503cba6278403be0119037f5aeda33f812e14db78db3ec6541cfe5284fbd76f778ecd9294fd593b0621a771d7a4464f59b440697367

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMoO.exe

Filesize
4.1MB

MD5
dc5d93c30cf32a238313a03162947be3

SHA1
3499748cabaeb7753e0e2222385f81e6c0d31d4c

SHA256
70feabeab927a9a0504a97bf6ba0e672254f4abe147be74e6971e6167e9621db

SHA512
495837c45d42a44d6659d7b8ae456373a7f22f53aaa4fe7916bcc34b5e0347c1c297802da130502a3c00b067e54930f916bc965e05d05d7e606cc3c9b9749d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUYw.exe

Filesize
244KB

MD5
7d1ba6327ee79e26988b1a91004c51dd

SHA1
643ee0568baeb687c835b794e4a24a74bd159e96

SHA256
b77bbcc130876e0370de9c160f2295cc215a86a84f75ed81946ae69ccfa5970a

SHA512
04092408ba813ac50a1a532d9389e7074fc16b1dc4054fbf40bbf0b6bca43292b8569cadbd70690ac1dc05a354ca4f8164cd455fc52d3cfd237ea7ca9a4acba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgAg.exe

Filesize
229KB

MD5
a29e0ee0355383d137ea849a3c144f94

SHA1
1ff4cc2183a4ca059d1062604e05b8fa73189896

SHA256
a96c1696713085b970499922c4b03147537d193c39609dc31c4b7a8461b5f2a3

SHA512
e03b6128d5531567622c700ee2cb29ad663636313ccea39a2c7233c7f54e22e2a78ef9a1ea9a28ff0c5c2b4f80a01c5b64da59c7be5cff856a0b4055ab244936

Download Submit
C:\Users\Admin\AppData\Local\Temp\qiUcocUE.bat

Filesize
4B

MD5
26ec9ca2fb8a9ec83cc3c84b8076ea97

SHA1
2b89b4337e6b1668feff80e6bc4eb5d8ecd3d435

SHA256
1f4457fde8ef5dd84674c0d6e83914e5728a7b1db1dcf94c5c5e1144928db783

SHA512
7344bddc27d5fcce8de97ef7db5584eec6cd738d91c88ac21b798594ba0a479aa95849de6eef98950bfbe40a53015eeecf132b52068b46b0112a692fa21ec737

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoYogAos.bat

Filesize
4B

MD5
b9dea5a40741001143a0b6884e52eb5d

SHA1
43ad85a47e8cb92e005d833d162eca1dd9b31238

SHA256
44e6e0b7e8593f43acaaafdfa5199f37f9fcb998342803a6a61408844ccb7bcf

SHA512
c777a150b2a5e7faf8c1a5410df35fa5ebc3090e1fe90390dea4c3c1216c1535c722522bf96d691a9e86143bcfb8402e6118c67b62fccb25f80f7d1453872575

Download Submit
C:\Users\Admin\AppData\Local\Temp\rMUcowYs.bat

Filesize
4B

MD5
5aed43f69c612102cf2a6f25529d49e7

SHA1
7ec6d65da00225720f795f05f791e1e389d0195a

SHA256
fde44361987f998dcde6ea7d2a4bb1d75c6ef5ba3da8a4570d10bb49e2e6ea72

SHA512
c73a047ca2fd8fe8337e2f6df72cd653271f32fc273751a61894eb5542270ec670ac3f4ab220d3e94121d18d4b846f70a31fd4d3521ba6f191db3312bf770f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYYwMkwo.bat

Filesize
4B

MD5
205489f397625fc673b25f8d81ec3c1b

SHA1
0f46c4635bc977b1e784c5282e2bac1da5671737

SHA256
95399398b8515beabac94c52503c058530614b776a722fe50c43993438f33d75

SHA512
90a10a697f589dd6717f96617e2ea6891d64df8db00ffcdd6f661886d30121cd4bdac49a745f808c0e18d7618657bb28b4783961fb3f75841283c42901dffc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIwA.exe

Filesize
246KB

MD5
32dff1f516a1aae515d5be3c40e7253f

SHA1
6052fccdcb6694300555b8454fdc4d3b47949ce1

SHA256
70fb793317759d1993ee4338ed044fd7bb6cf9f251382535dbbab58d3323281b

SHA512
c41393d0cd1739167550945e1a744dd6ca4818019fa7c12563d2941cd8aa2a740b96e9137cbd9812c73b0d01dc7fc55cfe88fe5ae91dd70a198f5532f4f672e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sOcYMMos.bat

Filesize
4B

MD5
08e6630d8ca755d128cf90aa5d38568c

SHA1
cb859c51ea5f5ae8e7054fdc69de6acd2983e239

SHA256
9019e5b1fa97e3b3d451c067972c129aec8c53e5e59ebe60299204da02875543

SHA512
589acb79c92424a16d9df212e9a1817b88f1624a9113730ed48bbfca26e94462e34a4ae6f77912980d1a0ac70a259f24c61f82f7b7b8b3e1703d87717d9d16d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYIS.exe

Filesize
194KB

MD5
c91ecb967a0ce24b6086fd3a06b0a774

SHA1
475736f2f844e190c9b9736a481af0165423096a

SHA256
516b91b160d146b320883c1d7783f1c6037b229949dc87ea7f01d7b67f222c88

SHA512
568c48b556da89d1465e94b03ee0880d48221df455c1c8ce781b72a440cf43af1fc171a25c10aab99f41ad19d03f6c34173f171e3b2622ed4ae413744d36cf7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scwEgcQs.bat

Filesize
4B

MD5
31b8f54d76d20cbfa373e575891a0ed9

SHA1
ebe0f58175aa810ecfefcd17c443b258a66d1944

SHA256
9ad03fd18caebc3078e42a5391d38130ef508849f51f59dd657d52741930aeb6

SHA512
9d5c5a61615d5c2b303948290d3710b0e6241bb8afc34d97cfea97ac56e484f53089fdd304c1c324d1b0a1278fc921fd381bc9ed0f69f3f896fb90adfebeb424

Download Submit
C:\Users\Admin\AppData\Local\Temp\sewEIoYc.bat

Filesize
4B

MD5
dc1e04b9b2181249736dc85465ea944b

SHA1
60c8d12f5a582d5ec97acdd1ce06770a371b61fa

SHA256
7b118fa4015a20110dee463e82e3377bab8880f8e14546cb5e587694f0e5c2ef

SHA512
e553b65b1935246f355e4a688b4d35a088a9be46f7f892d58b3b026d7e056ca121750ba25e1f26c2624d7286dbdbb1c6f1a316d184b8b7367ee082a2fa4b5666

Download Submit
C:\Users\Admin\AppData\Local\Temp\syMccUgU.bat

Filesize
4B

MD5
818ed924ff7ba5f73e9924e628139b83

SHA1
541b24f68f9265d0194cbca1e21caca7171650af

SHA256
61e5096482ffb8f059712b33e6e9a18b1ccc31816fa483e522c6a569bd66e200

SHA512
e58da4c8168ec85d831c37bd0e4adc898f07ae98fa754c83c8622dc693e52d5e004565843c5d68e2458ec9002a0b56a52395c9d4d84e3981cf8ffbd841c7c9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEwEAEMw.bat

Filesize
4B

MD5
ca70923e57217bf31eca62658dcb29c1

SHA1
fec66c0c1de084b2d55de1d35a6e20ca07074954

SHA256
5ab23d8013905245eb538d0fe933d516de99669d4f41eff232d3c0d1bd8e132d

SHA512
a6592a5a1d2008f757da4d5665bf2008cc684afec7a07cac0bb27fa4ff3e374fe824725200dbabb5f2b99c7412a0cc4f71b0a993c040f86824ec85e69cd15e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUAwQMAc.bat

Filesize
4B

MD5
a5b3aff60f6cd2530234bccc80357530

SHA1
b8b858d8b39ab2403ffdc95f9b5fe57a0b0b3930

SHA256
b517b843d5b57657e910425ffb04d1a362756072973404aff448f97d3c18b9c0

SHA512
14e974b0bfe1343073c4b712c8430807fe53ca4c4d69db2db6fee25f51c97b567757189377e0a6a50df33c7497d17b7d64c6fad1e12eba91f969a858b25124a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYgQwoQI.bat

Filesize
4B

MD5
8c59a33f4190244262823bbb47fcbf5f

SHA1
9a09559edc59410a1e149def54b27fd4bd20dffd

SHA256
d0ea79fd66b85bdf6d18cb3f8370a93550a9b9844ab154689b9e61bd440b53c7

SHA512
bbd571c70162ccce6021e7bf0210319007c3bbc91f12953e242a77ab50bcf1891118724a3e36defb31549d3a33a4644c37f5ab20ffb0d03e1a374011a7310d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\taIcAkMM.bat

Filesize
4B

MD5
ede58777e16c4288f5026b7ec74e2ef7

SHA1
4949a761534634647bd12bdf65ba967dafb10cc5

SHA256
23bedc1d75449632158cf653c552854efc6f55915e7e259f130ecf1174e2d4ba

SHA512
a02abf43d6dff5e5c062b863bc536fb5d46e18e97b861f0749f44e0a2c2162e647112c9df4361eeda20d6c8198b00a846530eb80953177a47d965657748e8a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiwQQMkU.bat

Filesize
4B

MD5
280b1f9efb3493446df900e02ff4977a

SHA1
906e2b9918ffea552af355b9a733023fe7c0a730

SHA256
49ffc386c7daf75d437c3a2c5f36f6fc1e949c73fa70726a5a5fe9f5bb09866e

SHA512
2cdda039595bbd962b4fe63c31f7f05037cefa7ed0fccb3cb0957d009262ca93bea8557572e07418a295bf50c0b1b438d6cebae78312267d9f53c7ab33de3fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\towoAswQ.bat

Filesize
4B

MD5
f03539d484290e1153d688079147062d

SHA1
e09db595f18dbf269c27ad95f0e2cec73058594e

SHA256
22169b35212928ed867ecde15418332ffe4f5495b7edb97350a1c6bb58aa0299

SHA512
c4f6819c9ef7741e862cabc65e5e4fec8dd3956d9e6ae9b012226f6e776c1a6bdca8b01e4e31100db8da7fb587656242d665ebc3ffd972c6a75a2ccb2080f41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyQosgQo.bat

Filesize
4B

MD5
2f0dca7304a93d87fc6f8268f0881ab8

SHA1
37f471b692df485a3e9907f87dcc61623f755aad

SHA256
6fba8a381997191b05b60c026f524e90c18e960969cecc57dab2074bc5d7bab1

SHA512
c16cd86e47d53b084e08baa26f4fa32c66ee49aa955b7422e7e1b7806e5e7407ebc89f77b83e692d166cf5979aebfa9f9231cac3dd9f4e1590fc4b64da0c684d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIME.exe

Filesize
1.4MB

MD5
d289fbaa5b5e4f4efa8b368170bf5284

SHA1
31eaa272b2690cb4124c356e28d67494d99b6c03

SHA256
17142e202ca3ec1b434ef85b97cc6a97904ccf28f0f4e9fb3bf6074fd2463ede

SHA512
e588546c996a6ddcee7687005ee5ac8fa40474b29cfc232a71c512ae48be5e76f229ac3fe3f65e9d11de1fe13f154bb376f1bd3a1d74049851ba83fc3c0bbc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMsC.exe

Filesize
231KB

MD5
f7af3deaca10fc30d1473749e5b95db5

SHA1
1a066525f516519483eac48b461eb7951d17dfe4

SHA256
9c379d5b4f5d6e0db30f234d726e94a5aabd03f070c68a52c9eebf422037a042

SHA512
533174827573cc133205861d49c9126093b3496eb7b00f4af600132bdb8080502e64c73007525b902a4e2da0fb5bb5b76d7a7c5d9b2090c3cd127f87f3a1a9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSIQEUss.bat

Filesize
4B

MD5
d6a785be078c47909fb35c4a0022a9ac

SHA1
fee6a770a215ed0e6c84726f6a12729290beec79

SHA256
1ba939ede107dd5e716f22690b771468fa0bd39b4c238a57bf7452d2b24857cd

SHA512
a2da43d4f4dab92e140da89c601fbc7e4a04f5c4c4c89865613a3d030e1233018c7e3f0dbd50becac3aba2e9b688e7ad861a8450c678bb22245c26a36f6aabd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukEA.exe

Filesize
226KB

MD5
6ed7898ab8e31fcc8ecdefb2ef0f30a8

SHA1
5dfb7c5064a091e455da25ab81deb9d99e27d65f

SHA256
8d84bd001cee05acd1a6c44ae5fbc8282c5515b5ad979a81506555fd42f49697

SHA512
5f8e28f72432cfdc1f27d4d4722f15ab1c5a3cef8d64735f83fb1753e739e5c27b9cc306efa174adbc3760d93d7d617a53251edee4c1b19ec896fccf712b8e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukww.exe

Filesize
242KB

MD5
f08484985220d5775dee86dc3a0435fa

SHA1
ea28768f835dba5ee784bfd8e71825883d86221b

SHA256
abd69a82d93aead65994a9f9b06115da85899ea0b9f453a0ce07ab11664dd1cd

SHA512
d38fb578851b05ae03dce70563fed521a60295751e39be86587e09bb2c2f906051237d699e784a347f6c05ba0629444ca47021eaede2b428890f2d590412d623

Download Submit
C:\Users\Admin\AppData\Local\Temp\uowS.exe

Filesize
245KB

MD5
1223e565a4f2251aea2ce6fe44a6e719

SHA1
ca57a16a5dfffdcc74146b71d350fad5754cb9f5

SHA256
fc7074f5e101b1c9fd71e663c213dd75f89e99cc3622d9276679af1960761aba

SHA512
037109eeced792b72bdff027bb149e1285580cb93807018603c43bf321ef2f4ee98848440fa4f416ecd76d836586ff3fe3d6074b9b3afc886b596f8e5b58f478

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwYgIQIs.bat

Filesize
4B

MD5
f3cdff521643f14c29f5c5b9f40010b0

SHA1
60dd312285f51f1f74d25a0f983667f68c9f8fd0

SHA256
44ea3e24b1e7bae99dc67243c1937fae00e71a110f2466323fde05a82b77a22a

SHA512
d9fd66774b3de0eb53f53811b92abc70f28dbdfc6bc2f9a253151f028c84a63e9d69f7341bb87e303744cd8426dfe78cb808b6ff65e9873149a000eb8f60ae9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGQoQIUY.bat

Filesize
4B

MD5
3decb2c852b8d1e9d860bf500dfa26ff

SHA1
8eee65363bcc372a6665ae383d59e769610a0dee

SHA256
649a54d0ce5b69149fcdd3ad40d17a856f8d19b354a119cc40c57b3549f1e5d3

SHA512
078c39ac56ff9d31d4e1d86ef27b4652d6725ddf4d68c7fb5c777ffd79a32c8e4226ae89b993430f63ff9fc1e0e782d73e952db1d0015e3977e8bb6d996195a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQookwgU.bat

Filesize
4B

MD5
b3994fdb833753839dd0dd4a6997b60d

SHA1
fe9f0aa95a9f0418b88d13cf2ef8b8a33b9f435a

SHA256
c457af24be62805062adeef614e3f674b8677ff48a83dabd03eb3b5b003541d6

SHA512
edf053dd9ded63f46d5bbd762fbe740d4a3aeacf9571c73ececb30ddf192a3470ba897c2f2fbc6bc8d582ce00ac1957ec582d72a81473a786189a112adb61fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\veUcIEso.bat

Filesize
4B

MD5
4e250ae69f16c00f4a5d414dec83c730

SHA1
5bb6fa29f9ad7be32f0828204ad2d28161037667

SHA256
c85c4d09a0ed07bd8f7b481910fae04ec4513b4565a71b6aec7dd1b3119ce875

SHA512
d63ac46c02e6078cdedba41975d40b337dceef30a55f293c17ba418b03b84d36e2564322319b1be8f23758df6b059e14a48761ff059801f00bf9ea9d11ce5471

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUce.exe

Filesize
245KB

MD5
631928e0f8096a8a1039f70fb44a6f08

SHA1
22ab154223a48c136b6e28dc997d0ba7ee5495b2

SHA256
061218738d8e8d0beb0fedc837b1a3cdaa9a64f9ad34b0da055879dbc3710465

SHA512
05b0629cb600e18035df20d178ab4f6d47fce6d9c78973224e1e474fbbbb082d52f2ac75d905832d870e3ae219251753c421706e1925a5eda82211542e20baf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsks.exe

Filesize
189KB

MD5
2d6608db325e9433b84cdf338b6df0d1

SHA1
79df27d1d2bc941281c5d5b4f53aad0060738ecc

SHA256
0c523879d62c275b472cfefe2c1201fc2183b4b58216359db5ffde5519bbbd8b

SHA512
47460f38c2260edf73a16900be1659b4903d8d8cc2619ae2e5d38c57b9a17cfeba1b59a7a86d7bef33a6fa5c386377ad4fe6ebd25b00609918c265d4bd269f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwkA.exe

Filesize
245KB

MD5
e8ff3266b65608cdf28102e725760d60

SHA1
978ce60a3b5c3896151cc86b6b9f0b0d6ca4fb76

SHA256
e97450b6c9c478e3fb29df29f8c5b32be3e3639ff3996bebb0449d4bd99e19c0

SHA512
b8ec2bb2c31195cfddc7205472c6f24f0fa31b4d075e43080e5e0b34837ba096593779f222d1a933fe5ba2a6ae07ee64c2e0580c442bdf2d2a870dab3f350bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xKwoAQsA.bat

Filesize
4B

MD5
da58262b5dcbde5ea0db363fb3e831db

SHA1
d8b6a89e5e22b4bf21dd4a28a84801d4779e3391

SHA256
2a0fe45b5c87424391a766f6a2045dea9bae26cb9f8b61056488f3237ab8da7d

SHA512
b39fe1f72a01b26606d9b712f5e48a43f0d780c8e1429bad198ad3c716c07bb57ec02f3f413b4dd814f681c5ca8a4c59fdeb043015a01c7db8b378eb08f0a332

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcUIoQcw.bat

Filesize
4B

MD5
e749490e15fd779d3fb006f258977b9d

SHA1
afd096ba87b00f4eeb91e4f942769ca52f811001

SHA256
0f396be5e8cf8d3f45aacc6d42dbfb1315b8d01ffad160e282d773f125770f3b

SHA512
2885e5afb5da873e37e94ce589945ef23ffa9255ccec390ebc0776f9b5355de8e5dceb84209a9d4f5028b2388326fd33de2e0b62c706719a8f1473449e00d735

Download Submit
C:\Users\Admin\AppData\Local\Temp\xggYksgE.bat

Filesize
4B

MD5
06eabb9b2a445e0e065e1d369b357d73

SHA1
4f4c54ee6276eba8d62d2c77378a034b9af1e316

SHA256
130fc90d3cec82aa4c9c619717aa7c47c3ddc60a6c51bb6635fd8f0e16629454

SHA512
e085016b0b0f4989c817d0a0fc15991ec50c73541ea76c51d62539265440773232f8dc8d55c9716fe30bae7e216a0cad0f6d5f6d3de416e1a61b50afa7784e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIAs.exe

Filesize
228KB

MD5
6acafd3a6dc9ff75c42ffce15bd32738

SHA1
edcbb34731015dfc0104cc8f986d9f8a6251906b

SHA256
905a836bdd0e1a574baf16130eea948e6694ca4b3809922ea9ea73f8e25f816c

SHA512
044b5dc7447a86cdff821bcf160ecd0ce39de49a5f7d07a7b1e0b4b58e3b3c13d2e58440f9768bcc1afaaa6ffd082d5dc5d2912fe23969e2aa0b9599125f1ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUYe.exe

Filesize
226KB

MD5
bf929d1f7f4b63731155e5805432f5d3

SHA1
af290282596578cd36bbc3899f1d996067c35a65

SHA256
0d18d23c9ec6c9a2b3cc3fa28bc6563dc63cf846c1dade7999e1204ba868343a

SHA512
dd0ffa4f42ea7e730dad07b34698f2433778c81b84cde0f253d33ff5bdd2bcbd5540a95d5edd4c96583932b1783e3099402d7caf6d2cedc5eb2b3d8347002843

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUYg.exe

Filesize
195KB

MD5
d795c6c32a53c5afe62be05587b16242

SHA1
7e9791b79db6006ad8d9528f8030f7262e17214c

SHA256
d600c95edd50d69122a4d7ef44c156d1bea5877ce1e35bb60d83047d331e7c82

SHA512
4081c08000815880cf5adf2776490a0ab89327c0491bb6376173b3abb250b336f40ee91ab51a10b5e88e9072cc023a057623c2baf4aaf8bae344f0e06b37238f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUwO.exe

Filesize
229KB

MD5
64b2120f153b89f2351dc88f383e2ec1

SHA1
7c564dcda4042ed913d7cfe950360f731db27576

SHA256
97286d4af909227be615954e197d0d5974afb0a45cee4de5aec4e1b7bdc4eaba

SHA512
d0f64934bcecab15213706b65ab84c89c31225846fad75325efad24428006e72d70d25717cb633348f52354e71b243802c6d1a102ed564e90c32b1bf25ae6437

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYww.exe

Filesize
234KB

MD5
405d7a4dc7fe3221109550e19e804512

SHA1
672155cde8310beb59e8ebe29e35bffb58c66584

SHA256
ab85d531a14a6c3329f8ff070cb3f13a81bfc98e748dc1752268a9cb05120cff

SHA512
eff383ff73961fcfad95f9e8393e9184edf2f399d55a43bf97370402386a344cb8b0e26828d2ab5516f3f9e1cbd790ed4f2de245b8341cd910d73e451f42c5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yeEcAcoI.bat

Filesize
4B

MD5
590ba0b75c50cce5e85a6635e60c74a9

SHA1
bd333321a89b06afd9e00d54ea091d189f0970d6

SHA256
d9f7960c824a01650056706903c9299d208d333b2f0768be387373ab9352de70

SHA512
351b6f81f5a52fe1c9347c5e0c9b63673b92834af84c0c080c78c7a98dcb783918764d283ab75b7064001dd04f8b52654d500caddb2be0ddf77ed8f81f33b0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykcEsQMw.bat

Filesize
4B

MD5
cd9710b4b38d06c873b143d19789784a

SHA1
ef07acea5ea73d2df50ccfc7e594159a27a13e40

SHA256
1eb380da81cf2ddbe683d2abbc5d5e8fd3265ad612fb86b5f04ed321a80dfa3b

SHA512
df1c219239637083bd4937605ea3359fdd5ffd61fb309415e8e8e30dc0d88a49efb8551296f28f6eb7342d15afde7d2047fc91cd1f6a204a367f2b0e42c258b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysYw.exe

Filesize
241KB

MD5
3558dbc046ff55b1753d5ff2a904bfff

SHA1
9ddaf60987fabe64259782ba39a441bacabf830c

SHA256
bc290627d65b95ede35e6c4c477b5480dc4129c0dc84b2e7f8d42f1fc54ccbb2

SHA512
dc50f8e4c91e1b47d3e5840d53453924856d5453424a0c4bfae730f98421729245c46a6aa8624cc14a27e9d9193c0fef79d762c29ff2aa6af0be8cfd2b404c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsggkoIQ.bat

Filesize
4B

MD5
324c5ee7a259a04a3f9bdfd6384ab70d

SHA1
9eaf182ded955c926bb4973d016e16edd9e33155

SHA256
339e97fbf481db9dde6ec86d55804ecf1d1f9e9b55be0d2a768338e8afb463bc

SHA512
e1704829a9c460b5bd90b1d154af58fa4aed5083f424cc55f5b979f2570240040165112309613cdd2464344342cb86cad0bbc6a1e50ea7c936485afbe30f3b01

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

Filesize
1.0MB

MD5
6b8e0ad481c23d6595d771858466c88f

SHA1
feb5f7f21f342aef8d85d06274c513707a007179

SHA256
162f9fac3e63a45ac0b9efbbf15507aca6d1b5308603573c22c3f28aad47bf66

SHA512
c7a63762f1d6f9a0d7e499a05279d1f67c03b53804626128e0eb3dfaee38e9a4d9d39777f293a24b3aeffa25d6851e43c10c2703d713a7dab4635bc07d810430

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe

Filesize
960KB

MD5
8d79d2a62459b90e2edc9632698801a2

SHA1
923499b31cab9159cece3c97a592c4cdb50512da

SHA256
f5bab03300906db2cb056255ab964b53f3bcef670348ce910fbcc86376a9a63d

SHA512
9f6e715edbe2063eb55162872378cd3a27af8e5d068bd0ca69dad19ad8970046778d004954dffb5a8144adca8ad53b2393e4d374f3259768877d921a4c133322

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe

Filesize
938KB

MD5
1be2159aa12b894fbe9bac19ca43c4d5

SHA1
bffb23ae5e46b9187cd19c460d08bb5c38a1b7df

SHA256
ad9f332212e20719d4c436b1aae9c43fc802d706898dc481f7ea353e14ed7f6f

SHA512
b7d16e6e0027637f9556f6b262fcdcfd45162dd77210b15c26a54fa639e03beaa919dec86ede5020bf9570a95d56e3644c525f9486116675af77935e1f6e5b64

Download Submit
\ProgramData\iIEcUIUU\JSIYcoYA.exe

Filesize
186KB

MD5
7e0515094a5c39e43ab12bbe89212b42

SHA1
5a7b2ce288296656ef2cc120d69c44607b460446

SHA256
5ef4850ed0fdeb88043df527995341cdda4464ae5e666f3b8ef31acc00481412

SHA512
569b9ee8abb0d48a39c60da675c89f5f375112bad58c4f1c11e1e4802dcf526e57f69e64f4007b518b728788e17e0f17cb5a56c36137efe88200e4305abbc16f

Download Submit
\Users\Admin\eCQcYYcc\pagkEMoc.exe

Filesize
180KB

MD5
76fd4421d4501357355c44265feaf45d

SHA1
4367bd911c2b048e462e949039641366dc9bec53

SHA256
1a7a9fd346e6e8fef34c1a0b03b739575add965e56956ef0af7da2f53e05a79e

SHA512
d88ad29e29796728b22367a0edf88e6a7caa77f1b0ba906996c973c0f9d18f30d5022329cbeb3f0694451dc8b0ebc8e8a8922cf0ab7e1b6d5b6de290f795cda3

Download Submit
memory/300-128-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/308-540-0x0000000000810000-0x0000000000846000-memory.dmp

Filesize
216KB

Download
memory/320-541-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/320-571-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/328-361-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/328-396-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-229-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-198-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/484-419-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/484-387-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/572-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/572-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/584-623-0x00000000001F0000-0x0000000000226000-memory.dmp

Filesize
216KB

Download
memory/772-105-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download
memory/772-104-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download
memory/792-432-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/808-385-0x0000000000110000-0x0000000000146000-memory.dmp

Filesize
216KB

Download
memory/808-386-0x0000000000110000-0x0000000000146000-memory.dmp

Filesize
216KB

Download
memory/828-550-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/828-521-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/908-633-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/908-604-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/952-243-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/952-277-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1008-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1008-59-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1120-242-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/1172-267-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/1172-582-0x0000000000130000-0x0000000000166000-memory.dmp

Filesize
216KB

Download
memory/1172-583-0x0000000000130000-0x0000000000166000-memory.dmp

Filesize
216KB

Download
memory/1172-138-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1172-106-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1180-184-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1180-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1272-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1272-82-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1304-162-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1304-129-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1304-291-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1304-323-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1312-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1312-300-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1404-643-0x0000000000170000-0x00000000001A6000-memory.dmp

Filesize
216KB

Download
memory/1432-409-0x0000000000410000-0x0000000000446000-memory.dmp

Filesize
216KB

Download
memory/1536-81-0x0000000000210000-0x0000000000246000-memory.dmp

Filesize
216KB

Download
memory/1556-371-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1556-337-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1608-501-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1608-530-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1656-644-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1656-674-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1692-57-0x0000000000370000-0x00000000003A6000-memory.dmp

Filesize
216KB

Download
memory/1692-58-0x0000000000370000-0x00000000003A6000-memory.dmp

Filesize
216KB

Download
memory/1752-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1896-455-0x0000000000120000-0x0000000000156000-memory.dmp

Filesize
216KB

Download
memory/1908-685-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1920-20-0x00000000004A0000-0x00000000004D0000-memory.dmp

Filesize
192KB

Download
memory/1920-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1920-6-0x00000000004A0000-0x00000000004CE000-memory.dmp

Filesize
184KB

Download
memory/1920-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1920-16-0x00000000004A0000-0x00000000004D0000-memory.dmp

Filesize
192KB

Download
memory/1960-603-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1964-30-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2004-665-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2004-694-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2076-560-0x0000000000200000-0x0000000000236000-memory.dmp

Filesize
216KB

Download
memory/2148-197-0x0000000000170000-0x00000000001A6000-memory.dmp

Filesize
216KB

Download
memory/2196-410-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2196-442-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2360-684-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-500-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2476-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2476-220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-359-0x0000000000190000-0x00000000001C6000-memory.dmp

Filesize
216KB

Download
memory/2580-360-0x0000000000190000-0x00000000001C6000-memory.dmp

Filesize
216KB

Download
memory/2600-561-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2600-593-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2620-313-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2628-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2628-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2640-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2640-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2652-336-0x00000000001E0000-0x0000000000216000-memory.dmp

Filesize
216KB

Download
memory/2704-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-613-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-584-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2712-433-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2712-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-489-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-456-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2760-520-0x00000000000F0000-0x0000000000126000-memory.dmp

Filesize
216KB

Download
memory/2796-624-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2796-655-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2796-480-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2796-510-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download