1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Size

187KB
MD5

165ff7a540b2338d7b848c17c9e9e9ca
SHA1

2b4ccc7579cd41e57cd6e19108ea7df964b6b0b9
SHA256

1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
SHA512

225e7909b4587c2a090681de0ac870c5ad00f245f6467e51f1b99489d149fffd8e57907fceb435b31b30c4adaadb89b0e718a73cdace715369b269584bec41be
SSDEEP

3072:kxqO4KrRMCg2fMLAEO8NGzswbpA3fiani/dckNHqTl9EsRVKQoY:koOMCDMLANEf9iFckNK59EPY

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WwsAYAUk.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation WwsAYAUk.exe
Executes dropped EXE 2 IoCs

Processes:

WwsAYAUk.exelyIsIYwk.exe

pid process

2388 WwsAYAUk.exe
868 lyIsIYwk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	WwsAYAUk.exe

Loads dropped DLL 20 IoCs

Processes:

1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeWwsAYAUk.exe

pid	process
340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeWwsAYAUk.exelyIsIYwk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\WwsAYAUk.exe = "C:\\Users\\Admin\\ssoIwAoU\\WwsAYAUk.exe"	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lyIsIYwk.exe = "C:\\ProgramData\\WyUkgwss\\lyIsIYwk.exe"	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\WwsAYAUk.exe = "C:\\Users\\Admin\\ssoIwAoU\\WwsAYAUk.exe"	WwsAYAUk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lyIsIYwk.exe = "C:\\ProgramData\\WyUkgwss\\lyIsIYwk.exe"	lyIsIYwk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exereg.execmd.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execmd.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execscript.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exereg.execscript.exereg.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execscript.execmd.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exereg.exereg.execscript.exereg.exereg.exereg.execscript.exereg.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exereg.execmd.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execmd.execmd.exereg.exereg.exereg.exereg.execscript.execmd.exereg.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execmd.exereg.exereg.exereg.exereg.execmd.execmd.execmd.execscript.execscript.execmd.execmd.execmd.execmd.execscript.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execmd.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
564	reg.exe
1360	reg.exe
2816	reg.exe
2188	reg.exe
1864	reg.exe
1044	reg.exe
2680	reg.exe
2760	reg.exe
2000	reg.exe
2004	reg.exe
1564	reg.exe
1728	reg.exe
3028	reg.exe
1992	reg.exe
616	reg.exe
1340	reg.exe
548	reg.exe
2480	reg.exe
548	reg.exe
2348	reg.exe
2972	reg.exe
1492	reg.exe
1532	reg.exe
2604	reg.exe
876	reg.exe
2828	reg.exe
1760	reg.exe
2068	reg.exe
1088	reg.exe
3024	reg.exe
2020	reg.exe
1744	reg.exe
1044	reg.exe
2912	reg.exe
2000	reg.exe
2820	reg.exe
620	reg.exe
1544	reg.exe
2020	reg.exe
2960	reg.exe
2108	reg.exe
2904	reg.exe
2740	reg.exe
1076	reg.exe
328	reg.exe
1968	reg.exe
2632	reg.exe
1492	reg.exe
1272	reg.exe
1320	reg.exe
3016	reg.exe
444	reg.exe
1108	reg.exe
1876	reg.exe
2828	reg.exe
2100	reg.exe
1728	reg.exe
2772	reg.exe
1360	reg.exe
936	reg.exe
3020	reg.exe
2912	reg.exe
956	reg.exe
1584	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe

pid	process
340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2436	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2436	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2012	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2012	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1088	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1088	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1744	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1744	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2160	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2160	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2888	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2888	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2844	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2844	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1624	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1624	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1616	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1616	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1808	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1808	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2724	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2724	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2788	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2788	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2604	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2604	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1908	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1908	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1784	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1784	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2272	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2272	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2304	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2304	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2680	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2680	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2060	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2060	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
544	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
544	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1548	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1548	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1992	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1992	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2840	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2840	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
3040	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
3040	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2300	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2300	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2944	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2944	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1640	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1640	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2284	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2284	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1836	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1836	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1632	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
1632	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WwsAYAUk.exe

pid process

2388 WwsAYAUk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

WwsAYAUk.exe

pid	process
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe
2388	WwsAYAUk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execmd.execmd.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execmd.execmd.exe

description	pid	process	target process
PID 340 wrote to memory of 2388	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	WwsAYAUk.exe
PID 340 wrote to memory of 2388	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	WwsAYAUk.exe
PID 340 wrote to memory of 2388	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	WwsAYAUk.exe
PID 340 wrote to memory of 2388	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	WwsAYAUk.exe
PID 340 wrote to memory of 868	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	lyIsIYwk.exe
PID 340 wrote to memory of 868	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	lyIsIYwk.exe
PID 340 wrote to memory of 868	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	lyIsIYwk.exe
PID 340 wrote to memory of 868	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	lyIsIYwk.exe
PID 340 wrote to memory of 2276	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 340 wrote to memory of 2276	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 340 wrote to memory of 2276	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 340 wrote to memory of 2276	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 340 wrote to memory of 3028	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 340 wrote to memory of 3028	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 340 wrote to memory of 3028	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 340 wrote to memory of 3028	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 340 wrote to memory of 2448	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 340 wrote to memory of 2448	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 340 wrote to memory of 2448	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 340 wrote to memory of 2448	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 340 wrote to memory of 2748	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 340 wrote to memory of 2748	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 340 wrote to memory of 2748	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 340 wrote to memory of 2748	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 340 wrote to memory of 2840	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 340 wrote to memory of 2840	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 340 wrote to memory of 2840	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 340 wrote to memory of 2840	340	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 2276 wrote to memory of 2768	2276	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 2276 wrote to memory of 2768	2276	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 2276 wrote to memory of 2768	2276	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 2276 wrote to memory of 2768	2276	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 2840 wrote to memory of 2736	2840	cmd.exe	cscript.exe
PID 2840 wrote to memory of 2736	2840	cmd.exe	cscript.exe
PID 2840 wrote to memory of 2736	2840	cmd.exe	cscript.exe
PID 2840 wrote to memory of 2736	2840	cmd.exe	cscript.exe
PID 2768 wrote to memory of 2512	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 2768 wrote to memory of 2512	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 2768 wrote to memory of 2512	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 2768 wrote to memory of 2512	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 2512 wrote to memory of 2436	2512	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 2512 wrote to memory of 2436	2512	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 2512 wrote to memory of 2436	2512	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 2512 wrote to memory of 2436	2512	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 2768 wrote to memory of 2332	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2768 wrote to memory of 2332	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2768 wrote to memory of 2332	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2768 wrote to memory of 2332	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2768 wrote to memory of 2660	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2768 wrote to memory of 2660	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2768 wrote to memory of 2660	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2768 wrote to memory of 2660	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2768 wrote to memory of 2936	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2768 wrote to memory of 2936	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2768 wrote to memory of 2936	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2768 wrote to memory of 2936	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2768 wrote to memory of 2684	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 2768 wrote to memory of 2684	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 2768 wrote to memory of 2684	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 2768 wrote to memory of 2684	2768	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 2684 wrote to memory of 2968	2684	cmd.exe	cscript.exe
PID 2684 wrote to memory of 2968	2684	cmd.exe	cscript.exe
PID 2684 wrote to memory of 2968	2684	cmd.exe	cscript.exe
PID 2684 wrote to memory of 2968	2684	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
"C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:340
- C:\Users\Admin\ssoIwAoU\WwsAYAUk.exe
  "C:\Users\Admin\ssoIwAoU\WwsAYAUk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2388
- C:\ProgramData\WyUkgwss\lyIsIYwk.exe
  "C:\ProgramData\WyUkgwss\lyIsIYwk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
    C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2436
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        6⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        8⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        10⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        12⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        14⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        16⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        18⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        20⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        22⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        24⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        26⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        28⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        30⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        32⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        34⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        36⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        38⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        40⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        42⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        44⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        46⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        47⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        48⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        50⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        52⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        54⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        56⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        58⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        60⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        62⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        64⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        65⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        66⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        67⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        68⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        69⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        70⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        71⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        72⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        73⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        74⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        75⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        76⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        77⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        78⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        79⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        80⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        81⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        82⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        83⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        84⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        85⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        86⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        87⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        88⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        89⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        90⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        91⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        92⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        93⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        94⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        95⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        96⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        97⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        98⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        99⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        100⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        101⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        102⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        103⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        105⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        106⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        107⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        108⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        109⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        110⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        111⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        112⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        113⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        114⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        115⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        116⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        118⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        119⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        120⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        121⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        122⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        123⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        124⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        125⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        126⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        127⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        128⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        129⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        130⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        131⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        132⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        133⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        134⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        135⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        137⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        138⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        139⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        140⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        142⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        143⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        144⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        145⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        146⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        147⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        148⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        149⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        150⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        151⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        152⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        153⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        155⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        156⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        157⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        158⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        159⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        160⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        161⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        163⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        164⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        165⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        166⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        167⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        168⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        169⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        170⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        171⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        172⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        173⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        175⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        176⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        178⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        179⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        180⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        181⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        182⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        183⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        184⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        185⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        186⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        187⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        188⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        189⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        191⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        192⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        193⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        194⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        195⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        196⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        198⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        199⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        200⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        202⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        203⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        204⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        206⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        207⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        208⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        209⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        210⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        211⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        212⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        213⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        214⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        215⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        216⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        217⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        218⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        220⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        221⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        222⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        223⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        224⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        225⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        226⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        227⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        228⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        229⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        231⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        232⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        233⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        234⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        235⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        236⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        237⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        238⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        239⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        240⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        242⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        243⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        244⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        245⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        246⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        247⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        248⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        249⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        250⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        251⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        252⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        253⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        255⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        256⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        257⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        258⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        259⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        261⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        262⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        263⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        264⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        265⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        UAC bypass
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hggccUAI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FaUggcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        262⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jEMsEcQA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        260⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcwQYkAU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies registry key
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        Modifies registry key
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQMIosAM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        256⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        UAC bypass
        Modifies registry key
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kSsskoYo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        254⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        Modifies registry key
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wWUwIgYE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        252⤵
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        Modifies registry key
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BUYosAYE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        250⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NWoUoAAs.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        248⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NQEEkEkA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        246⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VcggAMwo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        244⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        Modifies registry key
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hqYoMEoE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        242⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MUEMMcwU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        240⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YuwoYoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        238⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCkgkUMo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        236⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gasoUUQg.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        234⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\luoQkcIM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        232⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hKwIcQEA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        230⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VsYsAgoE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        228⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lWAsoEsc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        226⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOgEQosA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        224⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIIsskUE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        222⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WYAsUsEI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        220⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KQckAwsU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        218⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\noUAwUAo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        216⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        Modifies registry key
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lkUMggEk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        214⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BYYAkkEU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        212⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies registry key
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LEEMYIQU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        210⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oYYQkgkk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        208⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sakAoYQA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        206⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOosYMQA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        204⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oEQwQUYI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        202⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RKgwgYQo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        200⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zYIkocUs.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XSoIIAAE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        196⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        Modifies registry key
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dyQEUEog.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        194⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        Modifies registry key
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mCswUwwE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        192⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kAQQIggk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        190⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\asosMMcs.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        188⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qKMMIUQM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        186⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BYQowYQE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        184⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\faIMoAsg.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        182⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NoQEcIMs.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        180⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bsEEUkIw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        178⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YMEoksgE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        176⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies registry key
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AmUooYwM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        174⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAUQkUEA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        172⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wIcMEYUU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        170⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TCgEQQUo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        168⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMoIowIo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        166⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmIoUcsE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        164⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pkcUwAcY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        162⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\geAQEAkI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        160⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QgMcgckw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        158⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uWYMsQAo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        156⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LykIcMkk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        154⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        Modifies registry key
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rkoswUMU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        152⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TIsYgEsM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        150⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies registry key
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vWoIkMMo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        148⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\riAUgYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        146⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GokEIwkI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        144⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oyQkYEkw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        142⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\isAEYMEM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        140⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jesgIUcU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        138⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zwgYMoQA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        136⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vCAIUYgo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        134⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fuEIYsIs.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        132⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQsYQQkk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        130⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies registry key
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\geMAUIwo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mAsUQIsM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        126⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\caEwUEUY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        124⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCwUMAcs.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        122⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqokwEMs.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMIcIwIE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        118⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RUksMIsU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        116⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hEAkIAgg.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        114⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jgkggEgM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        112⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSksoEYw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        110⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuQcMAcQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        108⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        Modifies registry key
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GIAcgcEY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        106⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GYQYsEYI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        104⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LwkcAgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        102⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bgsIQwkE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        100⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PecsQQMc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        98⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmEwkckQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        96⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\euYYowck.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        94⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CQkgkwYY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        92⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MSIgQosM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        90⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KQggEEks.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        88⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TgEgIoAY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        86⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hiAwEgog.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        84⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DuAgAIwU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        82⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        Modifies registry key
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vcYsAQQA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        80⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KsIcwsEA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        78⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gIQwAwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        76⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\scoQAgUk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        74⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies registry key
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IOAAMscE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        72⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UgUMEMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        70⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\psUQYMMo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        68⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NmUMIQso.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        66⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOAMsIEU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        64⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies registry key
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\doUQwUQU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        62⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SsIwUwQs.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        60⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOkkgAcM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        58⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies registry key
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GuYYscos.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        56⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KwsgQogY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zAgAgwwo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        52⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jIYMgoYU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        50⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JsQMYsgY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        48⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LGIIcQYY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        46⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zGIUEMQM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        44⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gIAYEsQI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        42⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSkQcIYw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        40⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gEIYMwQc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        38⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oGcUYEwM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        36⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OAscIMgo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        34⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xmUAoYwY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        32⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BgYIIAwk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        30⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ryAcsIsU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        28⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgcIIssc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        26⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sMIgogcc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        24⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kUMckAsU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        22⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oGAMcwQw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        20⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uiosoYIY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        18⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nUsosAsI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        16⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zWsUMQgs.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        14⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYQIQAQY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        12⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vIEoYwIg.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QeYcQYIM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        8⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2024
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:896
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1404
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1332
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GMUcYkgk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        6⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1524
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2332
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2660
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\KKUgoscY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2968
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3028
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2448
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZAEskMQQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

Filesize
227KB

MD5
be4aed9c850566817a0fe805fb1a5582

SHA1
472ac49fc3775d0b14d9887bd23b5242d8118007

SHA256
dec4546bd8fe00e0b20393939525167a7f593ad87e7e9f77983dfae776f09d50

SHA512
f6fc93a5086470e1a0c901aaf67679169ca1b7afcb30fe4cf87797d7e1f47ae22ba8278b85596980ac912389990af805bf7bb2f71c9416de829aa7fe24ff447f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

Filesize
243KB

MD5
ab9662729053d3d8a093f6e9d5c96e89

SHA1
eb2fd95f722960318e978758f47a1e53f675cd06

SHA256
4a4d33e700f80aff57800a7081a6809ec5232ebb92adbd5372b5f836ad70f56c

SHA512
99e9beaed269cf05b6c35dfc1971705c0bdb2a6ca2814dc86bac9621c9fda8879c065eb7b364dd13e56a5bd5a39c6c4c39c6cfe7f50f3dd2b1019a6f87982d2d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

Filesize
229KB

MD5
a4edb570f6f1d6cf597e74cd1c0b85b7

SHA1
3b37e37bdd231ee7a42f5066ef4c8a82e4c5110f

SHA256
a43580b20c0bc7a71d1b79c38930039e0e4dc3b26354c1ae56b3b878dd24858b

SHA512
cc8c4d908663055d1791086a91d72b58f16a67d0c5603f4ad495e57a7591ab0ba51f91778eee7bda8b8a997df813432488c06052cb6288a7ef9198a7b220cd9e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

Filesize
242KB

MD5
6cd927405cd569a76fcc258520d44ec5

SHA1
6bce510a5063255e0789e9989695317f7c734c66

SHA256
0208183885b73170227f3d349bad5ddba261de5449361d3e6a6d7c1b8f808ba9

SHA512
715f2829ced147d80652caed45f2da4e923712b96b5a3ee8639d263747695c483e40691e7e389fa2895d87e2f077fd8180164fbfcde0ec77b69dc50ce01bfd5d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

Filesize
244KB

MD5
12de08390344db2bfeaf747dc89bf821

SHA1
394f27271459a1c9754e56982a8ca49ebb20e2c5

SHA256
60404b37d4d352eac5749d5979e00f57bae1f30fa86e11b2804933c596c3829b

SHA512
de3ec9447ebd28a049dd27c51e004ff425d4d4d9f2d5d7e2fb2ccf6db63513cbc95e5f17e62d79367b270d2807bf91e78ba3af33f3556186084d20fd73554268

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

Filesize
234KB

MD5
ae9004a45102034732dafdca9db02948

SHA1
d1a2c4ddbc8ea20ed7ab18d6c291cc2adaed7b2d

SHA256
8adfbe180fc527cc9c8bca90fef75c51d130683fc9661cb36c4d272475d21a2b

SHA512
a15838c0e687d30b4bdac4ca8a77482606ddcde61bcdd1f13620c548dff289c30f24083d4f099699a1b88d0b1062010342fbf17c9d61daed0f64e91ccb49dd46

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

Filesize
246KB

MD5
2a527f99f38b3bce100c5d2391db073f

SHA1
4e837ced386d3d25b8125784f2eec69a19e3cf1d

SHA256
c7fbf6d1fb0682fec8a417317cf0aa721c3a52605f6569071ba719b1f958022b

SHA512
51ae044fd19740f44298568cf47d60d95478377cf21b8c14445bed77ca1d7b4602dbbf90ec1f8701e2b52f7b5fb1113924107a1e0a2306072a0317e1efa91f2b

Download Submit
C:\ProgramData\WyUkgwss\lyIsIYwk.exe

Filesize
197KB

MD5
29d62f1aba65cc5d44acfbbc7753cbcc

SHA1
974027576c13813fda6a4a158fe7fa8440833fb5

SHA256
645642889e1f1aa999cd368d64c31a09d3c3d65b1e3638d8114fac9e592331df

SHA512
923a4ffb5ad6799e68b814e132e67179bb6de8f095c585a1531701d3d839c74a158df7f31f489bd94601a87e03e53f81715e9baf0c2aa069e642d3fa7dfdada2

Download Submit
C:\ProgramData\WyUkgwss\lyIsIYwk.inf

Filesize
4B

MD5
8202f0381c77c5439d6b233ac89b6290

SHA1
112cedf3b718ce996d40e4cf3fcf62bf06747fe8

SHA256
9d5abbd1b894d2485af1109ddbdcd1967cfc8908850e8b2949fe50a0972bd018

SHA512
04a20f82492b24d6413930f84eda12569411ea1193642eebe57e19244c5cd28475d8fa8c7778e73ebbef1c6ede0211faa6a31cf56ebf4b5b7d7beb184b2d3a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5

Filesize
2KB

MD5
4d11d81dc520c49daec13a866ca2a200

SHA1
d760cbb77963f810c0558f94db6a0c4b0d89c5f3

SHA256
6918f0f8f0461f866a849fc691fa5de86db117554fc09c6497f9df363eb483d6

SHA512
85de4910ccd7a083239a99218c5bb520865f785fdb08745b19262837c4473a4ee47b5ddf96b7f2a1bb0e06d8dd2712e699e80968fce196b3e31832b48a442bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAka.exe

Filesize
233KB

MD5
548c8b37c0f10907be90c2e90478aebc

SHA1
d88af5824455f742786f990cdc14b2cf3710e330

SHA256
d05490f123d2cf47eb1d992759248a62501dad393d17cfecdb98531919aaa1dc

SHA512
abd9a5c59c12a482e160963e7505f513d1c827552296a5a3b703fe08db81622ecbc0c7079ca304ff9fdeb9a44a5d62f5f39544c3da02caa6a554cc5ce6fe2cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQYI.exe

Filesize
306KB

MD5
2870823f105a87eb7727c5086f418afb

SHA1
fca7eb7c5c3c048c5f9c4064ee6e727149dd004f

SHA256
153ea53b594f61d2abd8c104648118ace8d0e819598d7b8c28d32d7eba5d03d8

SHA512
c8ca8ba7346c74d4d62ff6fb0c1b11612f943e5eb77663addd45ad6f410f499b9ba2bf9d3a95df8d2c01448d8c0de9f3641c994012eda0f7370486314b9e566a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUMC.exe

Filesize
644KB

MD5
93e51c3ed41f02404323238801212b04

SHA1
bb18dcc8dad7bd2c372c97d2cdb5364b0aaf0033

SHA256
5fe7b99dc2273e7feca6d22106bd29e8a98d84bc06ad2dfd820acd460a58a6ca

SHA512
3e58aecadd4c13a16ee3f52ea1d83d2bd87312d4b1da21eaa35380d5c33913bb1ca37a0b7c659c73b43799cef48b1bc38bffbe244ffb98db279c129fa84b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUcM.exe

Filesize
250KB

MD5
f2f96c2dd0a29bd6e8d8ab5c765d7a8e

SHA1
d49bbd1d234c098bc653637b774d0574fa79da7a

SHA256
2a3c7d1c3631fca3de9cd2f8689c5fb86ad9cc3658ba9111a08ad3f1b0cf77a2

SHA512
0bda41b88f58be6be67d05b17f26e7a1f357479dfe4f55d828d2d867ee964dd66b87869892c9ce2dd2dab9a95fb34f58831cd2bc7183256012558693ff6ab60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcQgYYQk.bat

Filesize
4B

MD5
8c978e2bb383008fc9403a87e59bff9d

SHA1
bfa5db68fd98ec48d64d38f43a49f8f4a0654101

SHA256
eeec4fac9c6fb6a2b9bc2b624eafd0fc3eb9f45dbb67ff049e12ca6932ea5bc1

SHA512
06143e6595428cd6f7b5625d02817eab6399796164a350ede4391cfe5bf7f26a8ef5fa31ac69f7e158beedd483d29d55abc3b8a4e80790724fd618e28c87a4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkcK.exe

Filesize
246KB

MD5
76033b1412edbffc7dd40a858220c993

SHA1
57d331834d1de612bd939fe5b221a12bfd059b55

SHA256
e9cd6d15fe299b9743c4ce3531218ccfa3c0ab986d19c351aabd4c7961b5d08f

SHA512
3c7a605fc7ddc833781e378f0bf066f93e5123db82a1d3029f16f81bdf87c2aa3d36f16d37364941c83d52552360765d74324e0ce97d9b4b355c80ef2bb54e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQwIwQcg.bat

Filesize
4B

MD5
c80e40b65c2203cfc0d40212da881569

SHA1
8ec67b2bb23f287ed6ad2ee9465898683d211fa0

SHA256
aa28c04536b5d4c5bff68b403588782e2eeec7585e050bca6c62434859c51629

SHA512
8634fb0930d2bdaf85bd8d0ca58b1adeb8024aa40c1b055fbd3aad5c2a12f0e671ae0406f9a06947a54c1d8594f99bbdf5f54ef0d3345bda84f3f4f655665bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYUcIksE.bat

Filesize
4B

MD5
22633bcbb6d9408992740da3b5637534

SHA1
1542d741b926e58f92f7fabbed2191a3fc6f2d90

SHA256
92dab952b2df2e24dd85bb49b74152682e2ded24d57f4be66455ed50919044ee

SHA512
32e18040ffba6cf3f4a1949606924352fb921a15c0659a2b0da7beee92b4fa3484a7dc20e969eed5bf9ac34aa784544bf3d6dfc03ac73a25050200c4d79dc9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BqkgAUMI.bat

Filesize
4B

MD5
6208c652ee8d8d820d1afe504a0229c6

SHA1
dfacc3005dca00e326c0722842b364093ba6f548

SHA256
6f201dff7ea8dd3880ce9e541814470879c8e73eda24647b1ca1e1f22c88bce3

SHA512
fe68bf3e7672ea56903b09997cc02d17c5985c0cf813767f98e899459548b46f52623b39456e6a8ae8d89caf53c8f0a558785be148e085a4f7c41b66878aa087

Download Submit
C:\Users\Admin\AppData\Local\Temp\BuoEgYEk.bat

Filesize
4B

MD5
104a9ce4ec6d76142b1cf0337b1205ae

SHA1
97c82939a68de72f39bd8e995100ac6368341924

SHA256
36f79d3abf20526c7527b80675c1a84d382032b78a5bff802f4b37e1bc50b094

SHA512
588aa2944514ff8e23b6019854b59f97b336c3d31f47fa16be735efd14e31bc8dc79f51da662d31f3fac65e94bdf84c84fb019945e72e076349d6a8ae909cf78

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIEk.exe

Filesize
230KB

MD5
2c2e42b835029141af10f57e7d9fd2a5

SHA1
2805825f77a405426a6df058a3c508b8f5ebc4e2

SHA256
8e3a9530f092cc901b153686b6f4bc2b434b7897180fdf79ecd1b34c07cfba44

SHA512
5548b36892c1b34535df7ee0a3cca392a59399a3c44d99ae51b16ab31cf9123981bf5a658e7727658720e96ed40e689856d1a6eee97cd5544959b8b734a14d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIwY.exe

Filesize
232KB

MD5
2a4181dc997b5fbb2a3f562def775331

SHA1
813ec7cd8ae7e5e1a545880495715d0add2bfad5

SHA256
54b2f0691bfe95c34e53d2cd1bb2a89d03cc648c0a0ef09c143c2e0bb7a86854

SHA512
484eae45e48857baaa25f5411c08b137bea89cd6349e5ecd84b2df0144ed7e9b779d37bc374dfd955ef94edc99c46bb6e2bbefeaccf7929bca48f69433b31ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMMK.exe

Filesize
231KB

MD5
4190d6fb514756a5a4a4d5ff86cca4ea

SHA1
49d0044561b00e746fed309abd112752763b2b23

SHA256
a8741d15a24a6ecc196dcdb070ac21fb54f2cef55bbdedafcc6b5c72cd0e39df

SHA512
341296c3c67e594e6542d6704d4fc94585260f470d4c475b0280de40d119b0cab89fd796ed90db1e9960592bfe5384b5c6a1b7586a3d9054ed8b352d4d0817a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgEIYcgU.bat

Filesize
4B

MD5
11e625cc98ec5cef9e38279dea83c285

SHA1
cf3f292de83a8d4a6658a893580cb556461d8587

SHA256
585dda7f7d88d4034606d43debde4aa5467ba8997303a6b91704d579007ce995

SHA512
548b2408c1dd54bb34f7691e1666d9e223f18903c01d68931d545a8224cf7325634611b55511a5fb4c3330f6397b7ca79460edbad27776eda2b0b43378b754cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CksC.exe

Filesize
235KB

MD5
481ff2e58f4e68a11ba71f4d54c4b96a

SHA1
78c6bae49e9a632e3a717eb74596b08a3adacfe8

SHA256
e0f83dbdb5f093fa8f9a71306619b0d0e2e902378cc5fea3521a5e8bfefb8524

SHA512
66dbd9780883480753565c4ec50ea74814f3e8e65c99ad0dc1f322ef44fe5c6b6e38a3e7fdb918150f00339dbe1bde071e89108f216c7cb1761b4ff6db94d580

Download Submit
C:\Users\Admin\AppData\Local\Temp\DWUoMUAM.bat

Filesize
4B

MD5
c5aa91632fea5e7421ab75d7ba5cbc2a

SHA1
cd58e420db0b226506b33f73ad6c0c71762db3d2

SHA256
8e1643bf88663912d6d94dd5ebf8547520419cf6678154e70519bca31d8359e0

SHA512
56416c7069d379f3926021692469fb15c9dfd1a1f01072eaf3a83295c1c454fd4efbb10c5caf76397ce8e808511452c619f0606ad7b3d29c02a0b3f0c245bfa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAswIosU.bat

Filesize
4B

MD5
11c353d753d8961bafb3a11eb6ea4c91

SHA1
3ac83233226b10837017426aad0b3950813ee43a

SHA256
19677e2e356dc2bc4eb97cd9427b7f93fb77b292006c731d8ba08bc82ddf1fad

SHA512
9765f6999ebbf6ced2c9ddd3d6cb248a6e46b74f0a13d4a242218f7ee5d97f2567f6075cf044e8baed8257c1adf6c8e2bcc8e6f49c250dd0fac74c1fdfbf7424

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMQssQkY.bat

Filesize
4B

MD5
a49cf47109a8a100900233d7527fe2ad

SHA1
24f1aeeeb031e25fc5fbb985176c8be310469ff8

SHA256
091db6ca47b4c2922b4f412c6c503b3245cfcb8eb67fb8678380c76b5b03c004

SHA512
292256738870cdae5010ab2354992368a4ae4681894c832237d1dbf7bbc5611f6393de40b2ac530103b789002ccb03582547d1c9c1a2d2b821f138283873b6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOIcMgsc.bat

Filesize
4B

MD5
a1e7f93dde9f74248381a24e79361f81

SHA1
50f03db75c7f44daf25ac7364ffa48cb2a90df1c

SHA256
e4a2444024f0acd04936870a6dde99306a7bcdc3b520b70347475b11b9870291

SHA512
524fc4187f0c3eb5ceeb172c565b4e2d63ec711a1d167a959ce17032a185f1c41130b24655cbadfaf46686865c50d10af9d3b82223ad4c1ebf3a10d7dbff21da

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQQI.exe

Filesize
240KB

MD5
946b035f46187a4d6ff26b93ca9b2ecf

SHA1
a99801d077ee031946fef6335d03988407596212

SHA256
0fb1ce46051c0778008a4257634e3404adeb7acb1f6f119b14669a60115f5446

SHA512
0b468a63c90e1c18eef977543bf5fa9670efe57f4eb17f024791aa19e1b051c5fa10e864b6c8ff604db37145a4d483d1008702ab566a874eb851a821b9340a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EScwQoUg.bat

Filesize
4B

MD5
1100cbe3812f7d582202a014b48b9f9e

SHA1
ab75c56b95a72d911bdb7336a4e264018badf88f

SHA256
85def7d8103d7986c27f4f3a811f907550dd1109d569abdc9978844396cbb4df

SHA512
73ca12da53e8129c4f1833821627b2051122d1206a6e2d36bcbe723055c782bd5f01b03eb3741a021a2854aec0d14821153adc6d97c5464a0ad4e19fd7fd7272

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESgEkkAI.bat

Filesize
4B

MD5
0d04fe663f61bb3a6632406f116cf014

SHA1
7b668c20709d875757f79d990df96290f4af6049

SHA256
559d11af70b4a49160d56796c0660fdc27f3690192aacd6632026ffaa71c9dd4

SHA512
b91a8d3ccbc186840eca028b4f4d39911e072f527e34dbdc18bac83e27fac34f40924da5f718f82a07752d7f96ecae2e837385ebe8a057690046c4c974e442f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgQq.exe

Filesize
238KB

MD5
171bdef931890f48c44e4b334945a979

SHA1
5290e3349abaf872390790241fb85c82c0c59d52

SHA256
4653521183ea79fb20a0b71ffcec83c48ba888a2cba2477423b18209ad3d8929

SHA512
09c64a4cf7a7ae1f7c52006f97c0c2457456f594fb12f047c66cbfcecfc76aa1ade04d174c4917d89c6ca6e7439f0da108a4a8ae2d07f1a36206291b723a4bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkMM.exe

Filesize
249KB

MD5
ed91a8e3f743ace0800bfd8b0658e827

SHA1
fdc099a44c2dd0385fa5ea715b8b44a550086758

SHA256
c85b08ccc6cd71a939d4b56ce8252e85e860fca788855be968b6cb306c48eee5

SHA512
2a46e63225be3d6de26ea040506ddc2bc060b77f3ab26efa370d8b0803ad8cefe5302df6dfc8f44b503e360ed00c33692ea40984a057e930b6a506b8a926d7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsUwocsY.bat

Filesize
4B

MD5
c89592f2941149ae6285029074f8b821

SHA1
937a617527ad9a9ef6c8501319172849755af286

SHA256
63066d925a2d8cc33f21dcba57912e7c76bd89e65e2af39113bd19aca411cb85

SHA512
22530973fd80c5b634a0fff0b5fc0bbd13841913e8ae934cd95bf23133456abd6438a54a8bd84f94c0549343127673bb7707f134074f2c46fff0cd961159976c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsoA.exe

Filesize
242KB

MD5
72a46e7641109862f70840753e3548e0

SHA1
43d0519db64aab771a014f37f59f2cf41d2afb2d

SHA256
bff46ccf4ee43c5329d90e095ab9fb49a66cd78a16c5e3001164c09d5f18d6e7

SHA512
aa17c601347d9b0db8839e0af90906b96066e61fd81493bf2c4b90625428398cc7feb539bffb539a89860770bf921e64bd50554b12187b6bfff74d5a7651a0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ewcq.exe

Filesize
833KB

MD5
bfb6e830fcc8759ec28474a939e43257

SHA1
d24de300f35ed9c5f651741f80cfe1211e30b56d

SHA256
98804f6eb85c074f647f3d86400f7af5911f856eb014b5a8a14373a93dd5df80

SHA512
8bf91cf5b4c968f917cc231954832a9160e62dc99d7b77d7d8bee46be920c693433f207fb4cf69920169b4979c5f95293cb7fa7815ecf0c7c3772aeeeae8090c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FeIUEAAI.bat

Filesize
4B

MD5
302f97fb67e5f5b42a59533188ccde0d

SHA1
b4e95df7cd62ab9120ef85426d3e5f87d7e3cd83

SHA256
7fc12e39423864a7672d0cd93514571a95947fea1b117ce085a0e74618f598f3

SHA512
82a6ccb3cf5ccef4030e55db7d397ee9de1c4515db527182bdef5dfbf18d1a6d40c980cddb07446b24aa3e9b5ed365ce939229d2a698fbf4e432250b2ef28d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEwQ.exe

Filesize
204KB

MD5
e2eb23c36873be9615047b505df2bf8b

SHA1
b4655ce9a5ff0cbadb5572209b72913a37a88fe3

SHA256
6d6c077e5ffe1c78bdf20d0caf24ef74c984a175eebbc9bc42b9002651db660c

SHA512
3a0ea465fe5bc45d657a4797a236afc81b652ab5426993841bd145d8c846a645ffccc7930af911dc9997be90396705b10dd99248a9e20dd07cbaf8e19add0f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIcU.exe

Filesize
244KB

MD5
2c84699717f82bf47e54f4ff4baee674

SHA1
41a83cdeeb18cd68eb95828579162244c7882830

SHA256
645d3a850075d7f8b8a504a7bbf4b302c681287197beae2e357e85acad7b2c0c

SHA512
4c5e653d307eac219285e98bbf3561c3e823defc19856dddbb583deb32f97a886e7d67ca0e178aafc100ad835f6086400f15732a590d8b462f9a32958cdc6c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQUK.exe

Filesize
212KB

MD5
afba5b6d21b9d62d657f34610767a334

SHA1
fe532de114010bb8f005e13697cd8c5b7c003870

SHA256
21a6052b184c36a54980c3cab015afa0efe27cce83beb44ccadf2083659fcbee

SHA512
cc536de571b678b1e07bc641871c8e679c2542b5da6f9808018a0d6a7937e35ec5ad01e1e28693f84b16bd3c68cd86b7796e41cdd789554950b8ccc37de9242a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgEG.exe

Filesize
234KB

MD5
9c0ab3778b56cdcc5411ecfea388ccb6

SHA1
806198cfc28550af9da0c74165b5c9b3083a4355

SHA256
dc84c6958a88dfa63210ae888910ee8059049dcf5f2bac826409b4fdd2544899

SHA512
b1f2e8f0a9b3f6f20de6b3e9ce2669f735858398488d767f0a53f1aba72324c56846c6239aa9a989f7322ec6ba44c62bb1ccb18ca5bdb64f0b1d498bdca5afc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwgM.exe

Filesize
205KB

MD5
7a605f4d9131e735600bccc27d760596

SHA1
30b963c962ee3347ab64c1650e354dd1e06666bc

SHA256
a0dd69129a291f3ae46f61d28e21a5da7e0390663f6d666d786af5ca58a6c49a

SHA512
444727366055fea929b6f68dedea0450b59ee3b6427e98ad6b6c2f14016ecd4cb268aa456ca128c1497d51a8db1e4098cfa651183906b7bb42063531e392bf25

Download Submit
C:\Users\Admin\AppData\Local\Temp\HWMYUskI.bat

Filesize
4B

MD5
090dbe413bf879131fe716b35a4d3e8d

SHA1
7d9401fd8530eb4d2e326cd3ae36632d95b51aae

SHA256
84c2e90ffb31445bf424b85deeca23966db4c5ecc3f647484d918d319e86faff

SHA512
3970af53304d3fbb53f7e9e4eb7736d88fb7dc6bd375919e41d9e88601987f62654e5a53c8d3f7479c636d091ebde491ac1135802069bde121fae7b5a2f1d06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmoIcQYw.bat

Filesize
4B

MD5
2f3c4454679c916cf1c82711b7eefadd

SHA1
02899bffc4e6f97e05d716f9ee201ec07bc4723b

SHA256
e19e43ffd0c6fe542def58b70bbd95aed2b7d73d58dc0f22d74acce7a0812b6f

SHA512
120d186b1aee405b6a8084db6dd696b7a82481aaf849d6fe3ca77f7d471274a4fa720b5c1e093fe0f5e22f473ae26439fb50329deee286fee4490279787eac23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAQO.exe

Filesize
509KB

MD5
003d893a4b848b7e2d7be702b2ef68f7

SHA1
264cb44478638d2646693dfa598d7181ec51df7a

SHA256
6ab33ae46d666f7ebc7fab5fe2f1336b7e5c1c319f8ee79977457eb302a103c4

SHA512
3bf516cffb7c1620c8058187441c0c0596145958b112b80be4714caf215ee7eff91765a9dfa8df37d3523cebbf61b1deed6b672e9910bfcea47ff03950cbfe97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIwQ.exe

Filesize
233KB

MD5
e1467741687925411a833356b7d39002

SHA1
c182ab07368e0d35429a8a840cc79671338ad4b4

SHA256
be5a64ea7702b4becf9655553cff89f110d009983fcb5136def661febd0c2a69

SHA512
70ed4634485ee604bc43531560bfe1d8f7aa7a56f19d9bacb120562436141a97babca128581343aebd0b9feab89b2228912944e8035ce5463b9faf2d81ba254a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IKQcIAcM.bat

Filesize
4B

MD5
6f821eb8f02f8b28383175ebcd2eee65

SHA1
84f81a200821a44dbc53d1e8d94f0b9372294232

SHA256
917824436276855880efb169bd81a5285ea61b6519d72cc4352088d8014dab63

SHA512
33abf6e37ca6b7e050edcb8fb09b031b8376267e3aa8f88894593cbe5ed8d18dbdf29776d7b16cfa38e6cc420d2d6c68a0e4ca5169ddc6ff2290972c62a44e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMYI.exe

Filesize
241KB

MD5
397c857af0021d0dfff703cfeb39b5ba

SHA1
6340ee3046cb19f22818a8954aaf591b22b2a044

SHA256
42a4607bf5d22586dd35c6852c5e432b6556f7fd113672dd3a20a8a464a67940

SHA512
40007de64fcea01bc4cd03918c934a27aa2549f980e7383bba0d6e3b00744f3ed1f82d4083d524fe7d1dd4743c98e7275d4585565056401749bb13f03772b871

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYMu.exe

Filesize
227KB

MD5
fb9daeb6d05497434041d4852f9977e2

SHA1
99c1974f5a8563ecda8eb8b253b0d2fde19cb990

SHA256
49af586ad17b31dd271415c64f1549a4527286ed86f2b6ec8ee5b734d0a97b2b

SHA512
3443a659d4c7f573d214f48b7314ae6c62288c8829aa27ea4f25906b4b69ef6f465e6f2b87495c25b57dbe557ff1c481f6d01cf121ad941b4db4a6e419ea0ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcUq.exe

Filesize
240KB

MD5
168e3d22cf4390007e8346c73936c2eb

SHA1
63b99e69dbaa8851982df41685aa700692611538

SHA256
8335bd0d12f9b0088edbce45951c1757b8c810d6c0bfe4486617c00f4bf84524

SHA512
12b07f86ca9f36f349969bb4847117fae009de272f74e32529a68b00676f53221cb49b59b801a45eb2d9ab6de536aa619cd9b81fe9f8a5d46006cddf60078b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IegoMgMs.bat

Filesize
4B

MD5
5bf0232a6bea3bf238d5e313e277433f

SHA1
02559076c2289540b9e4c69fa35cf4b3d0443a40

SHA256
5f46a01b68a54d3315e0dc585b04fd8db67e96c4db87726d02ee0759b2b80a67

SHA512
009f20bdd11545cb897bfa9d2a8be9ffb4f19d5efa63a5dbbe4d3e24535522fed6c8f5e2e5e4f2f3fefce0f9d23e35c50942090dd394a7a7d307663ba8669734

Download Submit
C:\Users\Admin\AppData\Local\Temp\Igoo.exe

Filesize
182KB

MD5
69324f13132b108b92333d7ce9557219

SHA1
a154678ce24a11043b1a8fa7905dd3a60bcd6276

SHA256
089fc99d581d012bae12bf7e0d1a6144ab40da73ff30dcc92c7ced60d53ed05d

SHA512
3eaf070afc3dbece4aece164eb9e3102ae9cbbbf37ebcefe84d8cbda63ce41bcacb8eec8f2bb0d8e3719eda0be357452d2ce520f9394a06c64388db8472e25a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkkY.exe

Filesize
238KB

MD5
0fff01a7e9969a69690fcc36510bd22b

SHA1
f50cb517254535cf4f68ad6b91e3b020dc764722

SHA256
ffda23f94385f42306f3c2f54bc4e93adc8306076a1783c227f70b6369a1f5c5

SHA512
4c1931a546ac9538767149761a2504e856526d05088149d3c6d93f25124f5de02f8eb9cb1be6afd8bd7896397baf0577db24f3a9aef987e32b66fb67f79a2ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoYi.exe

Filesize
220KB

MD5
1d13c92cc5d78ed0f6f5704acfdc8bba

SHA1
91317634edeb16209718f2bea5030a10658e097b

SHA256
4f63157d4cc74a6355f5cce5a6f10257474d99a5456e90a53c088dcf45a3b41d

SHA512
9b2d3f574f2bdaedcafd513c1dc5c5f3b297cdc9b831731331abbced6a62ce184aecea786c6f7db52d86e20f2e7da50a723fcbdb1c8dd85f6dc439f436d7eebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQYIAoUk.bat

Filesize
4B

MD5
355bb5d4eb41b84165f91ff31893bcdf

SHA1
1a919a6af21c635ef60da1b1bf4281f78165dbd6

SHA256
85ffa518f219e104cc6111bdac7a13ed37abfa13105b07c119e0b64f1d94e554

SHA512
571159de9965ba89876a649bdd251a89b9ed5d9303bf9dee6d41b7efbd1e189ecdb23b4f7520b11fd8fa8824a397f2889954baa4c44d9442af4e8ac8d29bebfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUIgckoU.bat

Filesize
4B

MD5
9bbcd6bdfc813d8e131060348d3d50be

SHA1
f03e2562ba9146cb3dc1579b2979702909667ae4

SHA256
226ac151bbd1372697375316a9bdf2154b2f3a81ffbc7bf0c3e4aa07a2cf9e3f

SHA512
f73c98d544d6bc63e1b4fc3ad10d5f4e100f04f10e56a276183d9462babf9a6b2e7a5a2e31fdb9ce48bbf6a6a75741f0437a8ccf686070e6c0e1d2b12945a0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYck.exe

Filesize
311KB

MD5
0c012473dd5322492b59cdefcb60faec

SHA1
c1cf5d45e23c50a8c902d5ae3fa51fc5b5fb2c76

SHA256
fc69180f37426e19b4eb9430ff50aa6ad76e572c04e3fb744f8db4072755da0f

SHA512
63ab4d0300d2c92ffd76e3335a21ea4875c27826d209563afe7454e7f10bdd3c24f90b77d652acb026dc74bf7f3ddd8bbfdf7940963ec8d287be717e12d0fb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LWQEskso.bat

Filesize
4B

MD5
cb864e0b8cbfc1e3a59434c949ed9bdc

SHA1
eb142fc8cdb4e137f0affaf8f9c40c30096d9c66

SHA256
e65ac8bf63ad300e4ce880e74c21781aa21cd8104a3f27e887c140d6b0de6aa0

SHA512
838dd420f8fe0c07d9032a5447c9a297f6a2f5a318e0de7acefb6d4863dbb1d25260b724292f4248a285d68e7dc6cb67771bcf909528034e13a167cc9c688569

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCMgwwUI.bat

Filesize
4B

MD5
8716b09d176270d9cca3d09ed64f1c1e

SHA1
7ae464011a167e475cd03fadd33236f83f0c63ea

SHA256
021bcff98715ab900fe240afb89e265225f960ee407b00856e258a973e051710

SHA512
8c33e0a5df73d3d2178d45b4b7023e21c8f5c296dc74800c2fca23fe73346bb6f3086a0949906d7a904fb20855c49e4f7a43efac6536ac1ce2f88ff7db245151

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCoEgMEw.bat

Filesize
4B

MD5
538da10f52f30e39efdf2ce4a45ceec8

SHA1
718a75c966352bcc8a1cd6496c33b8e03ce8c3e9

SHA256
c03532ff461d8c0619f20088ee11f53d481e3821fcb9df9772ec2e4add2b592b

SHA512
1f350d98a7018cf48a7791ab5ef4f2841e53e2103fbb44d1fb9703a820950dce116b9f324ac70c5a5a168f275198bf07d06eb8f030124ae2e6316c4a6be2d3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\MOYQkYkg.bat

Filesize
4B

MD5
4b9e667703af9eb48919f42b64d94f64

SHA1
eca2b6233328de98668b443ba64124908d3454fd

SHA256
05e5fea4fb57a71038cc71473723b6b3f37f62b70f0509e0869efd8649f90798

SHA512
32b306c6a8755e24f092ceb41798d3167eb366f13bdec3f741792a4cc3ebaee62904c3ae91ee25c133459bc070ff6c4ba4b5422acab0faacaa1e5cc47c0fb76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUYe.exe

Filesize
253KB

MD5
8df3ef91d678428cc819c0ca7ea3e4d3

SHA1
28ffa550ecd64149967cb50706cd3eb8b3394e4e

SHA256
9819334342474fa9797f9391fe7974e23cd057b43a184fef48971743bd83f727

SHA512
760d46bcdac847b186be5fda50024d3c4dffe3043cf9318ccb14b3e961b7cea913f333cf208f6d4cada6ad0d3c91e70f570582d0926af3d8258be5fbcc3b0b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUoG.exe

Filesize
251KB

MD5
7f07cf1290f2461929795cec61a3409c

SHA1
27b9639ff1c0226c54210e372ef30fd7d1a6d236

SHA256
11b75f85fab56357708cfb9474b070f223a1b504afb4e33d16b3bba151fbcd7e

SHA512
36b6485c500c3da3cc25cc851433f0c98b6f2b4f787cfcb0b051f20d66581f0edb5e7e6e3c6806b437eed18fca72d1f5684b0ee103360ab9230be8d2f2e41f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\McMq.exe

Filesize
317KB

MD5
a4bec49f05e33215bb72979740dc4db8

SHA1
81494a132404b54ee9a10825fe28cf5be95d793a

SHA256
2ba2a20427b9975cdc19b6758f673273fe140e4210510c5d39974cfd3fa6fe3a

SHA512
cd27363b6af430e617e3a8e9d038673de29514a2797d5a2fb27df65a66904909c51351ac17da6c20ea03603c617dffe171ee07ab5bd037d98b19485d4c448f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgQK.exe

Filesize
184KB

MD5
90ec742e81c9c95ad1ef35ec81eb0532

SHA1
f409f1359d828c6e40aae5c3c6ad6303f975caba

SHA256
3cd942df669395c49abbde092a2c824cc8b02bfafae1179cce0e3734787b832d

SHA512
b333d2e2c78d8353524f2c714eb91571b0c11bfc728d1a92a5cf9eafe3d8d4036c43e7951f77cc3a018dcbc846fbdcd9d9a31d40886376723ff414707e9fe81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwYQsQQA.bat

Filesize
4B

MD5
c30ad4be79e57ff6ed6356c7ddde57d5

SHA1
773e59335f1dfc1ecb3a4d94e608a9b9731acdc4

SHA256
bd0d4e709d80d0d891acb20a4849ca91c1078e2a3d388bde613e44bae2761c5a

SHA512
5e4dfa6dc2006be4ca0fddaa8e3cd8a3bdd62d0ff08f889b11e8c0bbe6caa20b86f018381c294a9a94d66b0cd1fcc704afc0e3a3971b4da1bcf88b286adbd323

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSwIwcIw.bat

Filesize
4B

MD5
7156470676fd593ade56a95394c558a3

SHA1
2b4240bc193156d342ea5fe008540c41d45b6deb

SHA256
d9894bd62a863aad66ff353b2cb482ab05a61dd7254cba16bd8801cfbc5af0ec

SHA512
94143b4085acc3f738124cd17873b5b45a73828e36bbd936ba22e8486864ff970778ffd6dc338e3b0959f2df253236dd412c55a0c68ab171c8606006748c745f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeMIQcEM.bat

Filesize
4B

MD5
2b846089afc8adb3d9aa1174c8012313

SHA1
c3548249dbcde02be460bfef6a76b29e3ab4289d

SHA256
e103883812e7ab26bc8bbe9b584f5ec09ba94536560cc172aebb89399c645c80

SHA512
a4d3c762fb8637c7f9b37fcb99a563afdab196af4f690b0be881e2f956605ee0684a638c476a071b7e98daa7486c040ab3b35f4233e92b8e66f854ea02a506ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgYosgMs.bat

Filesize
4B

MD5
e642888e3792d8f937b83790dcda1566

SHA1
7adee858776309a7288267f2c916796b927f024b

SHA256
f1275eccb4ca12117bcfb6923b810e972ba9069f4e73cba181e35850f31e8e04

SHA512
26f772a92f20e2f1c892109287eb4de284a1d18495efe1766e65f1a545987e7bcd7f2606ecb38464493254caba4ea0a79c8a9cd0eb4823e17f5103302fd732c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiEwkcsc.bat

Filesize
4B

MD5
00a8d724b4707a45088d3558753f88f8

SHA1
5133f913fa5b06ccc2126a2a29814e4ffc716816

SHA256
d23161286746acf561fb0ccbf319766a9933c2b0d1ea50ea795b89c710b367b5

SHA512
267948bf1eb1773de7e0ec95ea66005d95cf8b246208e317a2c44200e384ad65729ce429eb310e1789238d9c23b7238022e5b48afb3286043003e4b9feb31cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAAi.exe

Filesize
243KB

MD5
dfec56ab7ab4b03b8fbbe2ba4b8d5055

SHA1
c4363c1e7a82182cf61942b57e9793374c4eb432

SHA256
deba5998497fd33740551463bb384657df7ba5bcc9c12ef562688155c973fb02

SHA512
3289b6dbbdaadb422dd8cc23a392b0cd381a87693eeb98d4264af4b772875722437859e7ed959a7ed47a7cfd3cc86c4e26bb8c86982c79f38a44e00ab9d6b7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGoggoYY.bat

Filesize
4B

MD5
bd94c67430aa6be42269b9b15219b488

SHA1
c8e9080fad9cc122b10c1bbcb7e8a78a0c1ee710

SHA256
d3a0bed0c9ef1ad54a8658e1c3292d94f3f0ca553aa0874bd561fa06f879a4c6

SHA512
fba298e7b882a73c45bd6d38373918d5fa6f84d6cd3f22207fc089d246c46f067fdd04f1240e52f4b70aa1cb43bcb53acc74c13cc145853788b913e4a0e23cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIQAQIUE.bat

Filesize
4B

MD5
cc5ec6f576293ba6cfe3424f96f9bc7c

SHA1
6ab1e28d81c265eaede1c7166b54121344eaad77

SHA256
b97512894364aab2cbdf17a1a79b235b951327c23b9a1524c99529d94050746b

SHA512
5cc073c17e3aad023339ed010d9a693a7ca2eca573d992b02a39e4fa8f07241126d97d5902a835123cb3bb2e883cf73a33c6876a203bc13f31d325c1debaae5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMgA.exe

Filesize
209KB

MD5
0e396bda741916b4be621595da49d1b0

SHA1
902c84b8b48c3eea2c3d239228c67f7f7dbf9b7c

SHA256
3c2c62e41ef5cc448fef7718503b05d484543bff159b1547d65f573a8f79808d

SHA512
2b54405052f14d99568021afc8c00cb044398da02c79ee7cace0e76883ed959fb6355bf58c7e44248df16fb602bf2ff73c1da413ff6a614eab079e0b574474bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUcIEMck.bat

Filesize
4B

MD5
24f1a35438859354b485767e23a4e5fb

SHA1
abe0cbd2f7e02466b05e383481135a2b34362e3e

SHA256
4fb4e28718c2b54503e91978fd8ce46f9111c09828d48c447f36c9a554f64def

SHA512
ff4a9623e4b77ef06b6e2b27a2df3957db0405b448e422bdf31a022d178fe4153c590a0652d4a503817e2930fe3437af92cfc6cd668a165d302551456d360c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYcE.exe

Filesize
202KB

MD5
baee6fcfad280db3e0e28b5c72f57cbd

SHA1
017279c15a9fad91001c788212cd2f2a1bf5fd6d

SHA256
f1fa5719c64f9e3af9ba44671ff2fb0c30c593b67f33eb45a622cc2a1a853c7f

SHA512
3de9a6b139aea08b68b163c2a3ca9744717908297fa323854043b0cf80e081b323e851f1f0a82fea107c53482c48a9086cdf0f3dc61b8ae058d9fd206576ec52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ocwa.exe

Filesize
254KB

MD5
2ae57232a52e548a5acceb7ea900136d

SHA1
d0533426533ec588efbbba4d3157085cc033989d

SHA256
bece87ceb8cc95a84aa5f1c33b20f0ca49750fd43df705566cb90bd17cdff911

SHA512
a41f4da94ea977d21734ce934f30dadbc0c8eb5dd90a6cd2e97be3a32d4261961d84198e2eec39926eb2829489cf906bb0a9dd1f4793c012da7c5832f8585f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgIu.exe

Filesize
242KB

MD5
9a788918531d0cb358971cab17e448bd

SHA1
8566d68f6c95a0e304d4b99072420cf9c283c7e7

SHA256
fae2253c0d96f9db94bde1ab0418268cda849c69919d52d810c8fd10525b1149

SHA512
0ec97eac9de0343885a714e1fc89eb3d0cbd8dbe68df16d3cf6ac72578138ba34df82f927d8c4cba18a925c9d874e3e531a9c0b306d35b45a4c253819bc6d3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkUk.exe

Filesize
519KB

MD5
ebed4a1c75912a0c785effe52310ac23

SHA1
08d78b092145dcb67498791e4946607fa7d0548d

SHA256
b673cac9a4db84e2a9eef60ad107f5513ae05f22cf93a68007d2e7872f64be5d

SHA512
9203b0e73837c56f11048ea278b780dabbb50777bf5aa0e12177843339714ed20bac818f0f3bedb25d4d02cc075a1fcc9da6129f44333c7173b8542da78a6046

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oscu.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCQYskQA.bat

Filesize
4B

MD5
eaf1d81221ef48709fdc73ce5d1825ee

SHA1
42cf5e75941d87382ecb691dc8663ab13cb5478c

SHA256
2308efad026a9a237984b0ec0e3bd428450d6a89451c75951889022d6eb43b9e

SHA512
1ff412525eebf9397272231b5b1fd0b26952e75ac38a91b8198e6b37ac1d7182093a913e7257c331a88ccf101724262e3e29213829044391326fe7e5736d5f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSwsMsUg.bat

Filesize
4B

MD5
e02906b66e12ab3ca843633fd47efd93

SHA1
f6b5688c3df111b2b29236956c3da10aa1f3e5e2

SHA256
3d5bc8ce303c78c74483a0336220bb3fc05bd2f785275d88a5975fa22859da1c

SHA512
d9afea20c243bfc4f8cd388c459224e302812b7a9986d0fbe5f8fa3c461a8aae22cbb64e0158dbb188a6f07a4a4ea87359069c62ed92575ea32ffb7342aeff7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcckssIk.bat

Filesize
4B

MD5
ee598b00ca44d8e978c19940006c7075

SHA1
7e21c266cebb4b72f88c2d805badebca00f23993

SHA256
515187fae85eff1aaf5bee62ea4f3d48c982032c7ccfc13fdb0f06c07341e02f

SHA512
58c1a0e5133f7d9b07b86e6720b3b8a9c17c088b378692ac93694779fd2a2a26491e51dbeae5cec713ff48a19f008a3652533da40a65bcb5a204908b005bdac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PqwMscQM.bat

Filesize
4B

MD5
bad58da2fe460861b29bbf4c8b2f1cbf

SHA1
90fa9d4f3bd998697fd295376c532eb914cac127

SHA256
8d02b018c40c1e37f686b7a9f5ac9ccb62da1b9be78d02f56a876bb9f78bc825

SHA512
25a624b6a171897ebaa92c1a0fd1ef8b329e040ad4c8ce783a5e5da3e4a2a293811723123fe3931b2870d036e14caad1bd66678fec9528040279278e321cc330

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAcA.exe

Filesize
233KB

MD5
fd1e8d269bbb5b411a6d2b4f5d05d7ba

SHA1
0a254666e2a119520329072d522fcde19138f859

SHA256
1d87c3b33949af5483d91778b0b03f23e747b2ea17cc0850997c1d1a428c0df8

SHA512
5bffa488a84f17a1e5b3c1d956c3835210fcf30d88253721d60f760dfe7b10a05c53e9a5d502ade71b6596b8069c6c0c0efdf13cd62ecd1033802558277f6b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAoS.exe

Filesize
201KB

MD5
33e4b0ab94e3fb04ce37e8492ce81761

SHA1
ebde8b4cff217b8c2f973822ffc8c55a0ed0b62e

SHA256
b467036ac3cb2a7fb72456a750c5e551656effb27b21073265bae992ba685b5f

SHA512
150ec77209587470ee638af9879d9612d762dc31f48b8ef604234986ad41c8bb94bad498e3e9245bb12443e1a278911dca15469efc133de7e1f42ec98a1288d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQEs.exe

Filesize
236KB

MD5
9796c14e19ab183fbcb2006ad28b199e

SHA1
e3794e4380f51226b06b639504f598057b21a598

SHA256
d29dcc6bf7f10f3336ba72b879c4a59f50a3c06110cfb8543139be7bb555e765

SHA512
cdd448d9a3eeadb435143e88a79602324045417980c02d94bc312a4e3a08f45e59e9e9a3dfba9f46560b70e468224e5712a46b186803d5768e7a3599f4ce754b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQcg.exe

Filesize
227KB

MD5
d5de4b21008202688e2a5ab45944b4ab

SHA1
275ae67eb0e477bd1f7057078807a5d901008f74

SHA256
04ea4e243cfe1fbd095d3d0b54a9ef8cc2d5fc9a4b70d8d282fccfea5070ecc9

SHA512
769ab30e1a0dcfd55e194ef53170ee851185cf8b1fc77c314f30a9b916bde3f0d1ee22f3cffc2788c131d34b59acf77205b27e98dfb0e0afb172bad22af38ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWQUYkUc.bat

Filesize
4B

MD5
38ae4a974198a2f888d2526268689314

SHA1
5e48c1bcb9e75f8c6b5061a2f0c7b598eab4aef8

SHA256
ac9e1a2153553af0685f43668e5036f6c8a3b52d131ed58ac42524552e8dee52

SHA512
7ea1f5d2f2b25c12c259a97e97c682648b6d66a2644d91874e0a59f745da2a53632ae3af00d70ed266c28b18bdfe280cdc40dbacf570ee2288e64e43a97029b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QccIEEsA.bat

Filesize
4B

MD5
f6626cd4bdf67f417d253242665bd1e4

SHA1
70d0006179afe34b354c52d0143af1290c5cdbe3

SHA256
e70eb27f7e7fba14ea2c1a84bebc486b0907857c666d8fe2aef07bcca3609f43

SHA512
9a9f0d55644bab4585565cd8e0c6b42d7c6079b762a3a0004d2044167cfb001d6bea1dd8e33111e49a2661237924cc955474fef2bc1a36da92b3571921f37532

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgwI.exe

Filesize
247KB

MD5
c0134a117046ceaf3908e3addd7ca442

SHA1
6b91e5b285bb3deb7729b83b941f14297c05d553

SHA256
8e62fa392cf5d54fd4ba075aeddd62aaf9ac79b0c28c362022ec00484b878e46

SHA512
40313aa82cabb1cb3659842fa434b07f76b2d37c5342c6dc62ab523dc0acd307259793a137127e8e0b756d2ad41e9b66f952d7d4f83192d34893f7dd8534bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsMi.exe

Filesize
232KB

MD5
39f6a65c00379db407646912ae984986

SHA1
e3f647fb3441fca7fc826bbfa55738465b5b2639

SHA256
d88828cec1ae3d75ed57459b6d33d946c80c04473c27182e8ba82bc1b3a32ddc

SHA512
d655baa4e9ccd5aa98dd38104f2399c0aa092e017a92c52a37c6ff845cd537ff5ac40588a32f3bf52dc8bb9f64da90bddbd5fba7d74dea0ca9923e4b00c61254

Download Submit
C:\Users\Admin\AppData\Local\Temp\QyEIUYkk.bat

Filesize
4B

MD5
61ea7c4660a5288382219c4bc566731d

SHA1
b32f1b52a302b86ff96a1c4ce793487a598f6dfb

SHA256
c5888b2f9e23095f50de4053ec58130f356fed86ce6e4cc01c3add2bfb0affd5

SHA512
2e29e6886e0fa8d1723a83c7691eb72e6aab8694ddd4642e81809d651af824c8588c9d4aa6fa6d93823eefcef160c0302a2f215d436f2ac24c1ded5b923e72a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUskYAwc.bat

Filesize
4B

MD5
05c53cff2f216447cb76c55720c77f88

SHA1
ec325c30790024972b6991f029bb5ce1aa89a171

SHA256
006b9e2c3223fbb52c52d60c099efe1b88d64c5bf146a0ad36e2dbcab4aba20f

SHA512
f4f775c394a47cc2429e700f42c12e7074cc68a2f68d882c9bcc57b90d7f3e3ccea81c1a5d68c75b45a184af37123d96741c4aca61266b425db8edf3e25cc571

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAcK.exe

Filesize
208KB

MD5
3dfbf9c125abe34791af1a35029bf11a

SHA1
4d62181941e00f485262b5729910d9e7ad3d231f

SHA256
00ab17abc455d6c3c774073fa6bf193b4b0d417bbcd5f0169b57a4c0a2084ea1

SHA512
5d7f58cf5c9ee13fc985e7f8cf536e371332c8fa71cf2d69ba2bcfbcf30b3166678b7d44319829c9e2738658dfcb22ea403db746b95aabefde2c60c3cdf88cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAkY.exe

Filesize
230KB

MD5
6da043a850d6c04721e4943fff6bd58c

SHA1
07e204719696fae9d4c858daf7851311550b3b5a

SHA256
b7b9e6e620635bebf5b7efcb3e94d57baeb9e22a42b45650ac4788e9c5ecf5d6

SHA512
60053b35702270cbeac17b8f74636d76f67d9d6ef17daeb5f7803b294343e3b8edf09defd47fd28dcfc04eb7bc1c0280769bc46750cbe5a0f7d5510024d6e998

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIMY.exe

Filesize
237KB

MD5
1c7283ae698af9a5de588377f1242e47

SHA1
dd0ffb67fb6ba4027c0e9821c86014f27fb78a04

SHA256
60c1053708da6183f8045cccdf1fa6f2a61f5f173861e503fb0c3fbe56ef601c

SHA512
6ee3d95fdf887a978627b35cae3962fa80a4f0707534b77fb0672525be4c60d7499cfb6e27841c3a5d1b7c3c60a22f91bb8e0afaf9b702da84138b4865dde8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIgC.exe

Filesize
212KB

MD5
c2e7f00f9c96d21cf21619c75a6d7e52

SHA1
c09f11e83d42be703e77ad326b1fc4ceea1167d8

SHA256
9e284d09d73e373b0f9093798b11ab79b41589db86514b0d2205d85b8b09daa8

SHA512
0eddb69b3416faa1d38aed291b120867597a803dd608bd8db9c0861ddec95c21a115b70b2fba60c96ade2ad5d5295d558ca136e0bd714f72ed52ea29300c03e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMEo.exe

Filesize
237KB

MD5
b349197ec70f4e4c01227b08b446f556

SHA1
86ca7d480a8a801be988ebbbabc2d24323d28888

SHA256
b78235c7beacb5ed67a50f9836e87830362b118237571b3e6b4a153c7fb9d251

SHA512
8fdf28fc7dd81ed817488b0924ed13d5d5d74f8d3027c20f4b580d9121cd94c213ec3fef6a3c597b6a3ee562eb740facf27ca6c3b240bbf8932cee187890eff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SSoQkQQM.bat

Filesize
4B

MD5
0f70ae335e8db355a505e46df5074930

SHA1
f4fd0e5598a9f741765d8f512e269b7d2ee69374

SHA256
995b2b2fde060398fcb3390fc6ce3671ac3267dd9e63b8fdd2895bb450eeeb35

SHA512
16af9458d8a02aee5751fc6254277eac04a54ef94acd08f4cc6720b4abecd7096b8f37d41ffbc3fc9305270c16c73530910f61a63fa51da41d3a272a8e1c6a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUUm.exe

Filesize
1.0MB

MD5
dc4c795a54941574141a7001deb171ef

SHA1
7bde2e8bad00af97486fd44d8358e5a9298ddede

SHA256
c0d7cc070dc36a3aeedadcf3dd47c776355f678a4b96ba4701b329c02975ae29

SHA512
cac52d5a97920770fe3c794925fc5fd0feb05c030f2b8a4468a7e12104d0fef3f651da6d169aa76fe00455878c689c509cc42b7f7b44c758c8fb6c15849d501e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sowm.exe

Filesize
237KB

MD5
6dffdacd2cb585f56f06fd1e70fead87

SHA1
8d3e378741a13e016158d053369e7f1006c3848d

SHA256
92ad9a91478115b841b1e9ccc8549b7bc2c22c3e44246cbf76152c0003718c38

SHA512
83948db97ddc7eb3b96484c351bba5824f401db7740f8748fbc2755931e162f2ea1ed31a150bf6f723f55883bf1f8f2c83b026d8cdb47ef5cafc1f44b88cf918

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwoswIsE.bat

Filesize
4B

MD5
814dae22aef4402cfee1b26b4c024bd3

SHA1
1479971420af296d7d857d93b043b0144ac91a5c

SHA256
11df32a5198461dc7d729103ce5fc505f93da42031dfe5e215516960be01ad11

SHA512
dfccdc20d7b694f2cb3a2dab118054ba9facecd970485f72910af4aca0d25efad3d07bed059ca6d5d1e52bde34b8a4f4bfd1be0b8a86dfc5baefcad186a668cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAgAUUII.bat

Filesize
4B

MD5
ac343abffbd621c9ff37c0ce7a5f5e06

SHA1
bff19bfede26a8390a4d986d7d8938a46b01a84e

SHA256
ba95d851db3192ce07aff688b7a78552de79b604ab3ccc1c2e0a685b35ea807d

SHA512
ae578ff65f2f2fc53380b12ef106db29c74fb2411650deb3921560b9de0ec1e4ef64c0d48e2ccfbca34589350f75c2856090afa0e627c0d1c0f7d2cab7e85a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSskIAoU.bat

Filesize
4B

MD5
32446a2c9d6dc1f9ead5da429be6bd3b

SHA1
a47d452ae81ddf84c3097b20cc8c1375cd948487

SHA256
940f350b5ee3c4b390a289b60f5278d68273a9f4efbff346dd50b18edf8c9728

SHA512
0d46d8c20bc57bc5fe44545af984d77577a0b209838665af5d64f4e2b082708c342eed2c9e969ac9ff20fc78d7f62a986e705c3e9ab7da1f6303b7e1bb9117be

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAAYEoo.bat

Filesize
4B

MD5
93f50de8ad35c9799237d7302ae38a02

SHA1
1c72688983a8a0bb05e3caee0af48d70f75810e0

SHA256
ebc0ffd3b662738d3f349d4a90d18e11811931a225947e2d1d9520eb677cdb03

SHA512
a760611844bdb0343281cc701319a864624ea3e54077db5d5760c5a06cf0339b4bb2d0a998ae58e2749e487bf650a5d18015cffe7a31099e6d3893638ea1d032

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaUEocow.bat

Filesize
4B

MD5
b6c015f04882b5962d74d71c19dd4afb

SHA1
20a3ec595b8372469a79352e29f206f6e38001e7

SHA256
7ebdd2e4dd1fd565e91e95776c93374ad92615c21794b2ecb11b5a6daf93dd10

SHA512
a66178dc1f77f475b2d4ef60635cc39db8d085fe6f07ed9051fd4f085fbd930892a85c8703817c30934949822194aaca9ca9b3335996231b6119e52b52fff1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TuwgUsQg.bat

Filesize
4B

MD5
b59b6440f52a17da3e6604d950eeeb55

SHA1
4a8a6c2526da2390407f0c716961d8131d952c4b

SHA256
c101d1b420fed256158b889408a5eb5a0e5d14922acb085f936369b88db88d06

SHA512
2b97f4aec5fcdb2ee6cd3762b8c05506bead71a7f86c5b05e7d0d017d00e43b290cb3b6af82122ea5e12020569fde036b5b7d4ae406f258930d3f0d44e0e7336

Download Submit
C:\Users\Admin\AppData\Local\Temp\TygggAgo.bat

Filesize
4B

MD5
d13fb0eaeece0749e88e5b31d58311e4

SHA1
5516b29a8410450a19b10e5b6c7c557ef4b22828

SHA256
d8377e5b97f4ff014df61a9a34053f04c624876d9305b9bac56773da45a25ef5

SHA512
11ed0f543071f3512ec6d50e79ebab56e8a260c10446d5f9b9cf67eaecc00e751343ec5509cdbd8cdac2d29d997cc71fc994979864ee13cd09819e9b321ebb83

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMMw.exe

Filesize
207KB

MD5
21f64b73c7c037325f44f250f09afabd

SHA1
85108e102e83df30472fba8f73bb2f21da639c54

SHA256
c23e36fa4fa81e6508c746668d6511fa9a4f59cb5c8558b777774fad9efa5f4a

SHA512
77f5a0ac9e66293c43f37b683a8236fb0f51a05328a4ec63f1c64960f5b5d29cace25e58b5a0b1fefe5298cfb3927dbc94af22e7dcbdfd460b0eb8f4fb76e5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgIMUgIw.bat

Filesize
4B

MD5
736e1525cc626379db2baa0d13a38d8f

SHA1
40d20d40e6f1b1027a1fa99132de44d4ff19ae7d

SHA256
54c6ffd060f087de15fa7f7e24063e63b5a13cb20d162215e99a610ee24dde32

SHA512
5cc7c8545743cf02ffefa33d48dd2849152931ba6cabba60f1ccaf6002db681fcbfbf062da087c0d72aeef759d2b6967400b6668a06f1eee91275e03fbab6ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ukoq.exe

Filesize
250KB

MD5
70223451aabd87d61a483dfc8f7bd137

SHA1
b89e603a7919c574a92475412e413a2177dd5754

SHA256
2b875fd22855dde719cba67aef882e0bc09ebfc39461b64b735ae601c2ca93ca

SHA512
ad69f9ba90ffddaca234860a4a5b95d286efe668c32473d1dc4260430e6412d353962934110c853f3b97d5e086bb3082e13727a33cf4f33a53796b5aee076cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGMkoAAg.bat

Filesize
4B

MD5
3efc40fcdcf350a0ece0c8ac7dc6d3ae

SHA1
64a0bc21afd71078e07a6d2cd4572881c5b3b082

SHA256
4c9cf482d3ebb738ce0d0eff6fa20f4ffbdad98eeb3374814d2e289aa6a678d8

SHA512
b628a27670a69846923c3b89b72893147dc8b9d75e0a4115c61a30f953eaa46581a0218b09f5fed0e8ef52d1878261ad0ab7a8b9bfb4ef70a4f3c8b33874d935

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGQEsEAY.bat

Filesize
4B

MD5
a3e1c89e1cd4747ab1a85643fc5b154a

SHA1
91882eeaf33f97da178f5eb8a32b2c3e2b1efaf4

SHA256
31d86b6a0dabc3662920de19ad0a5b0bd1e5514878b32a94bdc77666a163990c

SHA512
a218883957d13f567887e217f01cabe5d3dc7243df58238f576b3c785f31d8dd23218b8a8598b94417de3c7b3cac6781c953782507c5d5026a7720b470259d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAgi.exe

Filesize
233KB

MD5
f2a51c426ad572c40f3ee3fac4a2c2d3

SHA1
b464a79f20e3928b0cbc142919ff29dccf7a05de

SHA256
768c2de60f3ec63146f65d692f19786066e5cf1f95f1334afa35387784fc8e96

SHA512
4c588a4b1c26ea4270cd5b1a4feaa468213db2736a6ce72aca6b646f7605c570b9c6f2e6a30707c243d5075c732ae037f30807813f784a6324881b879358a004

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCwQowsU.bat

Filesize
4B

MD5
b6f5dc1ace466d905aba42aa73f196e0

SHA1
93476f489ef2772f733229ef9455f1d04bedd3b7

SHA256
da9edced8c73f6c5aa8674230bf146d8ae079ac6912f85182a206e102e34cd7d

SHA512
faf5a408226229d841dcade4d719b8e37b1b96e501cf69daf992079e5c6924b2ebbc333685492b1401ca7d0dfe365760b3d9089f59a35dfbef0b288d0f2766da

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYcw.exe

Filesize
649KB

MD5
9b298f104d1f24d016bd042292881242

SHA1
eaaefe7bcc37513e4a94e192f9ddc0586fdb25c2

SHA256
1893c4ffe97add6a329eb9732b1ec9a97f7e42690c498aa273fb59ccacbace3a

SHA512
b8e806661df9515ee6ee1326fa83a4bb863749edbdb7a02ca4ac586e42a8bcf177250bdc40b7427e7d64bb91a71069ed50d401ebdf57ba21e7a6906d01a8b55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WggQ.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoQMQEQo.bat

Filesize
4B

MD5
3a5ae92f2fcea2c924364bd12a4d4904

SHA1
7d54cb6d51954dab7d218964462b050c19286b1d

SHA256
c9250c3ec9e5471c6126edc50a84ab08db16ea6efac3ca4b97d7fb05dcf8706e

SHA512
661b92b0290fea56d9271a2566549b1771660a08f8e785d12b10ec1da5be02a15fa12ef1435f59096ba13603862631b6bb89c4402a1d67b452a3d8458e51af13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwsq.exe

Filesize
248KB

MD5
35c963c0fae9ff807642c822b47129f7

SHA1
081848770b3130ebb9938b8c5d7be4ab99668b86

SHA256
e27a09b2a3a48698d6da1b95914e4f1c7422792c428260cef847878274858ce2

SHA512
f499b019fd6e6d844e57ebbcd95e4a33818b796f63d1cd5ab59158a16d910e906124f895b1c9562d4f6a505144d91fa6c4eb4e5fa41c02d28cc29d3f8a5360d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEgookoY.bat

Filesize
4B

MD5
3a241b81d1ef7630f44f847577af7936

SHA1
92c550e03f0c11f0c1347dde9ea4eb50896ba68b

SHA256
ffd17fb8000400695aa56edc25df69c71cde2bae1e06ca3b27f6fe93781b664c

SHA512
ebd63a781223e9016e0d6c31ba662e4f6b0e5d92e614c78a7b6476fe5f1a51534f72a695fed47da3e2a3d8dc59ed7c19c2ee9a8c08a36b664352445c537505fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YGgsQAUA.bat

Filesize
4B

MD5
455050faf3132eb16d5b64df7b6a937d

SHA1
11e394f99c09ee3ebc3eb7f7c5b56ef5cb9d8f0a

SHA256
d11b552c58e0f85bd1a0b825a7d1a14f00da0b310ec8965fd736285f6a4de100

SHA512
004148c74a61573b44060518971fe3ad6bf49e7f7a101a896cbd0abea41bb944ccb14b29e7b070961a41824c530cd869c64d4fb37712618d88c1355e04291ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIAk.exe

Filesize
202KB

MD5
ae0dd143a2475711ab7432a584c30ad2

SHA1
269ae74157e8ca6ed220f5f4a99ae29ca2c8cdc5

SHA256
0e9b872ca24719f4528959ce6438e940001b0a4b9ef3d4d568c1aa25561c254c

SHA512
cf3e3bd68eebfe4b3496cc21fee71624ee6172ee4d987a43c039ded532a467d39cb9b38125e00b335b25767f0d68a1ade86d32f9cd018cef62ae6d752012e71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMcIIYcY.bat

Filesize
4B

MD5
b585e1efbf2a722ea974f6a73ea03f83

SHA1
b609cb88fc65a78a08d4c874082f2a7891631ca2

SHA256
f0f29cd94112d451efd4d28426771c6d3379067ebd836a2c19e149643c90e169

SHA512
6f6c860543c68ff2048a9228ccde5a39d3a74cc00fe4d62ee6e91d362406e56ddf9b94df27c72482ad6c48aab4f768305668f761295262ada429980d74bbbe30

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQMa.exe

Filesize
190KB

MD5
501ef1d945951a3e3379e2e1605a4d15

SHA1
a7a45454b6baf46b4481b524d5e367ba631d84cd

SHA256
8e8ce30e029cd9d26169729de84748c96f2be860114eed5c842952fc0caefc13

SHA512
e0675fa10e95fbc9148e5e7f5926ef8050bb8ff9845eb6e9397b86968d6fb234d19bb805c6a2304f743e77f3b687f90c7543c2ee04d1de365f3a3bf855f97fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUok.exe

Filesize
641KB

MD5
b9a0f546a27ad44aa2f8e4c1d0f47213

SHA1
29ef0fbe76127e3d93d0f618edfa732a81a3fd55

SHA256
4a9ffecb6bedebc16e300bdc91bd95e943adc616e830865053ba43e041a6b806

SHA512
5e2dbc43c9eb9322a194b78ecfa26bc383d8590969162b116a8d817efc7b29e162225f6b6bd5c879be71c0721d4dd626d631d7388e2d745e6799c2fd45142f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoAE.exe

Filesize
189KB

MD5
555a457f5d043c70f08f910d52585abd

SHA1
2aeeebbe8d88ab218c4d40686f86fe27ab3982a5

SHA256
7dd5793895ca415bfcb53adb08a750769b6839dde637f271dc9ee3378ff42561

SHA512
4e8f38639ba499230887978e521a47adee668eb4665333b056826c4f12e014cc6205ef9ee051d2efc2a81b3619a7b3c8a19b3eb14f654a00ba7bc32566d40db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoQg.exe

Filesize
831KB

MD5
00fce612f1009737a3f58791ac23925e

SHA1
6d819072285d89ee76bf0d12c702a5a4e000117f

SHA256
826b8e83e63d2cf54166e254d74265f60f1508548a84a088ab1bf11fdde736ba

SHA512
a920e3bfe70399d0e52edb3c404aa7f58a44f4e8581502786a3bb125300a01f088ebc9dcb1911362a440b9aed964a516bed018bca8166ddfbfb782655c4e66a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YssG.exe

Filesize
927KB

MD5
4759c2479c296f582e45f7339d6bd731

SHA1
8aebaecda5a04fc118a453e0d1da96ee5fd2fbdf

SHA256
4c4aa587e90cb6d138499f3751e918cbd57fa83bfdf2cd51fa2bc6035e1fe21d

SHA512
905bcf8a2cb3d34bbbea16502e878c24e6b210142dfd13d9856d80bc5b195ee1ad21f98e7d8cc024ec76194d31d82e81a0c7a8b2343817d982c2868fd86ef9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAEskMQQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZKQQcQUc.bat

Filesize
4B

MD5
de8dc5687de325fdf58a3008d3925815

SHA1
60c930f16979877bdf850b2480686a70357658a0

SHA256
33ccf7ced28cb7bf6912b35157d18517aed7455cbea07e49dd360f6645cbbf4e

SHA512
c1ca54128fecf92d000ae39b6387b80c2a76f31ba64acb2ffe4966be93078aca2700814349c92353d8b6aa4f13e3a875182d26381210470516960f4fbc509f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZmsAoYcY.bat

Filesize
4B

MD5
aa0019b9f3a9566e760bbe46e23f9e41

SHA1
355a4bda40eb0121786f80fe50c26673dbfd60af

SHA256
db39affe81ab7f8ee3baf9548a3877a1ef4c2c36eaafec91c40c042451b9b4ee

SHA512
5e3df24a2124e20833d7c0958a93354e77d285d868e31425dd803f1b07fd367a5fdcf25997f5a2ebc5504bd99eae0eaae0ace3a71fa88c0a21b86e1ead17b26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZqosEUsc.bat

Filesize
4B

MD5
08d758b4f6d574577c17848a192b7b60

SHA1
35c0a760769fdd627218a8260141038eaaf4f3ba

SHA256
433f5657fe9d19d045eae8390a41e66febfc04d113400e7f88d8a4acbfb80d9c

SHA512
e606308d4c002b499f2c5b664a579b3d83e5907c1d1bed9e6eccc5af9dfd0e5ff57ebf8d2f6c1b424ee26122012fc24d09662ea7f376921f5bbc6ccdcbd12db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEMu.exe

Filesize
237KB

MD5
37bcb9b7ed5a833c709c208c26858212

SHA1
4f9283f268e10c03f3e84ddd058234043a1125b3

SHA256
2cdc76ac0170514fe4cadfc9d08205f5b3a983e574d9569f47118e94a574910b

SHA512
d0e4217c1f83b6a7cf01b7babad7eb50b5d790624c493277605ebb06821d4a8471728f4b5545334df542bc29b925faeb81a1250a62c62de7c996f323c8e3611c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEww.exe

Filesize
235KB

MD5
04d1de57ae408440faf4354ea3f312e9

SHA1
e02e1afbb962b58f978b4b8eca5bbb3e8d33f4fc

SHA256
ef0f93ae372b936aa6f7e2743ccea504bb7fe1e8f169774f5c80155518e67c58

SHA512
8be4339aea1f1671b2be9065564cfe62b07d6bc482157e9e56655155cf8302d76c6c475836bbc2fd86d940219fa8d91322d84a8041b7e009e5a8bfbb5073878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMsY.exe

Filesize
232KB

MD5
7b3ad0c9eb30be77ca9d73c35f5d2838

SHA1
86ec7fe3204c163557e3e3750c7190372f7fe295

SHA256
26c4f2af27baeee14affb1611107c23f13208468b644101a98eb1456f4a9363f

SHA512
e3b65f0105f6821c6069cb748b6ea1a2c607d7fa1e31cf966ffea1d29fdd51af617ca30e0e028d8d88e5e31e03568537c6ef0eb06d555972bd9c1edd9f0484b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aOUswIAU.bat

Filesize
4B

MD5
e3b32a6b24affad6b7cd7bc8b3cc0204

SHA1
f0e754e4436bf0ca5e8c9a42ae3025ea76295991

SHA256
9c6b1ba89f12525801364672ea67ba9ae4270d6508281b54050c8a947017f1c6

SHA512
54f17bd1209861fc12fc14155782f63e880cc4ffcc2d34fd86cf79e6ad098ac28e7aa7da3cd111c3231a27d0a4926054ffe36c6ebaad6d6f74f80b4a7444dabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQUAIMIE.bat

Filesize
4B

MD5
06763dd0358379bc5da16615aefe401f

SHA1
adfe8bd1cda150b6ab303cd7f39011b273fc3d64

SHA256
5ce69a52e5601769a26edc93ff1272b2a0cbbed828bf7baae1a5974492fca736

SHA512
e99ab39b97eb1efb84c67fcb74c3f9481dec1f3004176e7ce901a29a6c9edd370d5341465c71b2670e9922a42cedaab9d473b0cd6edde8b328933545a928010e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUAu.exe

Filesize
957KB

MD5
ac6d533ef37cee65b4d55158b4b11296

SHA1
3a1c70de0b7d56bde0a1d482af475c6254e10c76

SHA256
a058f08828529ceb7bd3482d4a9afda75a8ecc257c9238f0be14f533e4019a97

SHA512
27cc6c53ed7db94151e19301aac1e6bc2206af03d0c61368198ff808f35da079d9b36acee66aa9cb03347091abbecf6e94cfc5c773deed2f8cc61e7a095b6fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\agAY.exe

Filesize
236KB

MD5
553260c05f3ace25812056e879b16982

SHA1
5b89465df37dbc503f71faa43afb4bb48eea88fa

SHA256
39cf83fad3e9c455eb15f16e15965d769565b41f0696573a4ebab7702d67bda2

SHA512
5bbaaece7a24ff746e7e71d222c678858abd2ce748e9d742cb6066a7aefa0104a0548f338645a59a3e3ffb82d1f0051c52866f8d32e22780d92e3a58578cd4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\agokkoAw.bat

Filesize
4B

MD5
284bff5e4cfb1dfd9b819a926d96fb04

SHA1
b9338e48798f49b07899082fd871b9a51a8e3a8b

SHA256
96ea8374241bbf3eccc9c362076a35744014c797b68e586f6a32becd99145db6

SHA512
bd782413b0e414d280d66fb5b5bc4b5a826b2e47687569894db4300e84ad3b730919c891495d86d3f40d01b36908d1c36420a235fa34670378eeb294ea65b4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUEcQcQY.bat

Filesize
4B

MD5
18dbd762dfaf61a4d4841a2d5dc5f4cd

SHA1
31b2b694b2958d2142bdd334221df5e608f8e726

SHA256
985421130b1d2dd738e9df15022bf58d7aa069be0320a734a215b275fa8fa8f1

SHA512
de1a10e0a88af17d208e5119cb643cb28240c592208b02e57b597554a3bea9cbc90031acf7c2b1fe50877d153da603f6a00558a049e4998a045e012a47609671

Download Submit
C:\Users\Admin\AppData\Local\Temp\biUAcAAU.bat

Filesize
4B

MD5
001da204ef9acf27a448ddae8ae9dfb5

SHA1
26c791f6f93d647c59af0cedba75deddfefbaa53

SHA256
0cb7ceb61d0aa650a305b1da5a55625ca3ea2a24c8ad9d8d2d5b03116be4ddd6

SHA512
fb1a6bba6c8b29d9d0c37dbfb9491f6cb5307cd12b6f027e3e7b1bdd4c037af12965365ff24f088009b07b3abbe32b5f910ede8878f59d5da7b4f32be3377b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEYcoUUw.bat

Filesize
4B

MD5
60f32f271a85026569bb69d060b9a64d

SHA1
f983430cd61ff8a5e98271a2e5149c481c349e79

SHA256
44671d4e4be3bad5764079302efa0eddf35eb393ba266f00e11c7d70756152fd

SHA512
49b59c01f888cc18dcdf7251a53ef412a3f228a6312b46dfb300cbfcb188af522c44f8721b0862bbda9dd80b443379e783a7b196b4ad4ef330b71c78c198877a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIUQ.exe

Filesize
201KB

MD5
c68e3f45a911e5195bb47be957d425c8

SHA1
2620f3653aa52593bef4bb7afeef41e78d110323

SHA256
4eb490c080734bd71b5568ebae6a45082d7bc3d61ffeaa8e3fdea29c68bc97da

SHA512
8194207675e894a6769dda556e015b8d34eec6ba1ed97397d6e3ebfe1eb2a34a450b5a367fe557dc88b758777bd4eae14cfe0fb60b1deaace07c2f91f8b87f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUQE.exe

Filesize
195KB

MD5
683564274d2ef5eb9c88c9dbe7c92b3b

SHA1
304f57b20112d2dd98ba0e8d31410248490d6925

SHA256
3e2a84437b95655f566579751ebd9e1818aff3572c8f6b2a7fee8f7ee0a8e8cd

SHA512
3a163df12e37656ee547ddff15bc02a901727097be84b7f562442170de5946e4b28df610afa750114930b8a99faff2579b6c26b887b64b91acfdcb5fcb1e6f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYYS.exe

Filesize
189KB

MD5
201cf9a9a368ecc32ff3480eb2c8cd06

SHA1
c9a5b358063a38e3f64e18c387424929b33e0c42

SHA256
69cf48bace3d4758fc30e2af23081f0917ec54e87a380ff6071752120562af99

SHA512
6e52b9a5dfa910fbadc4bb62669ef62c2f99a2e37a91a0d08095a65324d7d659665e4e5ea1aa631ac5f0a15b347948357ceb6e783eaaaeec179e31c6f40b920d

Download Submit
C:\Users\Admin\AppData\Local\Temp\caUIAEgQ.bat

Filesize
4B

MD5
7cefa468c1e2364d877fa718bc883300

SHA1
fdbd10d48da0674369f519ad7851ce1e2fd65401

SHA256
ad428e39e09bf3a7cc3f1df03f2e32192ea2400bfe8c82653da84db9f2817f5d

SHA512
a0e8f6f3999432f92b603d56af6f8ca940b9ef397217e446f7f14e1f5c8de1dbda3cfde0c4950103fd5c7a6b102fc38caad392a0398438fced26cc139e046004

Download Submit
C:\Users\Admin\AppData\Local\Temp\csQkIAcs.bat

Filesize
4B

MD5
cd67bc8e29df60e6bcb7d96c6b8fcac1

SHA1
4d727662ab02239f05efd66fd1656908214742e9

SHA256
f86f3e513f92a957ff8de15a8ac579fb4328755e197447a9b9f516131de8b7c7

SHA512
929670cdffab5471ff6b65e64e2f5f0b00e1e60aa0952e2b6616f6a14a9119400a5b5507c270c007c8c1f48da520b956edc2c0335744fdcc8e110591cbdb1f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\csYsMAYE.bat

Filesize
4B

MD5
17f85f6d065c321bc9110f9c97175009

SHA1
f78e973595c5dc4b72918644e671bf3023d6513d

SHA256
e6ced8b452fd2ebfde1796c31cdd8c4b9f2e00a6a783423552a65e7269177d96

SHA512
0a6b6023a02bfe6982985cbb52f3d1429531ff36a68ab461a09c7030717f66fdf88a4835f243477756b1aec14dc617f05ec148be9c0f26fa951c6694da23ecb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dMcQIwso.bat

Filesize
4B

MD5
50022d4a6f40553d7f551b20872552f2

SHA1
3ba457eabbb7fe1f78783f6c07dde64986ff4ff5

SHA256
785454f412f13c92e8fece3e9b86fbc598b029b0081f938c5d4e448f7ff5dbe8

SHA512
a4be3a5c60d3394bda78fa520226f268e485a5d23af4db064b92c5e1e7aae103dd34ef767726085709e42332bf04cb4117a0c5869314a63e9046746183db0696

Download Submit
C:\Users\Admin\AppData\Local\Temp\dOIMQsAc.bat

Filesize
4B

MD5
40367bf9e9bdfd1369b035d8c02b6a9d

SHA1
da54f050942c6083458e67f19e0cd0d9ee59afa7

SHA256
c68ea5c2b0398eb9b72f6b2dda57f04f7cace3799dd082b5affe676fca82901e

SHA512
990a64479c419a553c83aa8ad82580393a9fc539ce327aac27a2a84cc98cd91a925efcd3d40d0e5e750f8ea5751b0692793fb27dddc98d8c61ae931451e3aa5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dOwMEEEQ.bat

Filesize
4B

MD5
c66aabc971a2e68c9460cc9691102ce7

SHA1
81714b0ec1debc484b7b0a9b15cdea6c2cab0c2e

SHA256
0fe489453ce06b5bb299e1ea1ff991dd48943bfb76aff227c00687dcac6d3c2a

SHA512
c854e4c6f47c3edfc1bb650b4854e389989337c989e6fe3fd4b05787fb242ff16f7b18704c1b1ca716236b75a0806511da063bd5f60778aa1c2eaf3b26fc9bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\deUsAIsE.bat

Filesize
4B

MD5
2076907e3e3f0a2cd917705410734d1f

SHA1
6b4fda53564631079c92cd0c434a333765e6f4f8

SHA256
fe441bd11ce7cc4231f7b22c042cba474c3566a6f0fb8a348ca87c707e204750

SHA512
ff3b20770c2f75691934e1aecf3100c0e9f4216020fb9b4f4eed708e9da6b8a7235ca9fa92f5aa2e026094d279f947560775fe523aa65fbe74bfeb6d782ed171

Download Submit
C:\Users\Admin\AppData\Local\Temp\diYYkMcQ.bat

Filesize
4B

MD5
bb7ea0fd1216da85c8b32f487a103269

SHA1
70cf719998efd6046912300f13cb7bbf53e194fb

SHA256
bf1f6dbafb45c20c8392c9266abf22be7148b285634487e607852fef84027d62

SHA512
e7aa00cd944603b3461fce240049d6c37040a1e0e1ef80b36d98b817d52a67044c2d094864dedb766f98caeb557d0e45d746f1a755d25b733c4b4f81b0020114

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmcQcsMg.bat

Filesize
4B

MD5
8483987f6dc442cb5ba29ffeeae87d3f

SHA1
df4e796ea970fe9494dc0953d3a93f0f46f86572

SHA256
a0083250fb85cf8419c64f294666d33262c8f793f697d288c914980bb7fa0934

SHA512
131631032a6869b73aff0d319ec47b20ad764e22002654b80b2794f4544998d9993326240184f83be01e0a0542cab3a566d7e4c2e97fc59030798f51a3197e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMIYooEc.bat

Filesize
4B

MD5
69038fc2e60cb4cde72c68214edb773e

SHA1
2a2ae7d408a3a7bd5ca764d6fd1bf8f2fd36c1e2

SHA256
839d19a9ad8963623be585ad0c9b4432e0db70606589834f7c241f2881b6686b

SHA512
2f21ec1ba4097a921e4fe4a4258cff683afa4e78e649610931d06f00eb06d918d5355bd60b4ace30f5882de9eea1cbac8f7801f53b07fdb1f1649fd9fcde2f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYUcQcog.bat

Filesize
4B

MD5
51644a8f1b40e0730ab33f996ec3cc1f

SHA1
76e498937941f82aadb38d3a380960c04e75504c

SHA256
b121ee7c110c421b3d36b422c0aa34c7875b5926a8cb64678bf5489610c5c617

SHA512
35be1fae70ed00fd87afaae4c0e807e015b51bac92d54abf27b08a5877728b419d0c0d5bb969a1c0d7e9d57908e51b0908b17b50a887db07fe1d3cf1ebd03584

Download Submit
C:\Users\Admin\AppData\Local\Temp\eakIQUsk.bat

Filesize
4B

MD5
0d212cbe8d9f51666d583535e05523b9

SHA1
65dad29bd3984d91b8f39eed57d54ad334734479

SHA256
89868793d9da4a74cb9c754faacbe156afebba5dc83115dc667fff3aa358673a

SHA512
569844b26eef4ba13f65fd37fb6f62330c7ea5187adf61128279a52f1e5066ee20e77dd33c3d81f5ff330c645110c4b2d032e30525867884ef07cbd167405bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\egwI.exe

Filesize
637KB

MD5
050defc00da83e7b2dcd9fc146d81fd4

SHA1
9db3f2b7b40a69f8ff71acdf3d43b5701fa756d7

SHA256
f2d6735c50e02a0baf0ef009057ce12e5bc849f2e032f162b1c53277ce384f9c

SHA512
c0bd4134e0798f96264e46a7d5d2bf2c53738956fd106df266d964fb2059e8d51835a4f7416239267240e04da5202b87d0820f770fb8f894774454d80ddfeb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekko.exe

Filesize
228KB

MD5
19014496196424ee89d496f7ae77aaaa

SHA1
fe18bb484770bfbece8d5274a2f186e25ec156a5

SHA256
017e5b49d96a945db76d8662553cc8f40dab30e298b099b7423db0924d5fdc74

SHA512
ec9bba515c99ddcdf32531ec7cbdedcb7fa4757450ed4b882bb8fcd513b334bb248df7f6ef3a972817ab9a2ef0cc03a1040680697a548eeb27db588a8dc376f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eokG.exe

Filesize
237KB

MD5
81b0b0dd4a2239a6cbd5247d0c18e85e

SHA1
1141f8c604f5c8194d817e3dac73adc4d6cc6cba

SHA256
971cbd6b0fb6d0eda8b586a034d02859ee165dff7fc598ffd51c25022916cab7

SHA512
afaab30def5c22ebd06ee226d7a4fb2d52d8728ad646de7246da16e48759366f504e740589710e6342bce3aacdcf55dcc6847c31c20e17f61165551a8f639834

Download Submit
C:\Users\Admin\AppData\Local\Temp\escy.exe

Filesize
414KB

MD5
7e94c860bb5a231ad9c794393e06c044

SHA1
8974d6a58417acc3c619ff80f704e2fd0c8ce570

SHA256
ce25add7eff7edab7dd4e52b0617bdd4e350a066f1b2f5296c7a0a12ff77838a

SHA512
c3c9bc3c4d73f17a25f4c8a966772b470e3d47c27efbf5288c436ca26aebe76458131a58a68c711ee26dfea877228999f4cbd8f1505dfc46a852d8a11f768756

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyUswgEo.bat

Filesize
4B

MD5
7c0084544aab6157f117f2527e9cf596

SHA1
269b85d4e8edc36d72770723f3fa069f25aa68df

SHA256
207b73fac5a0e775c2f596574bc4032e722a536ba6a277dc158e0fdcfd7acf6c

SHA512
9ada5f5f536026e60b4a7dfacf7b632cf6f9d3eebc050751f8f1cc206a4afff86acc3d335c264a87b16ffd49f6ef14e59c43d6fa5e8f6e4a9fb81ec58bd20b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYIgYgQs.bat

Filesize
4B

MD5
083d06c1337ede4505f78e07c1f0c5a4

SHA1
6e811a9f865a14b2d94ab68c4238f379e573753d

SHA256
6668bd7df3ca95436f64bdf5b8b3daa675de9202054910b2fad3e953d47fde26

SHA512
01fd58a997bc6fedd82ea09355edf91e1a9a774ca7fb91bb8b06ad675dd530701d456e32d77f3ab1b673914b189f2f70ebf252aabfdf5b618604afbe47c049b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\feQwMAgU.bat

Filesize
4B

MD5
2873f2283331c26c0b8ca5f25bc54273

SHA1
85d68cdc9c341d5512c7a2a0f59059b3fe1c9413

SHA256
55d40ea33a8463178635e9040a42e29fd86ab09b074a69cf7204fe1e0dc9df6b

SHA512
bfa20ec364902eca17ca81a6c28279b34e7daf67eba2efbb7ced2012c4ddc16e8c27d0804de4b57ded3813c632e86cb9fd5099ca2f47ee1bb9ad8e6530080900

Download Submit
C:\Users\Admin\AppData\Local\Temp\fecscAMk.bat

Filesize
4B

MD5
cc6dbd8f596c0a24a8dd09c9a4aa36b0

SHA1
107796c99c235c612dc1f12703d8b79ad73acb91

SHA256
a8a65be0790d3257e4c1ce078e3078e5b77fa6e854cb00fea9bd8cc63e578eef

SHA512
1e4db925dc2a7a6a6340f5e787e5214cbbd6e18a19890b70943584e351b259593a718b72f664c367cd1ad2d3c9e076935e9f673e95d2420b8b0b71224af88455

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAIc.exe

Filesize
491KB

MD5
239e6c274479a490adac3fe9fa98cc2a

SHA1
bca4575d18e4418b6d931c909d92202817c4c7c0

SHA256
c12fb774565e009dc148e54c6cd77a21df1f59ac0a8abbecbf8ce05d434156f4

SHA512
99d56f43c425bf2a583c7bdc3602a0db54e970513eee8f4b08cce74a2ac75776d010dd871eb3bb9a7e9f4ff7f7c2475edbcffd50e8d5c70761d22733fb8c19d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gCAcYAgc.bat

Filesize
4B

MD5
2be4c0420270f278a3dae98bdfa6db27

SHA1
acc54f9889608aeb03c533d72a37e96759f3d84b

SHA256
71d90dd6c0bf2f64e3f0b97ee9df5d4a274e8f20b52eb93cd9a080c1a21a95f9

SHA512
fb1f4ed510c8bbfa28706d3ccf6822c314bd5099e2b274ed97acfc560f61318f0eb50332d64dba157244fc769c13b3911facd5c7649ece0fd3b003a9b6690134

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEUC.exe

Filesize
227KB

MD5
f570ab03ef1b40bc31c39c99dccdce49

SHA1
67b2cf3166c467dfc0b4e3aada1008b642e1fa20

SHA256
aa5bffa14a5539c6bd962b8323ff8f9fd4e8f76408a0e68e7ce9e0a5f755facd

SHA512
70d7123caa737c681903e0d4916674e81a229e1b7605e76ccd4591b321e7457180fabc77b0068051ba8256950a1344c4dec0e60a015aa8a7524f8840e70a9ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUkY.exe

Filesize
242KB

MD5
3304bf344c138396a3987efe70a2ad11

SHA1
263a7c61732feef400813dc7f1ddc46241275d21

SHA256
70b9e6a49f1e63506cf1f459a843b728582107ec087537f1d401bf79deb3783c

SHA512
f9afa1651925624f778a3516bf70fbf8f04864ded7e96bebb5c10ee34c526b29b82294e82d3fa310baa8e8a6eafa50f74c1ffc191f167db02177d7583ab88879

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkUI.exe

Filesize
251KB

MD5
5efadd13ff5b8cd1301282bf6c1c39d0

SHA1
02868d6eded841c6d651191624ad9e0d033d7a0d

SHA256
41eac31318b5f7bf2899d13ba3a3b7a749c1673f0486ce9292e8d33889dfefd7

SHA512
a36b2d0a67d8735da2335e8d44242413053ea2be6e644dc0f4ca2a2a5e6d6693d1d536b2a278d129e0c127a62e3de55ec5d24ec121a1e25bc8ae0b2e7b728929

Download Submit
C:\Users\Admin\AppData\Local\Temp\haMMYwQk.bat

Filesize
4B

MD5
48b8643c9bc6b91d8b899681d97df0c8

SHA1
9425661701af31ff6663ba12936f46504521de5a

SHA256
8f370002260d0ba499ab9a1357b3198cdf50d0587e77b6ed5aa2ab8e0eca4bb8

SHA512
5f56719e1017a77709d89d2db960be47b1c99e6470155e2462fa009cb7cae01fe26fcf8cfd45b5d756b41c9d0938177c8700dd083d7b588f152cb4a22b99b0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgAMgAow.bat

Filesize
4B

MD5
60ba1b32eeeb12b8d82ba18f4dd1f77d

SHA1
33082c84dac993d92e2d5fe1cee944ab3abe64c6

SHA256
77241e0656fe0a050e5d43a875c2f189519816ac501979f491819ad242f3ef4a

SHA512
c5e286060081d669cd0faa6d5f6c94ee6de797e14fb0e77c840eeb8ac2fffb8634aa9674af76d5ba9485d036d564bc2a7c498ed5837ad52ee0557632fc1b987e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwsAAIUc.bat

Filesize
4B

MD5
e5f70ffa24d3aeb805ed57b7929d1cd3

SHA1
8aae3a0990ace275a253bef9b091eafde7012d27

SHA256
80ee64bd8af6861fb4cc85831074fd14e225282cd9a8e4df117b209459a3a1b0

SHA512
d532aebd2ea9dc6a128dd514543c442908249109bd4a893bb2c2eb8f9a29ef406e375e53b4a180b8b14d5577610206f9d45f7f3a21d497e6e4aac7ec615af7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAAM.exe

Filesize
773KB

MD5
9842d1f1533765741474174121821a7a

SHA1
f1a830550878f8e8f980fa3a60f5e2a2a6af112a

SHA256
a25a96629499960311c37db3c4b5fb80d399cf87009b5d3010b71d7efd23a887

SHA512
884149e5694f0735b95277f60a013790e4b711b14a6c996da36b8b00acace5cbb3a5b365593d67c342e25e48e6fce73b4def02202510d0fa260cd295b89143bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAkQQggo.bat

Filesize
4B

MD5
da58c1ae294629adce997899fed3341b

SHA1
8b41b1841b2e20420e4ff53c42a5a74976364886

SHA256
345801cbbb8d23bc7a882a89401057ffeb332fdadf3ea2b3bbdbf26f657603ec

SHA512
032c049080a65b3ef97a06bc7bf9a44e175023fab520949ce2c52c349a6093f8ce5cf58cdbe298a6ae4b102464d8099d674cb3085923c3b47aeb3fc58eaadd8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIww.exe

Filesize
751KB

MD5
440fb638a3e55e3ed15c7618fc64775c

SHA1
b49cdfaf15ac9d106d4889a9233ffc4f9053681d

SHA256
ccc92ddc5e30a096070a5265fa85d7adf56a9937d27b0c4652b4b0e449c205d0

SHA512
c4a20498359217561c0f3678c23d6651396bd11d6aa3221cf9dac24f717454dfe7f1eb17d19514cd1664b149919b1b98774c6ab3366a470fd77316c77c253731

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikcy.exe

Filesize
248KB

MD5
ed42d5829ad0a3e4516981bb37ac155e

SHA1
3420739a1ffd4858e7ece1ba9df1f7598fb8f449

SHA256
7c9bb17657a16f0d0ed515fdba0e57f9e7ba061357aef458a80697c17dab9cc0

SHA512
890556963e8853914174551568becdb3395dec2e781a80e958a744e440c289641f9e97f11992e8afceea7b84657bc99f653b232d8c5d7b4b0981c3111abb7b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEoEcIgU.bat

Filesize
4B

MD5
6d720256490dd72432ab9fee9f7d85fd

SHA1
1030eefef76a0ab0acca394d84e2dc4b9db472cb

SHA256
aa3778b57b43378b34d0af18f4a887596ab383ac62e87b907c534266c9915a29

SHA512
0027ebba984da8a04f94ca70b1f673f8981b55aac094e65363589a80266d31ace05d760ccb64f1f0daacea41cc41250a8c6ceeaafcec4f84823c55244c366503

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkUYwIsc.bat

Filesize
4B

MD5
9dd0d98b7e19ccdb6842965aba43dfd1

SHA1
8726155f7d2f4b3ac61e91c50711b791d569c0fc

SHA256
789d6c460d60b9094dabdf7796095269bd039c1b40f86383d1d46c9fba087cb4

SHA512
dbbe469458557e5e2b6b284215db66dc4153be31b4ef032844fb5f9b8f765fee0e762620ac4b371559f52fb13d6d419406c289c63041497b59237d903e09c978

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEIQkkcM.bat

Filesize
4B

MD5
4879b5f3fb5005344a9340cf5b70a1f1

SHA1
674245b389afaa270c9cd45d8719a8ad7556644d

SHA256
c4ff4d4cf47960006174fb2abefbe2a7f1b5b103b29f1716731835f7c04b1905

SHA512
2c5d3fd2baa5f5fea0414886e948678cdee25f249af0d79b40e5b7b3f933b7b151c5a99e965351d93b925854506b967d13be54acb0b7eec58b4ef27d29ae4aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEMYsQgc.bat

Filesize
4B

MD5
b929fc7e067324f6f102ecfee9220b4a

SHA1
ef67f7caf82741c366c04f2394a2a51e88453b6b

SHA256
f9c6c1a8e0496a7a005b2a6e550112ced0ccd6061892fadad6fff9007de36221

SHA512
7782b054c055aa4d669a82d88f0091c311c99a64cfc4c3dea45a59ba28aa191fbe16d671b2425b0c53be5eb67776bb0783654c8920372f35d32b15623119af34

Download Submit
C:\Users\Admin\AppData\Local\Temp\kGQkQYYE.bat

Filesize
4B

MD5
cce42a62a0428716a1682e02d917e139

SHA1
8716e2242188b0727d3258c36eec907a7319a747

SHA256
7bbdfd45d59b19c01d8f18d6d4638300a6f691416d116f8af760abce398ac159

SHA512
5c9be42ddbef90bac3c1e4e86eaa396358d1818e4f48e7a62df175b678935425a8e0e07bf004282546040b4c78ac774df4a0d120992dcc5fad769719b0dd8f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUIA.exe

Filesize
8.2MB

MD5
742af7211ec01a95f449e064869151b1

SHA1
5ef4c243a2f5be4c80008b4eea493841d42a1d67

SHA256
5771b3cd8e388f4104001d60ddcd3a6e865ef13904d95644b7dc498a69e63bdb

SHA512
1034ff8464f9ad6d73444795095bc11986b10c9b2468467dab6f8426c73a150993dd1bf386404c16b3d0322a9a0d358a687e875551036c874da585d9bd2e7b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgsA.exe

Filesize
1.2MB

MD5
a29fe5126189bdd4eb5cf3f465eecb92

SHA1
514186ac260fdf3913f71095eee6761d32d33d4b

SHA256
8e3ee5148da8aa409721ab2776fe6faec8dd127debd00204dd5c693be145b5df

SHA512
92dfd9a7429c7b1bce0665dc884c1e43576d53aef1635d239b952af5698fa8f6d42909b12d9ee479d1be4b8597b29d41aad777f8229af6afcfe28e35ee7ca49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuYwgUkA.bat

Filesize
4B

MD5
24761f21b7732a7c96771a1ec5b7f09f

SHA1
cbcb15f5067fe420758ebaf290f19853e86ca106

SHA256
cf3dfd00f7c327ad1d3de2ab1748f2eb8887b6656605673871d34b6ffb316199

SHA512
c402ebe2bb2313b09c7e2f8e2c9b0ab156e2b51aa123fa753f48885a9e2f8e9d6624c6a565b11c0c0e20ee91beaccea6335e678af6c272815a6aeca8a2730641

Download Submit
C:\Users\Admin\AppData\Local\Temp\kukUQgAo.bat

Filesize
4B

MD5
10e73e406aabf81018487889e1a7ff77

SHA1
13ddbaffea72ecc41a3779b33bf7ea545ece85ab

SHA256
3516edd4a7803b9d4a4aa8ccc134f050e21776349b6e484f53607e340f9e4515

SHA512
c272481939c212d608cc501694b74ae0439f5a7fd117bead72eac86a44c3205d71577fed87aaa9d44b88a5a21ad64b9f625413ef4fa7b90d085ee9110c7c7c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwsa.exe

Filesize
253KB

MD5
edc8974b30543383efa0eedaec1f9253

SHA1
cc86e841b018a67a2daef9c2636d23abab575ef4

SHA256
827dfcbc2b4822fded1c23d61c1d2417b59ae02da376b5c55562e9a2ff78f961

SHA512
0cd3f5357ed366275aa5a0abe148fc5b5f56e2cf40a059b36381b1b510a46a49b1135f67ef08b79502a88286e2de0883de4572eb03b152beba0867097762fc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\lKsgckgU.bat

Filesize
4B

MD5
f96fc289ba791c0acfb5b825ac6e7b75

SHA1
4e06da774a8aa59822ea594d02e2d8ce9efcd79e

SHA256
98c36d4a39914f35a3f53c469616f447a7c173e8725cc11fbd740827f823ca07

SHA512
5b683daa8f5fbab1e005968a31a8bacca70ed0e70f3cd1e31881b5a36c10c2ce5deb1481bbe9e474b6901e7be515581cd836d4e8137b05212b6bba904fbacbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lWEEsssE.bat

Filesize
4B

MD5
295aefbcfb8544047d685de1de8fddd6

SHA1
72c71e57d3f53d7ea3ad924b7a8bad41392d0a85

SHA256
0734ce167dc5c71507704fe1900007244b675ab0bc67eda447f61002cfeb7b7d

SHA512
49f37f433c32259fbf13e516c48d069c6d36ac6f2ae8611fe6b6ba3b25a5fbfa500ff7c3fcc3eaea14e1b309a4b0f5d00fb70578b7d0d78f61e57b9d6fe1a9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\loYQsEYU.bat

Filesize
4B

MD5
eaa33a68d2277e0d42cca4ac9519ecee

SHA1
6ae635528476cdf37eea3007eb5ae5a9eadf4001

SHA256
daff4d5a57939714890916bf682d6de4d9fc7d5177d1f83a9e7ec94e9357f4ec

SHA512
2322a6afdd0c981b3d808530bee7d531e21d408c68fd82df52a2155db8a124e75196f4c502a297647193558116f002fb1b0fdb65d6ddf9e27d9d43c62332a13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEwYgccM.bat

Filesize
4B

MD5
108f0333506d28621e2cc37d34e3690c

SHA1
62b80f0e67fd2c825fdbcd8ae4b6197f589705cd

SHA256
7c7a2ffc86dcb3b150ae1b199fd2744dccb53c600099e25ea8f83afff8b00895

SHA512
3846a8d989c13ed929d4cd015bde599cd572a0975277010a5a44257975d5a4253310f4a166ce61486a0f72f287ae0694eb9a053c362c49a2361d35c064a1c0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIci.exe

Filesize
242KB

MD5
a8267ce2de78e55d5dbcf8045b832a85

SHA1
f606584c74280337f06e5948ed10813ff009dd47

SHA256
4b6715010f2d2751aeb3368120c043bf78b71d9c50f2f18c11b9b649f21e9dfd

SHA512
a9a56ac368531d87942d8b59ef225574db7c6b944b92e981ca130642314abaa97e7b5a085a3ee0f8acb3bb6d1eaf142640e6efb212c4ebc34eea1c7dda8e7f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQIU.exe

Filesize
190KB

MD5
73d830dbaa93e7a40a8fbfc480f43a2a

SHA1
8bddefb234b7b68f17fe2608b40e169e0ae0061d

SHA256
d1cf5e45f8d830e37cfcabccb8f4bf01d5605f343950318e90bbafba3c805f1c

SHA512
296d7fdbfd163f263c75da7038b276a526ee754993e49937e883b164b666248d408ba3e3595f69441345e0fa23225175f218efbe0903543e4720f2fee210bf61

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYYY.exe

Filesize
247KB

MD5
aad1bdbb98f59a0e19348cf2abcd7287

SHA1
d6468e23c58c341ceb916f224b3fb241ee2029e7

SHA256
b5df9eb5720a4865944299baafc5bc43a4bb793a03a4e49ddc5e0655e509ebd2

SHA512
5982fdada3e3f38c640f99b874f6400fefca38440b8614ca0b2c30c02f02d1dce3f5d1fa67eaf15876c102b89045f095faba69517010100be402fe81275fa446

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYsY.exe

Filesize
202KB

MD5
60f58a493c60dfab960240ce52f15bc9

SHA1
0787238dcbfc929ede11fa69718aca16c2150bb2

SHA256
2581bff410f1113cf67ebb4e5d246305b4fcce04ec0338fa76228bc7bd69e931

SHA512
e027fca54e3d58b65c94baad287a5b21de86c6903defef9fa9cd731d898acb79ea1715148180d43b70a64ff5f7980ba4f050802ed6bced8b87835f07fd82eae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\maoUQMwc.bat

Filesize
4B

MD5
2f0d75bf12b061e34cd50d1b3e2739e8

SHA1
5a5dac1d587c754bfb043fa6f4a37ace6a1e5cf2

SHA256
00c92c215585b9c5af50be33a60073557aa91650db2260322f2b9f6b465ef1b2

SHA512
b4328d15c43669b18872c24b90ab66f9d86efc8eb7ea102b21de3a5594c39c758e75b625d4e1eeafd9d55b6834f499a3fb161f966e8235dffe9d472ca5c2288b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgke.exe

Filesize
242KB

MD5
a69034415f09b356840264981c662186

SHA1
06764c38c53774f5608badf9f4571393e9dc977b

SHA256
9638d76301ffe098f32589a144201aba1b7d8136a98903d292013ce3f86fd19b

SHA512
b9561fffd4b7e09e9224746b12c7ca9664fdf3d7a41be9f2b701fadfc6a526c86a3845c656eb87be7b1fabd058694bae19bf1610c4eb6e12329b97726b789eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\miEosgsk.bat

Filesize
4B

MD5
f1d236e1a07408f14b6478a24ed2a473

SHA1
1e85f8e1c21b3dec37e0dba7b43eb8bdc1384bb3

SHA256
ad6845d2b44b8441a8f1ebaf900e1c81dbffe67acb90448b0a2192bb58144b4c

SHA512
6153ec1272d55ee66740c830cf26ce291490b76322e6f0cf8948b6feab88c5a1c1b5f59ebb3774607cc596263d934f6c0512d69a052a67680fed6ff66e538773

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkQYEEwE.bat

Filesize
4B

MD5
3c6b95d5f643d8492b00fa7360254d9f

SHA1
569b550df56a2f5c3455b8c15273ef7ed3fb31be

SHA256
f76116eb8ee64b60dc01c1c7a2a9f8249789cf56529a2df70ed96cb6ab321d97

SHA512
73341f8256f4a39bbc33cf7c8f46ecfbe3b50b7b3932ac4495afad6ad8e52b8db2041173eb3f4943ab4abae2151a06210def9039d9ca467598a9f7d0346672c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwMEgkkw.bat

Filesize
4B

MD5
1ad3103b3395a4a912c9755c176153b2

SHA1
a622e1bd17695273987276a99c660eb94d8bdcfe

SHA256
65d21f16af5fa1545b755cd764125d48a469b8dcc2f9a155673462ec7840c64f

SHA512
fcd113e3e8bae0f4f93e51d0010288a91645829dfc38a9ab99570967b07d4d93d4bd9a1b3f5c429d1ebdfbc100dbeef908a6db1148cdf264d5d32901c33d09fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwMG.exe

Filesize
192KB

MD5
023d457d2928a57ffe846fd09460db61

SHA1
8a4a255790c2ec69d71b075fe8b3541dffd0c7c0

SHA256
e370ac0e812e597a482f145a37ffb97c2c34fe932d00a2065573fd256c116b15

SHA512
578ac9c063a78d4e7561dea3bc26f6f6245da29214239f8ff9708efcfae96bd661e9aefba6fdfedb1bd0938ec654b37fa4034aa58af4477d156a49fad184b313

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAcwsUQA.bat

Filesize
4B

MD5
32428ad3e8fff91c6f4dc150c80b8db8

SHA1
bbc9f4007d11d2063545fe89a3db37aaa5bd92af

SHA256
72effce7d823e5b259caf2323b981acd70e15fe2b4140f9fe34b036625b80304

SHA512
22515ed8cbfcea206ac4c7eee6f07c86103eb56785361e9be283bbc9a3266621838c1c2c3cb95fa3c8da0f91074f893631e6bbadcab9db7b8a669e8737d04b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGYgQIMQ.bat

Filesize
4B

MD5
242625401e7cbbc29db8582364ea811d

SHA1
73e4ac4e43501bad979b710e7275355a2b66899e

SHA256
a38c7c42d6d08febef0f0fa5154ea8de75b9ba17076b8cb5d111d4e146894e41

SHA512
a016dddee624bc0705f7bed7b13a3e20b007267b44853ab50a2a27cdf7344dc34e75f32966332e31ef32572eae51e040970d3f18d5fab4853daf66f6bffa977c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGkQAEwg.bat

Filesize
4B

MD5
b7053d5ff74ca757082e164ce3ffe8c4

SHA1
3a52e76b8badb6e745bd26834bb65766ff9d5c6c

SHA256
a0d5962006f2320bd767ad5802a34cf8d612f03473c084a2aec8b5d853fb6208

SHA512
7417b60c5b434f9ac52e701d0a46662936aa9838792c401d4294c1d8575e1a683b7efac3f06eb14d5e7ff9ce0d3dd6c8575f755b6daf16d996102998ee95f112

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMYUkUAo.bat

Filesize
4B

MD5
faf3bbf5a178df2c12a43764f3a52396

SHA1
59a34186682ae8f04337c0d9c33c5e243660e699

SHA256
ac1b6988262005734b3eb336ed363bcd032623f5711e6d7bd5658f14fb3b2de5

SHA512
0a823fcecce81cfe0385795f44c22dd8724cfbc3065113bb80a04874b05815a6a9d25e245d717287e3c57dc50304f6a44c1122653059dc18ea88ef0db42f1a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\nWIcIgsk.bat

Filesize
4B

MD5
25f1185bfc869b9fa74ca1e0d16d44a2

SHA1
a448655307deec0cf1ef886dddf2403d699db4d7

SHA256
caf75a525c9a82ecc6ddbaa2b4e193e0ca82d4b9fb99f12b71deb52b4772580d

SHA512
cc11e91f4f1f919c08dd7d5f4b6725a7d9bd91a1aff21ac9bce0028d32415804117ce83d2e3b74c409ecfc333f1d7c736dfa3c277b8ab4bd18af53314c38da34

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyckAcAY.bat

Filesize
4B

MD5
f07bd004f36d5bbdad8f4bfd086b2878

SHA1
35d84b201e225e6ab5fe3c628fc78d702df113f2

SHA256
5bca2e75639172ff19caca03b09b98d7d36434cd80ef1a6ac02186c50472594d

SHA512
c66551902213c37bb57a8b388fee20477c778911d11232ad99f2292f4573bbc855bc2e109778c96a41fe08bb2de9d4ae41d9492705069c17aa06ff3702488cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oCkcckgM.bat

Filesize
4B

MD5
3a67c096686be5977c9a767eefbd78ea

SHA1
f8aba43eb2dc959bc4a15286baa75d41658e149e

SHA256
bae3d760c8ea8b8b37eb8ddf7006dd7b3cb63c30ff170675b3b97030ced06daf

SHA512
316d0c94377213a15db1377541765c9dcfb9247468cced564742c7cab1f84434b9e45c4e39ad4a3a2b8e6596d7493edf3e9c6f632a2df756ae2bffdd62111a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEMa.exe

Filesize
239KB

MD5
be2f4d84eacbc816683191b96bff9d85

SHA1
d1755af96bcaeaf3acfee416c29ccd04a4b383bb

SHA256
7abfe1fac064db7ad3e2731d690acc3b437bca6c6a92926c22c56b61e2775656

SHA512
509c3ca943dc899d52924785cdb040f5c6121e0fc9b6dc19ecc276b2ca4123f9682d2dad5457bb171857fefc9447c31eb0e9d1f44ca0551ffbef3929db7d0a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUEA.exe

Filesize
246KB

MD5
609306709d7495b9407a8df38e6cb944

SHA1
8a557ea5c9ac82c23e9d2536c0454115625ad24d

SHA256
bfd6f1f616c62b875cc3f7d3e588bd7e0e1ee4366fd2c01a741c523256eab84a

SHA512
3b02f25a500306d5e4d1462bca3cc31fa7c880f3e9b8fb71a8ba31eec1fee3cfa09b5876d09daec1eefe5dc9c10beff6cba895b7b94daf454b0c5cdc213847f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oWcUcocE.bat

Filesize
4B

MD5
c0fdc0e8148a815b57e219cf386e558f

SHA1
5738314f16be8144bce9a6bd862bb0abed8af05d

SHA256
cb0f1c8f816081e41809fc45e165dc04a69a52640095625b29953ec671724dca

SHA512
5f5674d9309c21c2a14466631ed03af3151da5a76a966a8f640bccd32ffe1cab710f752ed28a19d976cc02ddcabb3bb9c929d6c576ffd4d9c29bee4a3f803483

Download Submit
C:\Users\Admin\AppData\Local\Temp\oegkoAkg.bat

Filesize
4B

MD5
62677de086e9fb889631a9e565500188

SHA1
347c3d1e5cc31a2f0f23111bf60f376c3b396f15

SHA256
f2a74110895bda6c74e3c8a46c4269d52173c43eb15d05195e44551a09e72ec6

SHA512
4637fe4b232d1de211755fe47793075abcebb63c719cca4ba0bae147c110cffd2daf81e9bdf06f2d53b2c798616a25aa78fa3184ca2b719ac2e8716d949892f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\oksa.exe

Filesize
242KB

MD5
dee39c779b8e123234659b853d393904

SHA1
ec6efa3b1c4d2d8d2d3c637a503f05c9303be12a

SHA256
c32f1907a771b514e2b2e9b220dfbec4a05d82ade79d8be11f671034cdce9be9

SHA512
df635893ded7390e55d4a80d5e52bd71a7c13347f0cfa383dcd521efe807fef594bb672c588c5cbeaa34919edd1609711de5e51209213d32ae279bde5d075d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\okwM.exe

Filesize
202KB

MD5
de8d8e4128761ca60961bb1c0939e3dc

SHA1
a873b49f103662b928f856c7b35a73480e7d41d2

SHA256
fedea991a88c779569fbe3bd1782fced8e536b4980674b1d53fb4c5dfba3de47

SHA512
3c91abd6e20e5942d33cdda49b9ccd8d81538b9b41e4a9980acaf8c045b14658d3548e4a05b0d9b95a76c0c1c3c8473425210667c7458c4e0fe6face52415a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\osoi.exe

Filesize
199KB

MD5
dccaef206ac6f59a6e7037a1f736004e

SHA1
5d4bf53fb93c7e96b3800c097d7e46429803f31d

SHA256
7f3174cbe42ed6ce8222beaae2a69a583d05f472a9dfc9a7419358d9e9f5a0ff

SHA512
5667c97603fe5022667bd1cbd042964328ca1dd2d5b146efc4216a242e2b08944e5634f2968980e197fd0be4b4d16046a41090e232743411a76e546ff612ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pOgQQksQ.bat

Filesize
4B

MD5
f7d352c26bf04a80d89315aeb9012a1b

SHA1
e76dc357d461d47dc60acee37f76bfd5af920ddd

SHA256
68520d3d687fff9cda4233bd1baf0a5db2ca33d495aa0ea4c25594ae77a11f36

SHA512
5506e1efc9fb88d31a5a993e701c2c60dc6caf41447a4d70a69137e57834faa6d29a3a793c578e4d00ca7a6882a85f5c88a50f8a6ee231ff2b7eec0c3c442fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\pScccQYA.bat

Filesize
4B

MD5
61e11762dd72183065d78386e015a18c

SHA1
3f2138062e2cd3e33cdd70f774e2307697dfd7a8

SHA256
2e9d1b73cf9aedb3f72f88eacfdc5b19dc16727eb163c2e6964c0e8af4a51a3a

SHA512
d8131c78a01e7b252908684637078b1e0c1a1b29d65e50814af0a7e2763d4b3deb7f40b240ff4b3713c5d04009572d963ce36ddce855d8c1eef25c9e89ea2920

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYEEogcs.bat

Filesize
4B

MD5
d8e125e359ff4878e5cc9f9742ce64ae

SHA1
a88872e7bc061349222c394b03cdffbe458164f7

SHA256
2b6d6a4c30ff6baa1c67afd9200baefafa5099052e985d3951ba1281e9a7a479

SHA512
cb407c57aea2e76c2de091e60cd8f78ef00f341b4ab631a7de6ada974c82b7e855799e68ed0167430ed413bd11095b530875df47ea06b4189693a8e580f06d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEce.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKMUkUoI.bat

Filesize
4B

MD5
5fc5170e9017029df85ce4ea71e6e9e8

SHA1
8b79ac58c2830b0b2009a658e0b3a710c0abf431

SHA256
00acb51b3a5e069af225b8012d2a66c1dc763e1ca00c1d05416ec56c5be90308

SHA512
9975c562bfb4e520e226a59c4379d90ca7d45d7574209ea03afda8a4895b573ed2abbb8221f289ab73b21daff1fb8e6d9c95c8d718ac0dfd11ad2fa02fdaf5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMgq.exe

Filesize
238KB

MD5
80182306637767d5fd66cfa6f69807b3

SHA1
af8b73461b8c0be33f63ab816ee5697b127116e1

SHA256
45a1b22f6edf902411edc38c76c1d0a5413fed6e0c43456ecfee45712b6dbf53

SHA512
4ffaaa431d681d040c99bc8e0a08279e8614d351ad4dd61aedc41c91e72fcd058d99f3e318a9006b1f72938d4301c28a6ceb2a7e05a970aa40fbf7c6da8362c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUgY.exe

Filesize
1.3MB

MD5
493bc5e6ca22bb85ab7bcf3c2164ee9f

SHA1
fa6dae43ea08607f4681a5e7c6cd7dacbb47bc83

SHA256
f9059f55ca385815f762eb6faf89e12059a8eb9d03d210d20baeb979c0277754

SHA512
a0713afe92fe93f21ebb924cc84c6ef2e3004c22f8cf8fdf55be1b17eb7697d13a4402efdc7cc827a7e29c3b8361d489cde4044b9c7ea35811392e9631c9b3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkYC.exe

Filesize
221KB

MD5
88c817954172f75948e5b52122e1187b

SHA1
f3af9277aa4c17b71835749ecc235f91d7d71f9a

SHA256
bf84d47db9154ef23a68a926d5ed0f21e05ff10965df373f209f2770bf20ad77

SHA512
791276dc4dc9be88c592b0168bb64efe4d4c917b377574a4a73f88bf3822aba6e4cac9556ffd5cae48ba809e918a703eeee623603356804ae453669f2fbc421a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYcYYEMI.bat

Filesize
4B

MD5
01cb225db0a5a149c3e1a07fa1ca145b

SHA1
d120e4326c7c67b252ed40336e6d887f726b7b59

SHA256
42ac4395e9ee0d3a03f869e707cc1790246b421e9b613e38e12ebcfa3ca8ccf7

SHA512
313d905c35fed535a2daecd8c541c0a01aa9031cf1d9afa7d9d8f8cd753db204b447ec26b846237331d2c55d30619b3d80c55c2cff6aecbb6cfba92ab91f9124

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIEK.exe

Filesize
186KB

MD5
6b8cd10bf3faeed779f94f20047d3c65

SHA1
1bfb53c15c93126a1c0cf5230dfae51eb81be7ad

SHA256
3767455b3fd4b5e5246d53ba7b57dc51b9deeefccd8368aa3b4df8a93a260878

SHA512
dbc58a722b9979ecd5951cbf381234239b9d845c38581d5a026c291b2af6d0e517f4930c905c588e2ab455b05633f724a008e5232228c90e7c4e75eae6342926

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIEq.exe

Filesize
189KB

MD5
d3f20035b810a81b2979f3840cfcd704

SHA1
2574226d9a15771dd9775050b2cf50948adc01b9

SHA256
e6183abdb45cf437dfadb4bd93d3c32d6ef5c4ffb69f5c9bfb40769acc8861de

SHA512
46a5cf41695d3b2fc7261752495ac056458eb6bf115417f442ad9c2c6c0d230e7b1b513b4f593eca6a2aed1783e2e71c23d47c51e029c75649b68781fd441caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQUI.exe

Filesize
232KB

MD5
0439f2b3368737ec846acc4514f80e00

SHA1
069cfc798a374c2c4c48f7d0ea5d30f75cc2567f

SHA256
1e17fb1c444c93f1e5a4d85fe3df2ce246853484901c602c8fc79b2168353f8e

SHA512
e4e5c7c92d8f56c54b449f680d3c14239066c7a5b4776dcebf796a54f81763109e174ab83b625f47ecebfe327902eb4185e3211a58ca897e3238cc25a4994474

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSIsYkwg.bat

Filesize
4B

MD5
f13d8d3c46183a91ab85935b34b992e3

SHA1
6f6079386e02fa12677e9a124ee87d8e64a3c622

SHA256
81f3d4aa23a109db3cf1a568f87aee2ffa472922e2974cc46bde243ac06987e8

SHA512
089c9040797c10849605a17891abff2289abcf1eedc2fe07230879f36792305f69dc9872e948b401e4d69eddb06af47fa2904a7a301a5b24ac3c446df2f842a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUQk.exe

Filesize
246KB

MD5
b0b216ecd0d208aac0df6d2df5d45699

SHA1
a4dd2e85b0695ac7723fd26a4cb083fd35176141

SHA256
dc4db1fa2474fab557ddf658f121874e934c8afc6089c0b5ae904422a10cebe1

SHA512
c61cc55898cbfb901669eb1e90df030146c0c8849e781717776adf07140494a73e8ca7e3037e43647db99ce134d9b83d3772c9d57e3fa7c691a940445c1182a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUsw.exe

Filesize
251KB

MD5
a1418d3ec44125c3a839c876abec3d3b

SHA1
3ccb27408ea1ea51f2f52693a96453d28520897f

SHA256
bc3ec03439394f033347c828cb94735d6230d72d37a9d2c1e7e521e1e123fbfb

SHA512
dc64935259b511bc66a106ade9df2c276972bf58265a4b11cd8d423fe4473114da018a19e45a6be677f3276cfc856d154d186c7eed49cc387bd720db6f01ac12

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWoYsEYI.bat

Filesize
4B

MD5
6e6b952415d8f9b4ac156ab4102c21bb

SHA1
d1be56f8cc30a9a91418f43f8fc39ade53733826

SHA256
4518733c6ae24588c4c2aaa832925005993fa7878b8348ad793141baf36b98ad

SHA512
ba0c7c9452a9f78f65383dcadba87de5f2b78bfa95276f07514fcab6538c6ffa63594b7417d532d38ece619441ec442ca49a07ea04b71f08ddae1ee8a929d455

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgoi.exe

Filesize
239KB

MD5
6ea1be1f3a341951b58348e667e1ae06

SHA1
83813331acd30181a42e83bcb518c4fba5343d5c

SHA256
ea24b376072e201a65f1037315545469fc3901be91fcdbd2144d2a861d0b80a5

SHA512
16d8a8ae35faaec666f88e8497dcf7294d5a6e2ada16653787613e44dafd6a02a4ed24d46bde3ede3749c0be6d2bb761a047541c3b99d05e3c6b8ad07424c5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\skQwQosQ.bat

Filesize
4B

MD5
fe28a713e7b5147e6b05b8464ffbc7db

SHA1
16574981a2a05735f041959f15394cabfe9f2b44

SHA256
f08a4d94cdf953bbc7cefa97bc7839022bc38fac10bce0b9b564a3a8049a97ae

SHA512
b3980c12dc053c9bb7acb4509280a5865d06ae290d37dc69f4e2dfba1dc88bc6f308a0127845d05e483e98d8605998f9b5f48e9e72fa2dac9dad6024c5dbcd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sssw.exe

Filesize
238KB

MD5
8cddd7fbdcd8225c6c355f32504b220a

SHA1
122fb581bdee4938340551e86fe44ff83439b862

SHA256
f34268f3f9a12f6dc5c6f3af1cc0bb11e10f7485fe2873ba0fa1d07c2882dc20

SHA512
cf685bd054f7e7d114d5916c14edf778e536ad197d78d989a87ea7a856d57c89dc55d1f36249ab1b00dfbce786d2f4ca8872bf8c7b007e5bc153d2c577f88879

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIMEgwMo.bat

Filesize
4B

MD5
88d28354ea720cdc7383bb590bc8849f

SHA1
6b550f6e5536416ef57c295e0e94ff66bdc76df2

SHA256
1d53d6167dd77b419671ad1be940545a293ff171dd3d4bae8d7694a365116ac9

SHA512
af19cab56dd150850c2ec8e46876593ba4e3fda06241e26da414c09615187b58e7cbdce695ef71e3b60d57a63818e651485d50e81a3d64553cb034ca6c32c34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMYm.exe

Filesize
241KB

MD5
6dcc9192998d8d13b93dda07ab1e891b

SHA1
e1f24c0d24cf3247a8c3f8093bd1a994b9764adc

SHA256
c68fefdd0fa7100e27ac08875abbe29ffddcb3dade1e871ef65a4cffbcb9b5ef

SHA512
8f0c6f07c1a7a956c2994599a991017a05725ec0f3c6a1199a34d42aab2d53114a3cf0b144873227a88cfac20c4b785a625ea28b556eb91ec1f0d0c9fd11d134

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQsc.exe

Filesize
219KB

MD5
77eb632a0f101147df970902fff52e77

SHA1
8ea2d4b70b994b342cf5730b26e9a46bcae66e41

SHA256
66e83af40252c310d023af895774fa572d58c706d1a46a1923ec3d611a78aaac

SHA512
98f85cea99d40ef9fc272ad5f11aa932a868787fd2e2e91ad1e77c9ddfa974ce89ad35067556e73c3f7ebcd171df6ec88934e18ee7ad9bef9a404c7e23ad0bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUQU.exe

Filesize
239KB

MD5
5d3ccbfcb3a5a3d47371386d34a7b50e

SHA1
a9bed91a5528cf244fd3be33cba3e3ce99f669ff

SHA256
80dbf6a389b8617d2ea47ae5a1d3889d50b9cb35474f86a2994c3675781910d2

SHA512
9a5fe95b0dcff277b98bc018425ec0191e06a947bc6b0cf0fdfa6f92882c2440a2cb97b1089fd6234aee1eebee517b709ab813671a729664c4f9d6b11895b6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYMm.exe

Filesize
238KB

MD5
91412631a58c65378754506f1639a23f

SHA1
6ccb447e87282118a207a8d12f0666236a0485e8

SHA256
25fbb8564a5641dad5a0629f9c23deeef1a58f4893b038ea5420ec95e4660195

SHA512
d1a2d26f8dcc3007d9b1f63b6d0e8d4dc9a3bd134704f0aba242a01ecb5ea067af53c22d427438bc7ea07976574d45c7fde109d195805b7a315448bea6ea029f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucgs.exe

Filesize
199KB

MD5
4614c2d74165fd8116791d6a789dabd5

SHA1
de968500cc58fbbca78cf2c9a541b27f488b5dae

SHA256
c693a72463047a03bf95c6712ca1aff01717d5920bbc723c3d7a01a2f64790fa

SHA512
c30fde2732f89e869c07d76eb6581de77345e0ef4bb54ed2c6e6ef69286c2d4acd128b2c55ef6485b31ddc90de9d7ee6bd81f9ec2bf21e6c32993bfc08505d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucou.exe

Filesize
231KB

MD5
89cd6feacd370ccb4f170aa8db78524f

SHA1
95bbd0485cfb46f029f06f2b40d90be84a26fb37

SHA256
c74f2c499f93aeb7cd28ffaeec3af3d139f5d7fd9636245613bcbec8b77ee617

SHA512
2a6e37b491483a40db25492f0a01e7270ba5d341829db7089d7a9dd423e1a47f7bdc56759eccf6f2db845e6a71b532da7444897a2528f782febcafb73d56d063

Download Submit
C:\Users\Admin\AppData\Local\Temp\umkowEMY.bat

Filesize
4B

MD5
3ea794e73fb6fcea057adfc3736d39b5

SHA1
d5eef2c4a9dbf859733479f76f778a56cfb9b196

SHA256
731cb2b6cbd7885d0960f5ecc7f508ac87cc3dc0c32cd37976d3a07fbd12fbd2

SHA512
1f9fe3c595dab37e7380b26745cb1b23be34303e795c2b744b45f481c57a3dd0d7694d1fb6fc393cee93b3fd90fa74cebd462949fb2efff3c685439fa9069aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\uogC.exe

Filesize
252KB

MD5
cdca7b0ab75fd9ad249850c62303525c

SHA1
7087e3edba1764be3657709b3beecf9b3e2974ca

SHA256
553a831b58e10f021176fe0313ff4425ef3d7fcdaba1d146d69cf1b406f7ac30

SHA512
d2e45ac8935331fa3be6d43b6b72d8c68b4ba8675ca211ae3b2efc404644f0f90f9bbe37898e32171addebffd927e1e13b841acf356b59ed15a3e5602db4b4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwoA.exe

Filesize
778KB

MD5
cb36eddb2391132514bea2bd16c9fdb7

SHA1
1225b481b7cdf0554305c48468f9dc5de944a2c9

SHA256
624a83cd2726d85ee8fe8e973de10dc2c29de802ab614529bd4bab929b84819f

SHA512
392c6529703a9931626ad4b896f610fa82797bb477d481223145f60c89d96c9761f66ee89a8d881e232b973e7fba59c7d4c884756f96410a418d77ad89fbc674

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwwi.exe

Filesize
192KB

MD5
212c4a92b73945867a4469ae480f1089

SHA1
c162804a00d2c3629af0b5216e688d85eb04a8be

SHA256
c58145233bc3997df766b4869cfd867e05ef644976c27a0a71ad5d848012cb17

SHA512
78fa12cdb640c52958ea04138356498bee35cf2d6d7ff6d6dc68617693ec5dcad9fff0d52f5f7c7c3670377c3b21196322e349b624b92f128e1f09a89faa1b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAYYYsEw.bat

Filesize
4B

MD5
177c8033e3cadcd8c5247b33dc991492

SHA1
1bd3fdff0420bcc8b0f847dce0bdafb90cb75ccb

SHA256
dc532a1b6c630307569c5dd7a1ef166f7e7319fd3777f82816e5e2acad060c94

SHA512
029b4f33acf96b3662ce66978b3596a94c020d9f9e0d10c2bce03b5c3e2b650e511f6b2513a0d06f5e353844270baf42942b3a9a1f335649920ba70abbcbc12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmIIwgQs.bat

Filesize
4B

MD5
f2f4e60a2b498b98682212f9726e80e7

SHA1
aa33d0c7c183e63d79971a2155477ec571508b12

SHA256
b6a255e0e0b64f09c9ed1b6648c7d05d91148d9d8911bf8974e3a83b1e8f22ce

SHA512
f43f8b68419febc948d047230ee3d022c756cf74df485ee160ec884df97654f1914c0beebf5ab825cb1646ed4d89acd124dc3038439e124d357cc31de69cd927

Download Submit
C:\Users\Admin\AppData\Local\Temp\vokIwwwo.bat

Filesize
4B

MD5
b3c5281c2f5e8316cb1351a6de0eb107

SHA1
abf946db3135e444eb2006f71e63f8a8a92e01f6

SHA256
c0be9240bda23d3470905ac73053cda768f7bdd9ec83590c26462a5aea658f7b

SHA512
68086a226603015f4d3c98f33eaccb43d82d75c99a68c5c4cc190a26f94dada852daafc91552a43734a4b23803ee97712e69916771ac9306aadeec6a3f5fc7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqoAQgcg.bat

Filesize
4B

MD5
12e38d3322b1d2e175ec15301a7c0210

SHA1
16ebab404c9dbac5de35641a80a932bc73b22fbc

SHA256
cb7e3e7bdb1245f8e2f2f213d5b67bf4c6dfe0c0062a7e493b02d5b2d5d1af01

SHA512
5ea83722ad9350ada560cb776143a2efdd2614d3e2977dedf3690effae8cf6f434855bbfb19a4ca75f01875bb096c2d411c962dc2bc5939b08f9c7f6d653f687

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAkW.exe

Filesize
240KB

MD5
fa314e6d4e39d2df13e72ed408930930

SHA1
3798249931ab2b125531d159fadc262de1d76830

SHA256
13fca1a1550ba1b19abfe429ea40ae0533bf6f8fefc9ba6a5e3962760c44f51c

SHA512
87d26db2f291abc016519888edda360b931457ed01147274c551e38a8631d5035e5d08625f400834f7555623deaea74bcc9baaaf4c9ecc320aaab8402aeb4f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIcq.exe

Filesize
232KB

MD5
1d626728e8050bea3ad347c74fafce95

SHA1
a8cd150c44d94706dee8c4a7d506dfc6b8d15896

SHA256
0687e56f65524b6db95a345eafae470e12cbab706ae63e869bee82a3053ef287

SHA512
6e0280bf5f920eedac93925573d4f7aadc5a7da9db7a481e1a681661fd552127a3060377eeff0a46a5c397874e378aa47926d45eee77ca145ae2d4d845a2c067

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMQu.exe

Filesize
656KB

MD5
66ef0c3a5e50099fc5510a8e3dd3a1b1

SHA1
ccc70a74510334fbb08ae858c7dfa4b2d1c7fe84

SHA256
4544162e3d0dc80213879914bb70e7a04668077b8d46d5be027fe33a46d756a4

SHA512
b4bf81a08407846ae333a0b5f3aa5bbb9ac511e443fb3fdbba442f7fdba30e851c8230d57e938f5d373fc7856b32458c47991bbf44903bc6299dd67c5f6c7c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMkC.exe

Filesize
231KB

MD5
2235e415bf9b6718decc15cb3d162b8e

SHA1
1bea854a7e04f8bb04eff9cfc09cef87e31e604c

SHA256
974b3901fce0e4fd4dda32d1104608dd29cee2f9a35048b02291c765b2654bdb

SHA512
d599e4e69d0bd9578ba5109431254e8bcd6f3f14a3bb6c99506412948b383eea2f78db44945fce3f3a97478fddf9b4c662ea41ac158cabeed121f8facf0d87df

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYAsgcsc.bat

Filesize
4B

MD5
0d6949d5893c9f62060b3801a77dfd45

SHA1
165e14cc8763250258024c99b15511d5fb2bee7f

SHA256
56b7fa19921c9b9ac3f3e3e5527d001405137a0a337bd96ed244a8dbfac672f6

SHA512
9c4523b1a4fca2ae5d034fd150687d4114fe40072c00b81d868433be77c3d7ce10a21479a9d87107939b6cf6031494857d39508d27be437e98e78fa4372e373e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYgk.exe

Filesize
236KB

MD5
69a6c4befb8af497fbfd8f124f7b7caf

SHA1
c452f4932536887d845859c71fe8b6f1872a8ecc

SHA256
881180a3ea79bc02598cbcc3a995ace968a13e25909d25b23b2a25893aa0afc7

SHA512
e5477c9320ed9610835c0f31013026ddef90f9e5202911f853ec745e1a6c9b7b5cd529e8bfc947349eb2f9f7a8e15140f3f012683dee08cdcdb7969fc73214d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcYG.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkAA.exe

Filesize
186KB

MD5
dac84f842c86bcfa7fae6b168c971c72

SHA1
5b72d88bbd0cef9a52b3e47d1083bf62ffc27422

SHA256
1936eb5cd9894648e90c688e1c9f6ab003e835330b6c9ebb09e99acae86b9878

SHA512
6bd3d1baf1b4e5b17a271a5d871e586252d0f86601f4360227efeb0c82199a47cd2d98c3f2e95bd0c2b0df4c620e4757ffabce678b99eaf4851f4fa1fe31d3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wokW.exe

Filesize
197KB

MD5
57a26e419101a92d7bc16914c5a93bf0

SHA1
d26b3c5f93a43afd25c7a5d24e8dcb08c5847994

SHA256
291326b5ad603d81a1a7760d52ca756668d11d394016c82acc1e938c7f7bddae

SHA512
e77c12e516de59de1a601436b7b74f689fdfd593b72e1b5af76379bb7d132147dc586de9d784a9f4674ab4f14484b1c001ea922804ae7ad6b49a05b37132c749

Download Submit
C:\Users\Admin\AppData\Local\Temp\wskcgIQw.bat

Filesize
4B

MD5
cf1c8ef0db99c2158fea0bcbbf19c7c4

SHA1
a3f622fd92b0da9673d691610e9824f892dfb3a3

SHA256
40f3d994426c16cad4a2fda74a6f6ee494e1d25b7cb6392028f39f8f485dae3a

SHA512
9b4d459935ad8fc420d17e42fa69f3dcdab62d314398fa9d7b32906da686f3493b0cb6baf0455974d0ac523926ef4e63327d8eebc0d203d0c5da24000a57dae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcIcEwQM.bat

Filesize
4B

MD5
041d520b8ae7b2c30af049292af5e4ae

SHA1
9eccf3cfb0f276c65f1d89cf064e2b700ab5ea80

SHA256
9edcbab261e727b07481dec562272514098b1bac05732993adb7931aacc92ed5

SHA512
490403af90508520d6100da3d647acab621ff2fcb1b84a0ff19fc3648692307fef41c5521d1c369bfae71be8f037229d69917b3d30c753e0982e87989161f389

Download Submit
C:\Users\Admin\AppData\Local\Temp\yCIAEUkg.bat

Filesize
4B

MD5
8255345744bf431c25dfc5eebe9e575b

SHA1
03cac815062be8e50383794fde0ded07a1466f2e

SHA256
9c1bf7d7d1d57c0132ec268d0d5b7536c84c2e0780956105d94ba49483b5cce1

SHA512
1ab71d9dfd34f387308a3ba8b8e05e02a5da94da137f372058fd101304b32eab7c2d28a1c62d2af32e28a25ca54bce44f68fa49e3d9a00d2818befd0f51d118d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEEW.exe

Filesize
239KB

MD5
3af4d1d42af7102ba7abfa04f713e5d2

SHA1
f242879fdd5e7ff46e33717074a580b5aad9af7c

SHA256
0c5e6af46ed1c6cc79724a6919393f50335b75eca96ca33f76154dc7e6895fb3

SHA512
49133df477c14eb97f2580f750003ad217ca39fbed014879366adc236f828bd757fac4caadd97690ae4bd9a9714f9cd6847cab248ff68fdd7905d75db639ab83

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEMI.exe

Filesize
203KB

MD5
6c733aa15c9d919b372e766c81cdf0d7

SHA1
599138d2772bb849116c839f4c3ef52f52071af8

SHA256
8c9b350fa5bf5bb10e24f6f20547ccde07d8c0e24984b1b93e33b15a32fb8238

SHA512
2b24268d92bdc622faaad8b0d6b85d9992e9ef832e922797b7dc43135f1b84af7b4c55e5036b90295673a14e14dbd4960695e52af7e144d05a7707974a680348

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIgm.exe

Filesize
4.1MB

MD5
0f27d70e96712603be8abe2c67db1ac0

SHA1
17535a31e836af43be1db3dd7353cd3177e1cf3d

SHA256
1a9cecd2ff6b5ce3e3ea24875fb2a5aed4337f2b9dbf094f3200455051632502

SHA512
dd8c27bd054864d913be2c7c4c1884ecc0c15a6c19223a64180151c8b5f3acc3be90a9449c321b3f0ec025efad6212cc2cf6d0c99d7029892cb734744d7c3dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoAc.exe

Filesize
4.8MB

MD5
0e98e406cbd615699ce62d4f576fbfa0

SHA1
9301edef43e1dc6791d37577140fe9d665ff4259

SHA256
a3d3f18a49953b5c4eb1fa0e408f3b205af0d3a2ce7e3a65d2c00d7dc056865b

SHA512
5b1fbe41dbc32698ab649a7ed9dcac2e70297a6b6b26260122d2b869678a3c04f289adba8064cdac7c3ba8e8bd7178e335fb2e08d087beaee373c50cb68dde09

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoEo.exe

Filesize
330KB

MD5
08d1b3abe9f802fe7b6c0d6f75912516

SHA1
6abee7182d4e061dd3243ae3f2d996fb5c7b86d5

SHA256
c40f609229920c51a8f23f24e83bdfc8f99e7e2b1b590b96427cd6d0d980ddeb

SHA512
84c4f60e4bf1c3153cbdc900351b0905d6bb899f2fd376a588729a67a2cfeaded6339f3feb45305af21e113dc287631d47e59063b62f69740e132253e5aad555

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysQo.exe

Filesize
240KB

MD5
7ab242f7f95d8641244f939176079ce4

SHA1
5f3a55626c5cb58e6ccc7d852719fc3f51461a55

SHA256
7af563351ce80be08183c3f16d7de7739e5b55a80abec05255c767d4d3e7ab77

SHA512
f65be6517ad169e01e71967ba93c96dc3997828ea9dc40863be4040644e5219c4e25c08680978adbbf639870431851b8bec4634daa9d5816a9a13164ee65b94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMQMccQo.bat

Filesize
4B

MD5
75169cbe05bbbe328deb5a6bda2bead7

SHA1
b3e5c8a6cadeab7d005e3c4ff103296a448ee039

SHA256
228e5aac98f144a83a22cbacb344025e4d83ff7060959552649e64af82f5f86f

SHA512
bc4c4d6ac94004d8e33f390b18e50ef262ad9d7059e5fd65ad3d9583514a0d0c265d06b2fb9ee196aa2bdddf85955ef523c74e02a2fe2d54bd4ad39138340f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zSYEwQUw.bat

Filesize
4B

MD5
c416864993a8be7de0671f8d4a1228c4

SHA1
1c57707ba2629c6828c5975085e46f6818749332

SHA256
91d1fc514f48dd50a713972bd0427e8832990a22ee697406b9f62c01d887d122

SHA512
2b8837f9f8c65c78574fb9b153728629921302e5576f2cc1d9b85a1a6b44437b761cf20d2cb787eff9c8e8bcf29ace88a87bb14e55d9955f2469192f335c1a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUkMwIUk.bat

Filesize
4B

MD5
27bb556497b1c71042e8f58a3c5bd201

SHA1
048a4720a0b9424a8b1701d71800c3910e455375

SHA256
84261c0263889d78d9cc508f87652bb31fb670b3b61b74d1c1da8763c1c10514

SHA512
358a5a0a3678a3d51eafef66e36c3efa3457ca4af51591399dc147fa8901b6ecb68e96bfb367b689dcb80a609bfbace338022172f3c1c667745d3bf6b96c8f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zagAUwcE.bat

Filesize
4B

MD5
ff835735325b140f574732b3817924e6

SHA1
53c88482f74a2159b8954260031d8763845e8264

SHA256
b5016c5947a0b6295e772868b55ff25097196a43f09ecd1a5c3eb1b67336d15b

SHA512
2459f45049358b282466ecbccd5d95a9f681a50e81a87afd905a0721b47b525cbc8dba43cc154cc8e5da398236a5a667809d91c217a91e5bbff256adcac029ce

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe

Filesize
939KB

MD5
c25cf1a2aff2f27977382e7f746cc812

SHA1
7921e155322a545e0381ecf24f4430f48292f55e

SHA256
78ee755a2b76e114ed9d915b70d8f7a90d3d0c5d1ef6cc4a8a6f21f3ece7bec5

SHA512
128b16ce5dcdf5db10481044b389994514b58e757a380623e9943054b3f67865041e12c8b479b7346e63cbbc8d4db7ca5a74664d8bb0980049542dcdc931931a

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe

Filesize
957KB

MD5
9e7716a83dc00b17e7481ef72b39bd42

SHA1
517ce833bd854173ea67357ff413b804d8c7438f

SHA256
4f4210c322155757e952e3ce77e86612fa796b04d5a1d8183bdfab41a2010d0f

SHA512
0ad67a0e6a45bcd0a02406d975d1133b7fa3ff6c6b98325d4351fc0c1817e0b9212cc79b4f98175af378b6b7d8ec923d0a7fb40daca0c8f276e38ce8d9bed275

Download Submit
\Users\Admin\ssoIwAoU\WwsAYAUk.exe

Filesize
193KB

MD5
34e2023722884e001f2614e7c9f11191

SHA1
1e7b5ed9713976ee1ecdb9bf3f802ded98abe9fe

SHA256
4d00ea91d0c2163d72759a1bc214068c03ccfe2c232825139765de232b28d53c

SHA512
8d13e1c5c46b7101c73f153d1ab8f904d60b7a2397ca0e3c8b4fda735bc45a937c5df50717dceed4d2941187a93487ec0e4d9173a09fc29c629877c379ce1e4a

Download Submit
memory/340-10-0x0000000000460000-0x0000000000492000-memory.dmp

Filesize
200KB

Download
memory/340-20-0x0000000000460000-0x0000000000493000-memory.dmp

Filesize
204KB

Download
memory/340-39-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/340-9-0x0000000000460000-0x0000000000492000-memory.dmp

Filesize
200KB

Download
memory/340-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/544-514-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/544-485-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/596-785-0x0000000000160000-0x0000000000190000-memory.dmp

Filesize
192KB

Download
memory/596-784-0x0000000000160000-0x0000000000190000-memory.dmp

Filesize
192KB

Download
memory/744-125-0x00000000000F0000-0x0000000000120000-memory.dmp

Filesize
192KB

Download
memory/768-629-0x0000000000140000-0x0000000000170000-memory.dmp

Filesize
192KB

Download
memory/768-628-0x0000000000140000-0x0000000000170000-memory.dmp

Filesize
192KB

Download
memory/780-649-0x00000000001E0000-0x0000000000210000-memory.dmp

Filesize
192KB

Download
memory/780-650-0x00000000001E0000-0x0000000000210000-memory.dmp

Filesize
192KB

Download
memory/836-239-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/868-630-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-607-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/1012-824-0x0000000000170000-0x00000000001A0000-memory.dmp

Filesize
192KB

Download
memory/1012-825-0x0000000000170000-0x00000000001A0000-memory.dmp

Filesize
192KB

Download
memory/1084-261-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1084-260-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1088-135-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1108-306-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/1108-307-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/1132-192-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/1320-814-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1356-794-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1356-765-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1376-462-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/1376-461-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/1548-534-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1548-505-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1592-804-0x0000000000180000-0x00000000001B0000-memory.dmp

Filesize
192KB

Download
memory/1616-270-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1624-247-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1624-217-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1632-707-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1632-735-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1640-659-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1740-504-0x00000000001A0000-0x00000000001D0000-memory.dmp

Filesize
192KB

Download
memory/1744-156-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1744-126-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1784-403-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1808-292-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1836-716-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1836-686-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1908-381-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1992-554-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1992-525-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2012-80-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2012-112-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2036-564-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2060-463-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2060-494-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2064-586-0x0000000000300000-0x0000000000330000-memory.dmp

Filesize
192KB

Download
memory/2064-587-0x0000000000300000-0x0000000000330000-memory.dmp

Filesize
192KB

Download
memory/2116-753-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2160-177-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2192-544-0x00000000001F0000-0x0000000000220000-memory.dmp

Filesize
192KB

Download
memory/2272-394-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2272-425-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2276-705-0x00000000004F0000-0x0000000000520000-memory.dmp

Filesize
192KB

Download
memory/2276-41-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2276-706-0x00000000004F0000-0x0000000000520000-memory.dmp

Filesize
192KB

Download
memory/2276-40-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2284-695-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2300-588-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2300-618-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2304-448-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2316-774-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2328-685-0x00000000002F0000-0x0000000000320000-memory.dmp

Filesize
192KB

Download
memory/2388-608-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2392-524-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2404-726-0x0000000000320000-0x0000000000350000-memory.dmp

Filesize
192KB

Download
memory/2436-89-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2448-416-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2512-57-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/2604-358-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2632-805-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2656-438-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/2680-439-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2680-472-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2724-316-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2768-42-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2768-66-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2788-337-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2840-545-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2840-575-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2844-225-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2888-202-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2944-639-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2944-609-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2980-79-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/3036-2790-0x0000000077330000-0x000000007744F000-memory.dmp

Filesize
1.1MB

Download
memory/3036-179-0x0000000077230000-0x000000007732A000-memory.dmp

Filesize
1000KB

Download
memory/3036-178-0x0000000077330000-0x000000007744F000-memory.dmp

Filesize
1.1MB

Download
memory/3040-565-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3040-597-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download