003227ff26fa20b16dddbdf0b791b40c328b0259ddcec860d73861b9b9fe8468

Analysis

max time kernel
151s
max time network
101s
platform
windows7_x64
resource
win7v20201028
submitted
24-02-2021 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample33.exe
Size

524KB
MD5

e752df4c77b8dfa34a902f28c31bb40d
SHA1

a815ae15431626dcffb2be073d1f51f25dede408
SHA256

003227ff26fa20b16dddbdf0b791b40c328b0259ddcec860d73861b9b9fe8468
SHA512

72454c9185ff3a841a36bf952e490f1b72d87b0337b3d5fa6c97d93fec78ceb8162b2abc5e7fa0fba0f62ced6af7ed210888bf3b451154f3519ef7d15897af1e

Score

10^/10

evasion persistence ransomware spyware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

sample33.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\MykIcQck\\RAgQIkII.exe,"	sample33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\MykIcQck\\RAgQIkII.exe,"	sample33.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

TwoYcYII.exeRAgQIkII.exebygIQAEQ.exe

pid process

1236 TwoYcYII.exe
2032 RAgQIkII.exe
652 bygIQAEQ.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

TwoYcYII.exe

description ioc process

File created C:\Users\Admin\Pictures\SuspendShow.png.exe TwoYcYII.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

TwoYcYII.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation TwoYcYII.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\SuspendShow.png.exe	TwoYcYII.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation	TwoYcYII.exe

Loads dropped DLL 16 IoCs

Processes:

sample33.exeTwoYcYII.exe

pid	process
1656	sample33.exe
1656	sample33.exe
1656	sample33.exe
1656	sample33.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sample33.exeRAgQIkII.exeTwoYcYII.exebygIQAEQ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\TwoYcYII.exe = "C:\\Users\\Admin\\dkcgokYo\\TwoYcYII.exe"	sample33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RAgQIkII.exe = "C:\\ProgramData\\MykIcQck\\RAgQIkII.exe"	sample33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RAgQIkII.exe = "C:\\ProgramData\\MykIcQck\\RAgQIkII.exe"	RAgQIkII.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\TwoYcYII.exe = "C:\\Users\\Admin\\dkcgokYo\\TwoYcYII.exe"	TwoYcYII.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RAgQIkII.exe = "C:\\ProgramData\\MykIcQck\\RAgQIkII.exe"	bygIQAEQ.exe

Drops file in System32 directory 2 IoCs

Processes:

bygIQAEQ.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\dkcgokYo	bygIQAEQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\dkcgokYo\TwoYcYII	bygIQAEQ.exe

Drops file in Windows directory 1 IoCs

Processes:

TwoYcYII.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico TwoYcYII.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	TwoYcYII.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1748	reg.exe
1764	reg.exe
1312	reg.exe
1920	reg.exe
1700	reg.exe
1160	reg.exe
1748	reg.exe
1712	reg.exe
1656	reg.exe
1700	reg.exe
1432	reg.exe
316	reg.exe
1604	reg.exe
1652	reg.exe
560	reg.exe
1524	reg.exe
1352	reg.exe
1960	reg.exe
1984	reg.exe
1632	reg.exe
892	reg.exe
1516	reg.exe
2040	reg.exe
692	reg.exe
1896	reg.exe
316	reg.exe
1660	reg.exe
308	reg.exe
2020	reg.exe
1708	reg.exe
1708	reg.exe
1752	reg.exe
1628	reg.exe
892	reg.exe
1536	reg.exe
384	reg.exe
1708	reg.exe
2000	reg.exe
1740	reg.exe
1808	reg.exe
1764	reg.exe
1652	reg.exe
692	reg.exe
520	reg.exe
1920	reg.exe
1920	reg.exe
1512	reg.exe
1960	reg.exe
1056	reg.exe
2020	reg.exe
1160	reg.exe
1764	reg.exe
308	reg.exe
1960	reg.exe
1712	reg.exe
1432	reg.exe
1264	reg.exe
1648	reg.exe
1096	reg.exe
1804	reg.exe
1804	reg.exe
1788	reg.exe
1800	reg.exe
1096	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exe

pid	process
1656	sample33.exe
1656	sample33.exe
1168	sample33.exe
1168	sample33.exe
1632	sample33.exe
1632	sample33.exe
1920	sample33.exe
1920	sample33.exe
1740	sample33.exe
1740	sample33.exe
2020	sample33.exe
2020	sample33.exe
520	sample33.exe
520	sample33.exe
1796	sample33.exe
1796	sample33.exe
1284	sample33.exe
1284	sample33.exe
1708	sample33.exe
1708	sample33.exe
1960	sample33.exe
1960	sample33.exe
860	sample33.exe
860	sample33.exe
828	sample33.exe
828	sample33.exe
1648	sample33.exe
1648	sample33.exe
1284	sample33.exe
1284	sample33.exe
1656	sample33.exe
1656	sample33.exe
1692	sample33.exe
1692	sample33.exe
1680	sample33.exe
1680	sample33.exe
1700	sample33.exe
1700	sample33.exe
1140	sample33.exe
1140	sample33.exe
804	sample33.exe
804	sample33.exe
1512	sample33.exe
1512	sample33.exe
1432	sample33.exe
1432	sample33.exe
1800	sample33.exe
1800	sample33.exe
1352	sample33.exe
1352	sample33.exe
1388	sample33.exe
1388	sample33.exe
968	sample33.exe
968	sample33.exe
2016	sample33.exe
2016	sample33.exe
1284	sample33.exe
1284	sample33.exe
316	sample33.exe
316	sample33.exe
1264	sample33.exe
1264	sample33.exe
860	sample33.exe
860	sample33.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TwoYcYII.exe

pid process

1236 TwoYcYII.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

TwoYcYII.exe

pid	process
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe
1236	TwoYcYII.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sample33.execmd.exesample33.execmd.execmd.exesample33.execmd.exe

description	pid	process	target process
PID 1656 wrote to memory of 1236	1656	sample33.exe	TwoYcYII.exe
PID 1656 wrote to memory of 1236	1656	sample33.exe	TwoYcYII.exe
PID 1656 wrote to memory of 1236	1656	sample33.exe	TwoYcYII.exe
PID 1656 wrote to memory of 1236	1656	sample33.exe	TwoYcYII.exe
PID 1656 wrote to memory of 2032	1656	sample33.exe	RAgQIkII.exe
PID 1656 wrote to memory of 2032	1656	sample33.exe	RAgQIkII.exe
PID 1656 wrote to memory of 2032	1656	sample33.exe	RAgQIkII.exe
PID 1656 wrote to memory of 2032	1656	sample33.exe	RAgQIkII.exe
PID 1656 wrote to memory of 1780	1656	sample33.exe	cmd.exe
PID 1656 wrote to memory of 1780	1656	sample33.exe	cmd.exe
PID 1656 wrote to memory of 1780	1656	sample33.exe	cmd.exe
PID 1656 wrote to memory of 1780	1656	sample33.exe	cmd.exe
PID 1780 wrote to memory of 1168	1780	cmd.exe	sample33.exe
PID 1780 wrote to memory of 1168	1780	cmd.exe	sample33.exe
PID 1780 wrote to memory of 1168	1780	cmd.exe	sample33.exe
PID 1780 wrote to memory of 1168	1780	cmd.exe	sample33.exe
PID 1656 wrote to memory of 1732	1656	sample33.exe	reg.exe
PID 1656 wrote to memory of 1732	1656	sample33.exe	reg.exe
PID 1656 wrote to memory of 1732	1656	sample33.exe	reg.exe
PID 1656 wrote to memory of 1732	1656	sample33.exe	reg.exe
PID 1656 wrote to memory of 1748	1656	sample33.exe	reg.exe
PID 1656 wrote to memory of 1748	1656	sample33.exe	reg.exe
PID 1656 wrote to memory of 1748	1656	sample33.exe	reg.exe
PID 1656 wrote to memory of 1748	1656	sample33.exe	reg.exe
PID 1656 wrote to memory of 1728	1656	sample33.exe	reg.exe
PID 1656 wrote to memory of 1728	1656	sample33.exe	reg.exe
PID 1656 wrote to memory of 1728	1656	sample33.exe	reg.exe
PID 1656 wrote to memory of 1728	1656	sample33.exe	reg.exe
PID 1168 wrote to memory of 1600	1168	sample33.exe	cmd.exe
PID 1168 wrote to memory of 1600	1168	sample33.exe	cmd.exe
PID 1168 wrote to memory of 1600	1168	sample33.exe	cmd.exe
PID 1168 wrote to memory of 1600	1168	sample33.exe	cmd.exe
PID 1600 wrote to memory of 1632	1600	cmd.exe	sample33.exe
PID 1600 wrote to memory of 1632	1600	cmd.exe	sample33.exe
PID 1600 wrote to memory of 1632	1600	cmd.exe	sample33.exe
PID 1600 wrote to memory of 1632	1600	cmd.exe	sample33.exe
PID 1168 wrote to memory of 1628	1168	sample33.exe	reg.exe
PID 1168 wrote to memory of 1628	1168	sample33.exe	reg.exe
PID 1168 wrote to memory of 1628	1168	sample33.exe	reg.exe
PID 1168 wrote to memory of 1628	1168	sample33.exe	reg.exe
PID 1168 wrote to memory of 860	1168	sample33.exe	reg.exe
PID 1168 wrote to memory of 860	1168	sample33.exe	reg.exe
PID 1168 wrote to memory of 860	1168	sample33.exe	reg.exe
PID 1168 wrote to memory of 860	1168	sample33.exe	reg.exe
PID 1168 wrote to memory of 1096	1168	sample33.exe	reg.exe
PID 1168 wrote to memory of 1096	1168	sample33.exe	reg.exe
PID 1168 wrote to memory of 1096	1168	sample33.exe	reg.exe
PID 1168 wrote to memory of 1096	1168	sample33.exe	reg.exe
PID 1168 wrote to memory of 1512	1168	sample33.exe	cmd.exe
PID 1168 wrote to memory of 1512	1168	sample33.exe	cmd.exe
PID 1168 wrote to memory of 1512	1168	sample33.exe	cmd.exe
PID 1168 wrote to memory of 1512	1168	sample33.exe	cmd.exe
PID 1512 wrote to memory of 1924	1512	cmd.exe	cscript.exe
PID 1512 wrote to memory of 1924	1512	cmd.exe	cscript.exe
PID 1512 wrote to memory of 1924	1512	cmd.exe	cscript.exe
PID 1512 wrote to memory of 1924	1512	cmd.exe	cscript.exe
PID 1632 wrote to memory of 864	1632	sample33.exe	cmd.exe
PID 1632 wrote to memory of 864	1632	sample33.exe	cmd.exe
PID 1632 wrote to memory of 864	1632	sample33.exe	cmd.exe
PID 1632 wrote to memory of 864	1632	sample33.exe	cmd.exe
PID 864 wrote to memory of 1920	864	cmd.exe	sample33.exe
PID 864 wrote to memory of 1920	864	cmd.exe	sample33.exe
PID 864 wrote to memory of 1920	864	cmd.exe	sample33.exe
PID 864 wrote to memory of 1920	864	cmd.exe	sample33.exe

C:\Users\Admin\AppData\Local\Temp\sample33.exe
"C:\Users\Admin\AppData\Local\Temp\sample33.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\dkcgokYo\TwoYcYII.exe
"C:\Users\Admin\dkcgokYo\TwoYcYII.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1236

C:\ProgramData\MykIcQck\RAgQIkII.exe
"C:\ProgramData\MykIcQck\RAgQIkII.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
4⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
6⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
8⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
10⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
12⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:520

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
14⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
16⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
18⤵
PID:292

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
20⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
22⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:860

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
24⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:828

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
26⤵
PID:308

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
28⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
30⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
32⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
34⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
36⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
37⤵
- Suspicious behavior: EnumeratesProcesses
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
38⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
40⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
41⤵
- Suspicious behavior: EnumeratesProcesses
PID:804

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
42⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
43⤵
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
44⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
45⤵
- Suspicious behavior: EnumeratesProcesses
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
46⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
47⤵
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
48⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
49⤵
- Suspicious behavior: EnumeratesProcesses
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
50⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
51⤵
- Suspicious behavior: EnumeratesProcesses
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
52⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
53⤵
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
54⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
56⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
57⤵
- Suspicious behavior: EnumeratesProcesses
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
58⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
59⤵
- Suspicious behavior: EnumeratesProcesses
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
60⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
61⤵
- Suspicious behavior: EnumeratesProcesses
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
62⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
63⤵
- Suspicious behavior: EnumeratesProcesses
PID:860

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
64⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
65⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
66⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
67⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
68⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
69⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
70⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
71⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
72⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
73⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
74⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
75⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
76⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
77⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
78⤵
PID:728

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
79⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
80⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
81⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
82⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
83⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
84⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
85⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
86⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
87⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
88⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
89⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
90⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
91⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
92⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
93⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
94⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
95⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
96⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
97⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
98⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
99⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
100⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
101⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
102⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
103⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
104⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
105⤵
PID:308

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
106⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
107⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
108⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
109⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
110⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
111⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
112⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
113⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
114⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
115⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
116⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
117⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
118⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
119⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
120⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
121⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
122⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
123⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
124⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
125⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
126⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
127⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
128⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
129⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
130⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
131⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
132⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
133⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
134⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
135⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
136⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
137⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
138⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
139⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
140⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
141⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
142⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
143⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
144⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
145⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
146⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
147⤵
PID:284

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sample33"
148⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
149⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
- Modifies registry key
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wqosQgcU.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
148⤵
PID:1168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:1312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies registry key
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\scEIsEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
146⤵
PID:936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nqocMUAI.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
144⤵
PID:1940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:1168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kgcMUwUc.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
142⤵
PID:1036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
- Modifies registry key
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nasEowwk.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
140⤵
PID:1648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies registry key
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OeAIUAcs.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
138⤵
PID:1300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
- Modifies registry key
PID:892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- Modifies registry key
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ocsQIoYY.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
136⤵
PID:432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies registry key
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies registry key
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kKkccIkA.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
134⤵
PID:1808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VEEYkoAg.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
132⤵
PID:1652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qSUQoYos.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
130⤵
PID:548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mukAcwoE.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
128⤵
PID:908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IuYgEUIs.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
126⤵
PID:912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies registry key
PID:1312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xcQEMMAM.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
124⤵
PID:316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- Modifies registry key
PID:1056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nkkMwEwA.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
122⤵
PID:1656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UCMkYgAU.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
120⤵
PID:1168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
- Modifies registry key
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:728

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XKoIIIAc.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
118⤵
PID:1496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies registry key
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\faEwMgQU.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
116⤵
PID:1312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
- Modifies registry key
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuAoEYMc.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
114⤵
PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOkwkUIY.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
112⤵
PID:1708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- Modifies registry key
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oCYsoQkA.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
110⤵
PID:1204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOgAAIEU.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
108⤵
PID:1160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ksIMMwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
106⤵
PID:1704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- Modifies registry key
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
- Modifies registry key
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- Modifies registry key
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QoIQwwIM.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
104⤵
PID:1612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
- Modifies registry key
PID:892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
- Modifies registry key
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZsgUAkcw.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
102⤵
PID:1680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWkIgcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
100⤵
PID:1800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- Modifies registry key
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oqsAoYkw.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
98⤵
PID:2024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies registry key
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JocMcccc.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
96⤵
PID:1084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- Modifies registry key
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies registry key
PID:308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jMIUcgwU.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
94⤵
PID:1164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vyQMEEQI.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
92⤵
PID:892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OusAAscs.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
90⤵
PID:520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
- Modifies registry key
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jicoQQok.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
88⤵
PID:908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMUQQsMY.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
86⤵
PID:1896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- Modifies registry key
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYAsYoQI.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
84⤵
PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUYMAMkc.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
82⤵
PID:1840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- Modifies registry key
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BeoMEMkw.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
80⤵
PID:1536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- Modifies registry key
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\psQsUsIo.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
78⤵
PID:692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BUMAoAsE.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
76⤵
PID:292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- Modifies registry key
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jAQYcsQA.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
74⤵
PID:1652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- Modifies registry key
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- Modifies registry key
PID:520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HIwwYwEw.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
72⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MEcswUUw.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
70⤵
PID:1648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies registry key
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- Modifies registry key
PID:692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lWsAMgwA.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
68⤵
PID:1576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QwoEMYQs.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
66⤵
PID:1980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IIYYwEcs.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
64⤵
PID:1536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- Modifies registry key
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mOEEkMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
62⤵
PID:1700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- Modifies registry key
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies registry key
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies registry key
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSgcMEAo.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
60⤵
PID:1712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vwEYcQwA.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
58⤵
PID:804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DwgAQIsw.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
56⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies registry key
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aQAswkQY.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
54⤵
PID:1264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIUIAsIU.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
52⤵
PID:1168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KOIUMEYc.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
50⤵
PID:804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- Modifies registry key
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CeQkMswk.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
48⤵
PID:1284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rEUYQQIs.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
46⤵
PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oUIsEEsg.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
44⤵
PID:1000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies registry key
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\maQAAYMo.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
42⤵
PID:1072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UUMoIkMI.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
40⤵
PID:828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- Modifies registry key
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DckcIYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
38⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rsosQMUU.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
36⤵
PID:1160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AekIsUMs.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
34⤵
PID:1808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies registry key
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\egoMMsQM.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
32⤵
PID:1160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- Modifies registry key
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FSAIEIIk.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
30⤵
PID:1712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mwwockYY.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
28⤵
PID:892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies registry key
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- Modifies registry key
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hgwEwogA.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
26⤵
PID:1652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OGYoskUQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
24⤵
PID:888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HiAgccUw.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
22⤵
PID:1536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies registry key
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- Modifies registry key
PID:1800

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IwQgUIMw.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
20⤵
PID:1000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies registry key
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tskMgcoE.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
18⤵
PID:1512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies registry key
PID:308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oIMQIgwc.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
16⤵
PID:1612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vcccsoMk.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
14⤵
PID:1432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOUUUkso.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
12⤵
PID:828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies registry key
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AYckMIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
10⤵
PID:2044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies registry key
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- Modifies registry key
PID:1788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vcssAgkY.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
8⤵
PID:1168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgkcUQEU.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
6⤵
PID:1580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies registry key
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vooEYkEo.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EAUYEwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
2⤵
PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:296

C:\ProgramData\CkEAooAU\bygIQAEQ.exe
C:\ProgramData\CkEAooAU\bygIQAEQ.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CkEAooAU\bygIQAEQ.exe
MD5
226340d3a96ad80a2304d27a1301b041

SHA1
5d119418bef9008bad0b3852acbfee772b905182

SHA256
6616b6bbaf95a2d2591d6d94af29f55fe0a5b946c6389c346756ac8a132578f1

SHA512
05a2a5f2c39a9a5c4981f850a72cd13fe41c419f31e8429e7d9656cb4ed83d91a0c1c39e37457343263aac404bd9c2f40562b93a3a7784b4dc4bb1448029f595

Download Submit
C:\ProgramData\MykIcQck\RAgQIkII.exe
MD5
fe05d00ee0628ea67c6e6fdf125c2fd7

SHA1
f84753069809884820c33e4ba8fcc4abc785aad5

SHA256
5fefad9bfb4b2e864a6fb732c904f07674918b097b1fb274ab60a3eee8f44646

SHA512
e3d2673b09736cc708b7300c47c51f81ae7b8eb47fdb9edc9931bc70ca640b43a67bcd17f93c46df737284d049084b5381f6b9d6b1c2978e591b70c6d4ea58c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYckMIgQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAUYEwUQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FSAIEIIk.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiAgccUw.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwQgUIMw.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGYoskUQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgkcUQEU.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgwEwogA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwwockYY.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIMQIgwc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tskMgcoE.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOUUUkso.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcccsoMk.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcssAgkY.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vooEYkEo.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\dkcgokYo\TwoYcYII.exe
MD5
382eaa975c3d8e05c13d090a26eba1f3

SHA1
2cb6cbfee0a9f5c2872832a92d0fcf7dc9bf1c91

SHA256
2eb790d6b550193cb56aa99317892e0313d8764c29d3537a0e4f21857dc23b66

SHA512
e01b763dc0da7832d6de9f6afc36ff0b51b9d5556c77580fec07cc134fa97402b04237051dd6d452c981266d0f3fb05e895ebc0d1449376efa50cb7f840b6abf

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\ProgramData\MykIcQck\RAgQIkII.exe
MD5
fe05d00ee0628ea67c6e6fdf125c2fd7

SHA1
f84753069809884820c33e4ba8fcc4abc785aad5

SHA256
5fefad9bfb4b2e864a6fb732c904f07674918b097b1fb274ab60a3eee8f44646

SHA512
e3d2673b09736cc708b7300c47c51f81ae7b8eb47fdb9edc9931bc70ca640b43a67bcd17f93c46df737284d049084b5381f6b9d6b1c2978e591b70c6d4ea58c6

Download Submit
\ProgramData\MykIcQck\RAgQIkII.exe
MD5
fe05d00ee0628ea67c6e6fdf125c2fd7

SHA1
f84753069809884820c33e4ba8fcc4abc785aad5

SHA256
5fefad9bfb4b2e864a6fb732c904f07674918b097b1fb274ab60a3eee8f44646

SHA512
e3d2673b09736cc708b7300c47c51f81ae7b8eb47fdb9edc9931bc70ca640b43a67bcd17f93c46df737284d049084b5381f6b9d6b1c2978e591b70c6d4ea58c6

Download Submit
\Users\Admin\dkcgokYo\TwoYcYII.exe
MD5
382eaa975c3d8e05c13d090a26eba1f3

SHA1
2cb6cbfee0a9f5c2872832a92d0fcf7dc9bf1c91

SHA256
2eb790d6b550193cb56aa99317892e0313d8764c29d3537a0e4f21857dc23b66

SHA512
e01b763dc0da7832d6de9f6afc36ff0b51b9d5556c77580fec07cc134fa97402b04237051dd6d452c981266d0f3fb05e895ebc0d1449376efa50cb7f840b6abf

Download Submit
\Users\Admin\dkcgokYo\TwoYcYII.exe
MD5
382eaa975c3d8e05c13d090a26eba1f3

SHA1
2cb6cbfee0a9f5c2872832a92d0fcf7dc9bf1c91

SHA256
2eb790d6b550193cb56aa99317892e0313d8764c29d3537a0e4f21857dc23b66

SHA512
e01b763dc0da7832d6de9f6afc36ff0b51b9d5556c77580fec07cc134fa97402b04237051dd6d452c981266d0f3fb05e895ebc0d1449376efa50cb7f840b6abf

Download Submit
memory/292-119-0x0000000000000000-mapping.dmp

Download
memory/292-303-0x0000000002540000-0x0000000002544000-memory.dmp

Filesize
16KB

Download
memory/296-114-0x00000000026C0000-0x00000000026C4000-memory.dmp

Filesize
16KB

Download
memory/296-101-0x0000000000000000-mapping.dmp

Download
memory/308-108-0x0000000000000000-mapping.dmp

Download
memory/308-308-0x0000000002880000-0x0000000002884000-memory.dmp

Filesize
16KB

Download
memory/316-162-0x00000000027C0000-0x00000000027C4000-memory.dmp

Filesize
16KB

Download
memory/316-285-0x00000000026E0000-0x00000000026E4000-memory.dmp

Filesize
16KB

Download
memory/316-65-0x0000000000000000-mapping.dmp

Download
memory/384-145-0x00000000025B0000-0x00000000025B4000-memory.dmp

Filesize
16KB

Download
memory/384-189-0x0000000002800000-0x0000000002804000-memory.dmp

Filesize
16KB

Download
memory/384-234-0x0000000002640000-0x0000000002644000-memory.dmp

Filesize
16KB

Download
memory/432-85-0x0000000000000000-mapping.dmp

Download
memory/432-252-0x0000000002890000-0x0000000002894000-memory.dmp

Filesize
16KB

Download
memory/520-49-0x0000000002730000-0x0000000002734000-memory.dmp

Filesize
16KB

Download
memory/520-71-0x0000000000000000-mapping.dmp

Download
memory/520-43-0x0000000000000000-mapping.dmp

Download
memory/520-273-0x0000000002610000-0x0000000002614000-memory.dmp

Filesize
16KB

Download
memory/692-123-0x0000000000000000-mapping.dmp

Download
memory/692-345-0x0000000002670000-0x0000000002674000-memory.dmp

Filesize
16KB

Download
memory/804-169-0x0000000002680000-0x0000000002684000-memory.dmp

Filesize
16KB

Download
memory/828-222-0x0000000002760000-0x0000000002764000-memory.dmp

Filesize
16KB

Download
memory/828-82-0x0000000000000000-mapping.dmp

Download
memory/860-26-0x0000000000000000-mapping.dmp

Download
memory/864-32-0x0000000000000000-mapping.dmp

Download
memory/892-36-0x0000000000000000-mapping.dmp

Download
memory/908-300-0x0000000002620000-0x0000000002624000-memory.dmp

Filesize
16KB

Download
memory/912-267-0x00000000027A0000-0x00000000027A4000-memory.dmp

Filesize
16KB

Download
memory/912-179-0x0000000002660000-0x0000000002664000-memory.dmp

Filesize
16KB

Download
memory/936-67-0x0000000000000000-mapping.dmp

Download
memory/936-212-0x00000000026D0000-0x00000000026D4000-memory.dmp

Filesize
16KB

Download
memory/1000-192-0x0000000002820000-0x0000000002824000-memory.dmp

Filesize
16KB

Download
memory/1036-263-0x0000000002840000-0x0000000002844000-memory.dmp

Filesize
16KB

Download
memory/1036-204-0x0000000002760000-0x0000000002764000-memory.dmp

Filesize
16KB

Download
memory/1056-97-0x0000000000000000-mapping.dmp

Download
memory/1072-315-0x0000000002650000-0x0000000002654000-memory.dmp

Filesize
16KB

Download
memory/1072-245-0x0000000002630000-0x0000000002634000-memory.dmp

Filesize
16KB

Download
memory/1096-210-0x0000000002670000-0x0000000002674000-memory.dmp

Filesize
16KB

Download
memory/1096-27-0x0000000000000000-mapping.dmp

Download
memory/1096-237-0x0000000002690000-0x0000000002694000-memory.dmp

Filesize
16KB

Download
memory/1140-207-0x0000000002770000-0x0000000002774000-memory.dmp

Filesize
16KB

Download
memory/1140-216-0x0000000002840000-0x0000000002844000-memory.dmp

Filesize
16KB

Download
memory/1160-339-0x0000000002760000-0x0000000002764000-memory.dmp

Filesize
16KB

Download
memory/1160-125-0x0000000000000000-mapping.dmp

Download
memory/1164-318-0x00000000027C0000-0x00000000027C4000-memory.dmp

Filesize
16KB

Download
memory/1168-55-0x0000000000000000-mapping.dmp

Download
memory/1168-16-0x0000000000000000-mapping.dmp

Download
memory/1168-347-0x0000000002800000-0x0000000002804000-memory.dmp

Filesize
16KB

Download
memory/1196-103-0x0000000000000000-mapping.dmp

Download
memory/1232-63-0x0000000002940000-0x0000000002944000-memory.dmp

Filesize
16KB

Download
memory/1232-219-0x0000000002930000-0x0000000002934000-memory.dmp

Filesize
16KB

Download
memory/1232-57-0x0000000000000000-mapping.dmp

Download
memory/1236-5-0x0000000000000000-mapping.dmp

Download
memory/1284-197-0x0000000002660000-0x0000000002664000-memory.dmp

Filesize
16KB

Download
memory/1284-105-0x0000000000000000-mapping.dmp

Download
memory/1312-353-0x00000000026B0000-0x00000000026B4000-memory.dmp

Filesize
16KB

Download
memory/1388-243-0x00000000026D0000-0x00000000026D4000-memory.dmp

Filesize
16KB

Download
memory/1388-91-0x0000000000000000-mapping.dmp

Download
memory/1388-99-0x0000000002720000-0x0000000002724000-memory.dmp

Filesize
16KB

Download
memory/1404-73-0x0000000000000000-mapping.dmp

Download
memory/1432-88-0x0000000000000000-mapping.dmp

Download
memory/1440-52-0x0000000000000000-mapping.dmp

Download
memory/1468-132-0x00000000026B0000-0x00000000026B4000-memory.dmp

Filesize
16KB

Download
memory/1468-175-0x0000000002630000-0x0000000002634000-memory.dmp

Filesize
16KB

Download
memory/1496-296-0x00000000025E0000-0x00000000025E4000-memory.dmp

Filesize
16KB

Download
memory/1512-126-0x0000000000000000-mapping.dmp

Download
memory/1512-200-0x00000000025A0000-0x00000000025A4000-memory.dmp

Filesize
16KB

Download
memory/1512-28-0x0000000000000000-mapping.dmp

Download
memory/1516-61-0x0000000000000000-mapping.dmp

Download
memory/1516-279-0x00000000025C0000-0x00000000025C4000-memory.dmp

Filesize
16KB

Download
memory/1516-350-0x00000000025A0000-0x00000000025A4000-memory.dmp

Filesize
16KB

Download
memory/1580-41-0x0000000000000000-mapping.dmp

Download
memory/1580-72-0x0000000000000000-mapping.dmp

Download
memory/1600-22-0x0000000000000000-mapping.dmp

Download
memory/1604-66-0x0000000000000000-mapping.dmp

Download
memory/1608-321-0x0000000002930000-0x0000000002934000-memory.dmp

Filesize
16KB

Download
memory/1612-112-0x0000000000000000-mapping.dmp

Download
memory/1612-294-0x0000000002750000-0x0000000002754000-memory.dmp

Filesize
16KB

Download
memory/1628-25-0x0000000000000000-mapping.dmp

Download
memory/1632-23-0x0000000000000000-mapping.dmp

Download
memory/1632-86-0x0000000000000000-mapping.dmp

Download
memory/1632-138-0x00000000026B0000-0x00000000026B4000-memory.dmp

Filesize
16KB

Download
memory/1656-2-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/1656-182-0x0000000002730000-0x0000000002734000-memory.dmp

Filesize
16KB

Download
memory/1680-96-0x0000000000000000-mapping.dmp

Download
memory/1680-104-0x00000000025E0000-0x00000000025E4000-memory.dmp

Filesize
16KB

Download
memory/1680-124-0x0000000000000000-mapping.dmp

Download
memory/1692-312-0x0000000002680000-0x0000000002684000-memory.dmp

Filesize
16KB

Download
memory/1692-186-0x00000000027C0000-0x00000000027C4000-memory.dmp

Filesize
16KB

Download
memory/1692-336-0x0000000002700000-0x0000000002704000-memory.dmp

Filesize
16KB

Download
memory/1696-282-0x0000000002730000-0x0000000002734000-memory.dmp

Filesize
16KB

Download
memory/1708-120-0x0000000000000000-mapping.dmp

Download
memory/1712-228-0x00000000027F0000-0x00000000027F4000-memory.dmp

Filesize
16KB

Download
memory/1712-288-0x0000000002790000-0x0000000002794000-memory.dmp

Filesize
16KB

Download
memory/1716-87-0x0000000000000000-mapping.dmp

Download
memory/1728-20-0x0000000000000000-mapping.dmp

Download
memory/1732-18-0x0000000000000000-mapping.dmp

Download
memory/1736-260-0x00000000027C0000-0x00000000027C4000-memory.dmp

Filesize
16KB

Download
memory/1736-231-0x0000000002590000-0x0000000002594000-memory.dmp

Filesize
16KB

Download
memory/1740-48-0x0000000000000000-mapping.dmp

Download
memory/1740-269-0x0000000002720000-0x0000000002724000-memory.dmp

Filesize
16KB

Download
memory/1744-333-0x00000000026A0000-0x00000000026A4000-memory.dmp

Filesize
16KB

Download
memory/1744-69-0x0000000000000000-mapping.dmp

Download
memory/1748-122-0x00000000027C0000-0x00000000027C4000-memory.dmp

Filesize
16KB

Download
memory/1748-115-0x0000000000000000-mapping.dmp

Download
memory/1748-19-0x0000000000000000-mapping.dmp

Download
memory/1748-77-0x0000000000000000-mapping.dmp

Download
memory/1748-50-0x0000000000000000-mapping.dmp

Download
memory/1752-276-0x00000000024B0000-0x00000000024B4000-memory.dmp

Filesize
16KB

Download
memory/1752-110-0x0000000000000000-mapping.dmp

Download
memory/1752-39-0x0000000000000000-mapping.dmp

Download
memory/1752-342-0x0000000002840000-0x0000000002844000-memory.dmp

Filesize
16KB

Download
memory/1776-76-0x0000000000000000-mapping.dmp

Download
memory/1776-81-0x0000000002600000-0x0000000002604000-memory.dmp

Filesize
16KB

Download
memory/1780-15-0x0000000000000000-mapping.dmp

Download
memory/1788-53-0x0000000000000000-mapping.dmp

Download
memory/1796-90-0x0000000000000000-mapping.dmp

Download
memory/1796-47-0x0000000000000000-mapping.dmp

Download
memory/1800-239-0x0000000002780000-0x0000000002784000-memory.dmp

Filesize
16KB

Download
memory/1804-324-0x0000000002780000-0x0000000002784000-memory.dmp

Filesize
16KB

Download
memory/1808-195-0x0000000002550000-0x0000000002554000-memory.dmp

Filesize
16KB

Download
memory/1808-111-0x0000000000000000-mapping.dmp

Download
memory/1840-305-0x0000000002750000-0x0000000002754000-memory.dmp

Filesize
16KB

Download
memory/1896-291-0x00000000027F0000-0x00000000027F4000-memory.dmp

Filesize
16KB

Download
memory/1920-224-0x0000000002880000-0x0000000002884000-memory.dmp

Filesize
16KB

Download
memory/1920-33-0x0000000000000000-mapping.dmp

Download
memory/1924-30-0x0000000000000000-mapping.dmp

Download
memory/1924-40-0x0000000002850000-0x0000000002854000-memory.dmp

Filesize
16KB

Download
memory/1980-255-0x00000000028C0000-0x00000000028C4000-memory.dmp

Filesize
16KB

Download
memory/1980-248-0x00000000027C0000-0x00000000027C4000-memory.dmp

Filesize
16KB

Download
memory/1992-258-0x0000000002740000-0x0000000002744000-memory.dmp

Filesize
16KB

Download
memory/2000-37-0x0000000000000000-mapping.dmp

Download
memory/2016-151-0x0000000002640000-0x0000000002644000-memory.dmp

Filesize
16KB

Download
memory/2016-84-0x0000000000000000-mapping.dmp

Download
memory/2020-62-0x0000000000000000-mapping.dmp

Download
memory/2032-10-0x0000000000000000-mapping.dmp

Download
memory/2044-70-0x0000000000000000-mapping.dmp

Download