002dafd16a8e118d9f2e5e48f6d212a3b68407aed511147fd85ad97ac3502cd8

Analysis

max time kernel
151s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
24-02-2021 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample31.exe
Size

532KB
MD5

ec85dd4cc9423d9b2c4b006d597739cb
SHA1

49e68aeaa48bac451f082bd1bd1c7c52d1f17f61
SHA256

002dafd16a8e118d9f2e5e48f6d212a3b68407aed511147fd85ad97ac3502cd8
SHA512

3e5e9ee7a5fb22d0aa90a8610ba74cda38aee60a909e5aea37673001238601f99b3ec0fbbcd4569417f2c11560f82f894950ebe68f00ed2740175156717569b8

Score

10^/10

evasion persistence spyware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

sample31.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\oqogAkUw\\DKUQQAIY.exe,"	sample31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\oqogAkUw\\DKUQQAIY.exe,"	sample31.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

gKsscwIc.exeDKUQQAIY.exeZqoEQQoE.exe

pid process

1704 gKsscwIc.exe
3848 DKUQQAIY.exe
3920 ZqoEQQoE.exe

pid	process
1704	gKsscwIc.exe
3848	DKUQQAIY.exe
3920	ZqoEQQoE.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DKUQQAIY.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	DKUQQAIY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sample31.exegKsscwIc.exeDKUQQAIY.exeZqoEQQoE.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\gKsscwIc.exe = "C:\\Users\\Admin\\CQYkwcIg\\gKsscwIc.exe"	sample31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DKUQQAIY.exe = "C:\\ProgramData\\oqogAkUw\\DKUQQAIY.exe"	sample31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\gKsscwIc.exe = "C:\\Users\\Admin\\CQYkwcIg\\gKsscwIc.exe"	gKsscwIc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DKUQQAIY.exe = "C:\\ProgramData\\oqogAkUw\\DKUQQAIY.exe"	DKUQQAIY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DKUQQAIY.exe = "C:\\ProgramData\\oqogAkUw\\DKUQQAIY.exe"	ZqoEQQoE.exe

Drops file in System32 directory 9 IoCs

Processes:

ZqoEQQoE.exeDKUQQAIY.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\CQYkwcIg	ZqoEQQoE.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	DKUQQAIY.exe
File opened for modification	C:\Windows\SysWOW64\sheGrantAssert.rar	DKUQQAIY.exe
File opened for modification	C:\Windows\SysWOW64\sheInitializeConfirm.pptm	DKUQQAIY.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\CQYkwcIg\gKsscwIc	ZqoEQQoE.exe
File opened for modification	C:\Windows\SysWOW64\sheSearchResolve.mpg	DKUQQAIY.exe
File opened for modification	C:\Windows\SysWOW64\sheSetSubmit.xlsb	DKUQQAIY.exe
File opened for modification	C:\Windows\SysWOW64\sheSkipRedo.jpeg	DKUQQAIY.exe
File opened for modification	C:\Windows\SysWOW64\sheUnlockSave.mp3	DKUQQAIY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4688	reg.exe
5716	reg.exe
4616	reg.exe
3584	reg.exe
388	reg.exe
5712	reg.exe
4712	reg.exe
5096	reg.exe
3984	reg.exe
5968	reg.exe
1016	reg.exe
2116	reg.exe
4844	reg.exe
5472	reg.exe
5044	reg.exe
4388	reg.exe
4672	reg.exe
4268	reg.exe
3672	reg.exe
5980	reg.exe
4704	reg.exe
348	reg.exe
4336	reg.exe
5224	reg.exe
3552	reg.exe
4548	reg.exe
3032	reg.exe
2248	reg.exe
4464	reg.exe
5000	reg.exe
1968	reg.exe
5420	reg.exe
5216	reg.exe
4116	reg.exe
5692	reg.exe
1836	reg.exe
4088	reg.exe
5188	reg.exe
2220	reg.exe
3028	reg.exe
4580	reg.exe
5564	reg.exe
5848	reg.exe
4796	reg.exe
4640	reg.exe
5544	reg.exe
5056	reg.exe
4944	reg.exe
4256	reg.exe
6052	reg.exe
4052	reg.exe
4848	reg.exe
4272	reg.exe
5484	reg.exe
5468	reg.exe
5364	reg.exe
4776	reg.exe
5108	reg.exe
4112	reg.exe
4276	reg.exe
5316	reg.exe
4904	reg.exe
4828	reg.exe
4516	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sample31.exesample31.exesample31.exesample31.exesample31.exesample31.exesample31.exesample31.exesample31.exesample31.exesample31.exesample31.exesample31.exesample31.exesample31.exesample31.exe

pid	process
644	sample31.exe
644	sample31.exe
644	sample31.exe
644	sample31.exe
3472	sample31.exe
3472	sample31.exe
3472	sample31.exe
3472	sample31.exe
2196	sample31.exe
2196	sample31.exe
2196	sample31.exe
2196	sample31.exe
3456	sample31.exe
3456	sample31.exe
3456	sample31.exe
3456	sample31.exe
2152	sample31.exe
2152	sample31.exe
2152	sample31.exe
2152	sample31.exe
584	sample31.exe
584	sample31.exe
584	sample31.exe
584	sample31.exe
3824	sample31.exe
3824	sample31.exe
3824	sample31.exe
3824	sample31.exe
1372	sample31.exe
1372	sample31.exe
1372	sample31.exe
1372	sample31.exe
4144	sample31.exe
4144	sample31.exe
4144	sample31.exe
4144	sample31.exe
4248	sample31.exe
4248	sample31.exe
4248	sample31.exe
4248	sample31.exe
4696	sample31.exe
4696	sample31.exe
4696	sample31.exe
4696	sample31.exe
4960	sample31.exe
4960	sample31.exe
4960	sample31.exe
4960	sample31.exe
3524	sample31.exe
3524	sample31.exe
3524	sample31.exe
3524	sample31.exe
4420	sample31.exe
4420	sample31.exe
4420	sample31.exe
4420	sample31.exe
4560	sample31.exe
4560	sample31.exe
4560	sample31.exe
4560	sample31.exe
4504	sample31.exe
4504	sample31.exe
4504	sample31.exe
4504	sample31.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DKUQQAIY.exe

pid process

3848 DKUQQAIY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

DKUQQAIY.exe

pid	process
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe
3848	DKUQQAIY.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sample31.execmd.exesample31.execmd.exesample31.execmd.execmd.execmd.exesample31.exe

description	pid	process	target process
PID 644 wrote to memory of 1704	644	sample31.exe	gKsscwIc.exe
PID 644 wrote to memory of 1704	644	sample31.exe	gKsscwIc.exe
PID 644 wrote to memory of 1704	644	sample31.exe	gKsscwIc.exe
PID 644 wrote to memory of 3848	644	sample31.exe	DKUQQAIY.exe
PID 644 wrote to memory of 3848	644	sample31.exe	DKUQQAIY.exe
PID 644 wrote to memory of 3848	644	sample31.exe	DKUQQAIY.exe
PID 644 wrote to memory of 184	644	sample31.exe	cmd.exe
PID 644 wrote to memory of 184	644	sample31.exe	cmd.exe
PID 644 wrote to memory of 184	644	sample31.exe	cmd.exe
PID 644 wrote to memory of 2368	644	sample31.exe	reg.exe
PID 644 wrote to memory of 2368	644	sample31.exe	reg.exe
PID 644 wrote to memory of 2368	644	sample31.exe	reg.exe
PID 644 wrote to memory of 2220	644	sample31.exe	reg.exe
PID 644 wrote to memory of 2220	644	sample31.exe	reg.exe
PID 644 wrote to memory of 2220	644	sample31.exe	reg.exe
PID 644 wrote to memory of 760	644	sample31.exe	reg.exe
PID 644 wrote to memory of 760	644	sample31.exe	reg.exe
PID 644 wrote to memory of 760	644	sample31.exe	reg.exe
PID 184 wrote to memory of 3472	184	cmd.exe	sample31.exe
PID 184 wrote to memory of 3472	184	cmd.exe	sample31.exe
PID 184 wrote to memory of 3472	184	cmd.exe	sample31.exe
PID 3472 wrote to memory of 2236	3472	sample31.exe	cmd.exe
PID 3472 wrote to memory of 2236	3472	sample31.exe	cmd.exe
PID 3472 wrote to memory of 2236	3472	sample31.exe	cmd.exe
PID 2236 wrote to memory of 2196	2236	cmd.exe	sample31.exe
PID 2236 wrote to memory of 2196	2236	cmd.exe	sample31.exe
PID 2236 wrote to memory of 2196	2236	cmd.exe	sample31.exe
PID 3472 wrote to memory of 3812	3472	sample31.exe	reg.exe
PID 3472 wrote to memory of 3812	3472	sample31.exe	reg.exe
PID 3472 wrote to memory of 3812	3472	sample31.exe	reg.exe
PID 3472 wrote to memory of 3704	3472	sample31.exe	reg.exe
PID 3472 wrote to memory of 3704	3472	sample31.exe	reg.exe
PID 3472 wrote to memory of 3704	3472	sample31.exe	reg.exe
PID 3472 wrote to memory of 3860	3472	sample31.exe	reg.exe
PID 3472 wrote to memory of 3860	3472	sample31.exe	reg.exe
PID 3472 wrote to memory of 3860	3472	sample31.exe	reg.exe
PID 3472 wrote to memory of 3956	3472	sample31.exe	cmd.exe
PID 3472 wrote to memory of 3956	3472	sample31.exe	cmd.exe
PID 3472 wrote to memory of 3956	3472	sample31.exe	cmd.exe
PID 2196 wrote to memory of 2268	2196	sample31.exe	cmd.exe
PID 2196 wrote to memory of 2268	2196	sample31.exe	cmd.exe
PID 2196 wrote to memory of 2268	2196	sample31.exe	cmd.exe
PID 2196 wrote to memory of 2100	2196	sample31.exe	reg.exe
PID 2196 wrote to memory of 2100	2196	sample31.exe	reg.exe
PID 2196 wrote to memory of 2100	2196	sample31.exe	reg.exe
PID 2196 wrote to memory of 580	2196	sample31.exe	reg.exe
PID 2196 wrote to memory of 580	2196	sample31.exe	reg.exe
PID 2196 wrote to memory of 580	2196	sample31.exe	reg.exe
PID 2196 wrote to memory of 748	2196	sample31.exe	reg.exe
PID 2196 wrote to memory of 748	2196	sample31.exe	reg.exe
PID 2196 wrote to memory of 748	2196	sample31.exe	reg.exe
PID 3956 wrote to memory of 1424	3956	cmd.exe	cscript.exe
PID 3956 wrote to memory of 1424	3956	cmd.exe	cscript.exe
PID 3956 wrote to memory of 1424	3956	cmd.exe	cscript.exe
PID 2196 wrote to memory of 1188	2196	sample31.exe	cmd.exe
PID 2196 wrote to memory of 1188	2196	sample31.exe	cmd.exe
PID 2196 wrote to memory of 1188	2196	sample31.exe	cmd.exe
PID 2268 wrote to memory of 3456	2268	cmd.exe	sample31.exe
PID 2268 wrote to memory of 3456	2268	cmd.exe	sample31.exe
PID 2268 wrote to memory of 3456	2268	cmd.exe	sample31.exe
PID 1188 wrote to memory of 3876	1188	cmd.exe	cscript.exe
PID 1188 wrote to memory of 3876	1188	cmd.exe	cscript.exe
PID 1188 wrote to memory of 3876	1188	cmd.exe	cscript.exe
PID 3456 wrote to memory of 3184	3456	sample31.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\sample31.exe
"C:\Users\Admin\AppData\Local\Temp\sample31.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\CQYkwcIg\gKsscwIc.exe
"C:\Users\Admin\CQYkwcIg\gKsscwIc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1704

C:\ProgramData\oqogAkUw\DKUQQAIY.exe
"C:\ProgramData\oqogAkUw\DKUQQAIY.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
2⤵
- Suspicious use of WriteProcessMemory
PID:184

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
4⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
6⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
8⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
10⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
12⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
14⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
16⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
18⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
20⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
22⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
24⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
26⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
28⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
30⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
32⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
33⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
34⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
35⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
36⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
37⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
38⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
39⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
40⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
41⤵
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
42⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
43⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
44⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
45⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
46⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
47⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
48⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
49⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOMQsUck.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
48⤵
PID:4204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:3964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:4196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKUkkEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
46⤵
PID:4264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IiwkYscg.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
44⤵
PID:752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiQwIwQc.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
42⤵
PID:4360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QewIAAsA.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
40⤵
PID:5032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- Modifies registry key
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies registry key
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies registry key
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQwYYEMA.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
38⤵
PID:4864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:4904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqgkYUEs.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
36⤵
PID:4356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOAwIUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
34⤵
PID:2452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:3356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies registry key
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acEUYgwg.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
32⤵
PID:5016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meIcMsAE.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
30⤵
PID:3084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JskUQAgc.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
28⤵
PID:4636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggcUkIgU.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
26⤵
PID:4208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:4180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies registry key
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OScIAoUw.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
24⤵
PID:5072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEYQYEIo.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
22⤵
PID:4812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAMUgEQM.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
20⤵
PID:4536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies registry key
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcMwkcgw.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
18⤵
PID:4344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:3412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- Modifies registry key
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEIksYQQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
16⤵
PID:3144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:3872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGQEksMA.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
14⤵
PID:3948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies registry key
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- Modifies registry key
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jigssUgE.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
12⤵
PID:1528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies registry key
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faoUIooc.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
10⤵
PID:2164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qusEocQM.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
8⤵
PID:3152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYswskQg.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
6⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:3812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkwAMMow.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOMYgccs.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
2⤵
PID:4800

C:\ProgramData\UUUcIMAg\ZqoEQQoE.exe
C:\ProgramData\UUUcIMAg\ZqoEQQoE.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
1⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
2⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
3⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
4⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
5⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
6⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
7⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
8⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
9⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
10⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
11⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
12⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
13⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
14⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
15⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
16⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
17⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
18⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
19⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
20⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
21⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
22⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
23⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
24⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
25⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
26⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
27⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
28⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
29⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
30⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
31⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
32⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
33⤵
PID:204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
34⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
35⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
36⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
37⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
38⤵
PID:5176

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
39⤵
PID:5208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
40⤵
PID:5400

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
41⤵
PID:5444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
42⤵
PID:5652

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
43⤵
PID:5696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
44⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
45⤵
PID:5940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
46⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
47⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
48⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
49⤵
PID:5376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
50⤵
PID:5524

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
51⤵
PID:5640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
52⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
53⤵
PID:5496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
54⤵
PID:6120

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
55⤵
PID:5944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
56⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
57⤵
PID:5344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
58⤵
PID:5204

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
59⤵
PID:5752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
60⤵
PID:5904

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
61⤵
PID:6116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
62⤵
PID:5924

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
63⤵
PID:5264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
64⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
65⤵
PID:5156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
66⤵
PID:5480

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
67⤵
PID:6084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
68⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
69⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
70⤵
PID:5580

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
71⤵
PID:6044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
72⤵
PID:5428

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
73⤵
PID:5676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
74⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
75⤵
PID:5456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
76⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
77⤵
PID:5728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
78⤵
PID:5612

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
79⤵
PID:5324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
80⤵
PID:6092

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
81⤵
PID:6020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
82⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
83⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:5920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:5772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSAEcAMg.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
82⤵
PID:5228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:5220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- Modifies registry key
PID:5364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:5488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsMQYMks.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
80⤵
PID:4892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- Modifies registry key
PID:5848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:5472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:5388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:5396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuAgwAwc.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
78⤵
PID:5616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:5432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
- Modifies registry key
PID:5980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:5160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:5620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOIksEYE.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
76⤵
PID:5824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:5588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:5184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmQcUIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
74⤵
PID:5852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:6036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:5348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:5172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:5916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMggMAQE.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
72⤵
PID:5380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:5212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:5844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
- Modifies registry key
PID:5420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:5304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:5756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:5856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgMoIgMo.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
70⤵
PID:5684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwYEksEM.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
68⤵
PID:2544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:6012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- Modifies registry key
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:5216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:6008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VosckEMY.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
66⤵
PID:6128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:5928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- Modifies registry key
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:5840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies registry key
PID:5712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgcgwAcE.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
64⤵
PID:5372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:5520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- Modifies registry key
PID:5544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:5808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:5688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEsYcUog.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
62⤵
PID:5140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:5292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:5888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:6068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:5996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgIIQwIg.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
60⤵
PID:5628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:5896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- Modifies registry key
PID:5692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:6052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies registry key
PID:5564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gacgQMgI.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
58⤵
PID:5668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:6080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:5452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:5720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:5828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WocMAEMs.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
56⤵
PID:5532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:5196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:5512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:5356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:5352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEsYgQws.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
54⤵
PID:588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:5260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:5188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYIgMsss.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
52⤵
PID:6000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:5804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:5700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:5912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:5556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:5180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:5200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UeMkcwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
50⤵
PID:5192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:5868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:5516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:5332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:5316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:5340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsYosMMM.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
48⤵
PID:5288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:5584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwwYUoos.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
46⤵
PID:4620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAgYIwUI.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
44⤵
PID:5976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:6124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- Modifies registry key
PID:5968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:5960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:5952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeYYsMME.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
42⤵
PID:5732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:5880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:5724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
- Modifies registry key
PID:5716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:5704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqoUsMMI.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
40⤵
PID:5492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:5636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- Modifies registry key
PID:5484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:5476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies registry key
PID:5468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwQQosII.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
38⤵
PID:5248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:5392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:5240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:5232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies registry key
PID:5224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQQsggwA.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
36⤵
PID:4940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:5148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies registry key
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEUQssQg.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
34⤵
PID:4076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- Modifies registry key
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQIoggUw.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
32⤵
PID:4900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- Modifies registry key
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- Modifies registry key
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMMYsAUs.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
30⤵
PID:4968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iegkoIEc.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
28⤵
PID:4160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGgYEYIs.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
26⤵
PID:4404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies registry key
PID:4276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- Modifies registry key
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HscYUoMY.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
24⤵
PID:4628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies registry key
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:4112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- Modifies registry key
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIgosEUg.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
22⤵
PID:500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqAwcwws.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
20⤵
PID:4348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- Modifies registry key
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMkIoEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
18⤵
PID:5060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- Modifies registry key
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssEIEYYI.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
16⤵
PID:1520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwgMocww.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
14⤵
PID:4392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies registry key
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies registry key
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUoMEAkA.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
12⤵
PID:3996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGwgQAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
10⤵
PID:4176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqMooQEA.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
8⤵
PID:4200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:4164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies registry key
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEkMgook.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
6⤵
PID:4544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYkQYkwM.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
4⤵
PID:3928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSkIYUkM.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
2⤵
PID:864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:4284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcIQAwoI.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
1⤵
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
1⤵
PID:4216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmEUowQA.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
1⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
1⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
1⤵
PID:3220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
1⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGEgYAMk.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
1⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
1⤵
PID:4108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuEUIQEA.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
1⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:424

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
1⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
1⤵
PID:4772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\sample31.exe
C:\Users\Admin\AppData\Local\Temp\sample31
1⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUowkMQo.bat" "C:\Users\Admin\AppData\Local\Temp\sample31.exe""
1⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample31"
1⤵
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UUUcIMAg\ZqoEQQoE.exe
MD5
6566a0053281f027ce2b532d82dff05a

SHA1
749cf3d0f986bd85a3b8cd32c7afc315cf3c7e4c

SHA256
e60b242bd554403a58ca41d7229f5f669849124d8e5d20cf2b91d578f5fc6876

SHA512
8d88d098e21fb0dd3e0f2ae6fe6be77d2cde5ca3b4486571e01c18691176d0bf01cdb36ba96e229f3b2be08d4b6b75a3a77b40475172c91345e0c7b7d6131e47

Download Submit
C:\ProgramData\UUUcIMAg\ZqoEQQoE.exe
MD5
6566a0053281f027ce2b532d82dff05a

SHA1
749cf3d0f986bd85a3b8cd32c7afc315cf3c7e4c

SHA256
e60b242bd554403a58ca41d7229f5f669849124d8e5d20cf2b91d578f5fc6876

SHA512
8d88d098e21fb0dd3e0f2ae6fe6be77d2cde5ca3b4486571e01c18691176d0bf01cdb36ba96e229f3b2be08d4b6b75a3a77b40475172c91345e0c7b7d6131e47

Download Submit
C:\ProgramData\oqogAkUw\DKUQQAIY.exe
MD5
078ad6e9cb68d6830853fae4595de884

SHA1
420b512b9a2e5c9a53dd95555b907b78baff89c2

SHA256
5866a8078d211a742def1d8f5a9e0f31ffaeef972500871e883a1c2ebfdaf24f

SHA512
3215e03b9b33cc17c0e54b85db58104958f7aca345a487746d2c5a2dac244612d1c88f99ebcd39f667330edfdfd36730983501bd066196b1d0a8d022a39ef52c

Download Submit
C:\ProgramData\oqogAkUw\DKUQQAIY.exe
MD5
078ad6e9cb68d6830853fae4595de884

SHA1
420b512b9a2e5c9a53dd95555b907b78baff89c2

SHA256
5866a8078d211a742def1d8f5a9e0f31ffaeef972500871e883a1c2ebfdaf24f

SHA512
3215e03b9b33cc17c0e54b85db58104958f7aca345a487746d2c5a2dac244612d1c88f99ebcd39f667330edfdfd36730983501bd066196b1d0a8d022a39ef52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQwYYEMA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEIksYQQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcMwkcgw.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JskUQAgc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LqgkYUEs.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkwAMMow.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OScIAoUw.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEYQYEIo.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QewIAAsA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SiQwIwQc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGQEksMA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZOAwIUUQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYswskQg.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\acEUYgwg.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\faoUIooc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggcUkIgU.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\jigssUgE.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\meIcMsAE.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qusEocQM.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample31
MD5
477256402c581beed8f9aef56cebfb0a

SHA1
af541187d2a0baaeb1329c6234c6007c5ef322f4

SHA256
fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b

SHA512
c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAMUgEQM.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\CQYkwcIg\gKsscwIc.exe
MD5
871134565b1fa6dc4a65558edc64457e

SHA1
abaede39241d9ed5b2d473f0acf96e067b52e8a7

SHA256
7eced2a7c5dd39b41a1291b361bc628a3c496f81f9fd6da6f4b18480437824ff

SHA512
36e9dca6685b7fb98359ebaba11522045f5fa8750a7fd477684ce188ffdd3067ca046e88b5d3917417bf4f09e649ffc6a85645e80871f3bf0c87f82a16db0795

Download Submit
C:\Users\Admin\CQYkwcIg\gKsscwIc.exe
MD5
871134565b1fa6dc4a65558edc64457e

SHA1
abaede39241d9ed5b2d473f0acf96e067b52e8a7

SHA256
7eced2a7c5dd39b41a1291b361bc628a3c496f81f9fd6da6f4b18480437824ff

SHA512
36e9dca6685b7fb98359ebaba11522045f5fa8750a7fd477684ce188ffdd3067ca046e88b5d3917417bf4f09e649ffc6a85645e80871f3bf0c87f82a16db0795

Download Submit
memory/184-10-0x0000000000000000-mapping.dmp

Download
memory/580-26-0x0000000000000000-mapping.dmp

Download
memory/584-47-0x0000000000000000-mapping.dmp

Download
memory/676-37-0x0000000000000000-mapping.dmp

Download
memory/744-39-0x0000000000000000-mapping.dmp

Download
memory/748-27-0x0000000000000000-mapping.dmp

Download
memory/756-53-0x0000000000000000-mapping.dmp

Download
memory/760-13-0x0000000000000000-mapping.dmp

Download
memory/912-38-0x0000000000000000-mapping.dmp

Download
memory/948-63-0x0000000000000000-mapping.dmp

Download
memory/1188-29-0x0000000000000000-mapping.dmp

Download
memory/1208-75-0x0000000000000000-mapping.dmp

Download
memory/1372-67-0x0000000000000000-mapping.dmp

Download
memory/1424-28-0x0000000000000000-mapping.dmp

Download
memory/1528-57-0x0000000000000000-mapping.dmp

Download
memory/1704-2-0x0000000000000000-mapping.dmp

Download
memory/2100-25-0x0000000000000000-mapping.dmp

Download
memory/2116-78-0x0000000000000000-mapping.dmp

Download
memory/2148-73-0x0000000000000000-mapping.dmp

Download
memory/2152-41-0x0000000000000000-mapping.dmp

Download
memory/2164-51-0x0000000000000000-mapping.dmp

Download
memory/2196-17-0x0000000000000000-mapping.dmp

Download
memory/2208-77-0x0000000000000000-mapping.dmp

Download
memory/2220-12-0x0000000000000000-mapping.dmp

Download
memory/2236-16-0x0000000000000000-mapping.dmp

Download
memory/2248-56-0x0000000000000000-mapping.dmp

Download
memory/2260-59-0x0000000000000000-mapping.dmp

Download
memory/2268-23-0x0000000000000000-mapping.dmp

Download
memory/2368-11-0x0000000000000000-mapping.dmp

Download
memory/2844-50-0x0000000000000000-mapping.dmp

Download
memory/2868-49-0x0000000000000000-mapping.dmp

Download
memory/3028-54-0x0000000000000000-mapping.dmp

Download
memory/3032-48-0x0000000000000000-mapping.dmp

Download
memory/3144-79-0x0000000000000000-mapping.dmp

Download
memory/3152-40-0x0000000000000000-mapping.dmp

Download
memory/3156-43-0x0000000000000000-mapping.dmp

Download
memory/3184-35-0x0000000000000000-mapping.dmp

Download
memory/3412-76-0x0000000000000000-mapping.dmp

Download
memory/3456-30-0x0000000000000000-mapping.dmp

Download
memory/3468-46-0x0000000000000000-mapping.dmp

Download
memory/3472-14-0x0000000000000000-mapping.dmp

Download
memory/3556-69-0x0000000000000000-mapping.dmp

Download
memory/3704-19-0x0000000000000000-mapping.dmp

Download
memory/3812-18-0x0000000000000000-mapping.dmp

Download
memory/3824-60-0x0000000000000000-mapping.dmp

Download
memory/3848-5-0x0000000000000000-mapping.dmp

Download
memory/3860-20-0x0000000000000000-mapping.dmp

Download
memory/3872-70-0x0000000000000000-mapping.dmp

Download
memory/3876-33-0x0000000000000000-mapping.dmp

Download
memory/3944-66-0x0000000000000000-mapping.dmp

Download
memory/3948-71-0x0000000000000000-mapping.dmp

Download
memory/3956-21-0x0000000000000000-mapping.dmp

Download
memory/3972-68-0x0000000000000000-mapping.dmp

Download
memory/4052-55-0x0000000000000000-mapping.dmp

Download
memory/4144-81-0x0000000000000000-mapping.dmp

Download
memory/4172-83-0x0000000000000000-mapping.dmp

Download
memory/4212-86-0x0000000000000000-mapping.dmp

Download
memory/4248-87-0x0000000000000000-mapping.dmp

Download
memory/4268-88-0x0000000000000000-mapping.dmp

Download
memory/4280-89-0x0000000000000000-mapping.dmp

Download
memory/4300-90-0x0000000000000000-mapping.dmp

Download
memory/4344-91-0x0000000000000000-mapping.dmp

Download
memory/4452-93-0x0000000000000000-mapping.dmp

Download
memory/4472-95-0x0000000000000000-mapping.dmp

Download