279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb

Analysis

max time kernel
151s
max time network
111s
platform
windows7_x64
resource
win7v20210408
submitted
11-05-2021 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Size

532KB
MD5

2146eb12d4f3329cb86bb6d297f6c157
SHA1

8ad0a576e0f8b3cc3f10d5cf75d9bb6890ded77d
SHA256

279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
SHA512

d700600c6b41f4231b93b424624292a0cd8106204b00a3c550dab67bee526686a003511508390b3ece947506ea084e9a2cf77e0c84c00edf400f8e67099f39f9

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\oCccQYEI\\jWkAYcgU.exe,"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\oCccQYEI\\jWkAYcgU.exe,"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

WQwsAUUI.exejWkAYcgU.exeXyscEIwo.exe

pid process

1156 WQwsAUUI.exe
2008 jWkAYcgU.exe
1948 XyscEIwo.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

jWkAYcgU.exe

description ioc process

File created C:\Users\Admin\Pictures\RenameSearch.png.exe jWkAYcgU.exe

pid	process
1156	WQwsAUUI.exe
2008	jWkAYcgU.exe
1948	XyscEIwo.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\RenameSearch.png.exe	jWkAYcgU.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jWkAYcgU.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International\Geo\Nation	jWkAYcgU.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1760 cmd.exe

pid	process
1760	cmd.exe

Loads dropped DLL 22 IoCs

Processes:

279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exejWkAYcgU.exe

pid	process
980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exeWQwsAUUI.exejWkAYcgU.exeXyscEIwo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WQwsAUUI.exe = "C:\\Users\\Admin\\GAgcUkcQ\\WQwsAUUI.exe"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jWkAYcgU.exe = "C:\\ProgramData\\oCccQYEI\\jWkAYcgU.exe"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WQwsAUUI.exe = "C:\\Users\\Admin\\GAgcUkcQ\\WQwsAUUI.exe"	WQwsAUUI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jWkAYcgU.exe = "C:\\ProgramData\\oCccQYEI\\jWkAYcgU.exe"	jWkAYcgU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jWkAYcgU.exe = "C:\\ProgramData\\oCccQYEI\\jWkAYcgU.exe"	XyscEIwo.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cscript.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execmd.execmd.execscript.execmd.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 2 IoCs

Processes:

XyscEIwo.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\GAgcUkcQ\WQwsAUUI	XyscEIwo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\GAgcUkcQ	XyscEIwo.exe

Drops file in Windows directory 1 IoCs

Processes:

jWkAYcgU.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico jWkAYcgU.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	jWkAYcgU.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1128	reg.exe
1344	reg.exe
1140	reg.exe
912	reg.exe
936	reg.exe
976	reg.exe
2024	reg.exe
340	reg.exe
1744	reg.exe
2016	reg.exe
1316	reg.exe
948	reg.exe
980	reg.exe
1768	reg.exe
340	reg.exe
1016	reg.exe
2040	reg.exe
1796	reg.exe
552	reg.exe
1208	reg.exe
936	reg.exe
1864	reg.exe
1796	reg.exe
1488	reg.exe
884	reg.exe
1480	reg.exe
1872	reg.exe
1564	reg.exe
2000	reg.exe
1864	reg.exe
2012	reg.exe
1636	reg.exe
980	reg.exe
1592	reg.exe
1160	reg.exe
1624	reg.exe
1588	reg.exe
1800	reg.exe
2036	reg.exe
1280	reg.exe
936	reg.exe
1612	reg.exe
1340	reg.exe
344	reg.exe
1696	reg.exe
1408	reg.exe
1316	reg.exe
884	reg.exe
1744	reg.exe
1140	reg.exe
1388	reg.exe
1016	reg.exe
1788	reg.exe
1716	reg.exe
1280	reg.exe
1388	reg.exe
1760	reg.exe
1160	reg.exe
2036	reg.exe
1268	reg.exe
520	reg.exe
768	reg.exe
1488	reg.exe
1880	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exereg.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execscript.execscript.exereg.exereg.execmd.exereg.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exereg.exereg.exereg.execonhost.execonhost.exereg.exe

pid	process
980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
748	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
748	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1616	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1616	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
816	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
816	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2012	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2012	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1140	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1140	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1608	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1608	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2044	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2044	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2036	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2036	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1588	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1588	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1872	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1872	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1092	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1092	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1340	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1340	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1408	reg.exe
1408	reg.exe
1092	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1092	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1744	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1744	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1748	cscript.exe
1748	cscript.exe
1880	cscript.exe
1880	cscript.exe
1344	reg.exe
1344	reg.exe
1316	reg.exe
1316	reg.exe
2032	cmd.exe
2032	cmd.exe
1092	reg.exe
1092	reg.exe
864	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
864	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2032	reg.exe
2032	reg.exe
1744	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1744	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1648	reg.exe
1648	reg.exe
1588	reg.exe
1588	reg.exe
1744	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1744	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1804	conhost.exe
1804	conhost.exe
1388	conhost.exe
1388	conhost.exe
884	reg.exe
884	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

jWkAYcgU.exe

pid process

2008 jWkAYcgU.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

jWkAYcgU.exe

pid	process
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe
2008	jWkAYcgU.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execmd.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execmd.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execmd.exe

description	pid	process	target process
PID 980 wrote to memory of 1156	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	WQwsAUUI.exe
PID 980 wrote to memory of 1156	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	WQwsAUUI.exe
PID 980 wrote to memory of 1156	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	WQwsAUUI.exe
PID 980 wrote to memory of 1156	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	WQwsAUUI.exe
PID 980 wrote to memory of 2008	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	jWkAYcgU.exe
PID 980 wrote to memory of 2008	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	jWkAYcgU.exe
PID 980 wrote to memory of 2008	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	jWkAYcgU.exe
PID 980 wrote to memory of 2008	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	jWkAYcgU.exe
PID 980 wrote to memory of 1480	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 980 wrote to memory of 1480	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 980 wrote to memory of 1480	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 980 wrote to memory of 1480	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 980 wrote to memory of 1636	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 980 wrote to memory of 1636	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 980 wrote to memory of 1636	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 980 wrote to memory of 1636	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 980 wrote to memory of 1208	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 980 wrote to memory of 1208	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 980 wrote to memory of 1208	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 980 wrote to memory of 1208	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 980 wrote to memory of 1744	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 980 wrote to memory of 1744	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 980 wrote to memory of 1744	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 980 wrote to memory of 1744	980	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1480 wrote to memory of 1392	1480	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 1480 wrote to memory of 1392	1480	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 1480 wrote to memory of 1392	1480	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 1480 wrote to memory of 1392	1480	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 1392 wrote to memory of 892	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1392 wrote to memory of 892	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1392 wrote to memory of 892	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1392 wrote to memory of 892	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 892 wrote to memory of 748	892	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 892 wrote to memory of 748	892	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 892 wrote to memory of 748	892	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 892 wrote to memory of 748	892	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 1392 wrote to memory of 936	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1392 wrote to memory of 936	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1392 wrote to memory of 936	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1392 wrote to memory of 936	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1392 wrote to memory of 1140	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1392 wrote to memory of 1140	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1392 wrote to memory of 1140	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1392 wrote to memory of 1140	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1392 wrote to memory of 1564	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1392 wrote to memory of 1564	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1392 wrote to memory of 1564	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1392 wrote to memory of 1564	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1392 wrote to memory of 1012	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1392 wrote to memory of 1012	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1392 wrote to memory of 1012	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1392 wrote to memory of 1012	1392	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 748 wrote to memory of 2036	748	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 748 wrote to memory of 2036	748	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 748 wrote to memory of 2036	748	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 748 wrote to memory of 2036	748	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 748 wrote to memory of 1612	748	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 748 wrote to memory of 1612	748	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 748 wrote to memory of 1612	748	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 748 wrote to memory of 1612	748	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 2036 wrote to memory of 1616	2036	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 2036 wrote to memory of 1616	2036	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 2036 wrote to memory of 1616	2036	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 2036 wrote to memory of 1616	2036	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe

System policy modification 1 TTPs 16 IoCs

evasion

Modify Registry

T1112

Processes:

cmd.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execmd.execscript.execscript.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execmd.execmd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
"C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\GAgcUkcQ\WQwsAUUI.exe
"C:\Users\Admin\GAgcUkcQ\WQwsAUUI.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1156

C:\ProgramData\oCccQYEI\jWkAYcgU.exe
"C:\ProgramData\oCccQYEI\jWkAYcgU.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
2⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
4⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
6⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
8⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:816

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
10⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
12⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
14⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
16⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
18⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
20⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
22⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1872

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
24⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
25⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
26⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
28⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
29⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
30⤵
PID:340

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
32⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
33⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
34⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
35⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
36⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
37⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
38⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
39⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
40⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
41⤵
- Checks whether UAC is enabled
- System policy modification
PID:1316

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
42⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
43⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
44⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
45⤵
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
46⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
47⤵
- Suspicious behavior: EnumeratesProcesses
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
48⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
49⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
50⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
51⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
52⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
53⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
54⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
55⤵
- Checks whether UAC is enabled
- System policy modification
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
56⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
57⤵
- Suspicious behavior: EnumeratesProcesses
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
58⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
59⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
60⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
61⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
62⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
63⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
64⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
65⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
66⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
67⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
68⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
69⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
70⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
71⤵
PID:520

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
72⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
73⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
74⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
75⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
76⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
77⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
78⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
79⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
80⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
81⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
82⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
83⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
84⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
85⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
86⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
87⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
88⤵
- Checks whether UAC is enabled
- System policy modification
PID:1160

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
89⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
90⤵
- Checks whether UAC is enabled
- System policy modification
PID:1480

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
91⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
92⤵
- Checks whether UAC is enabled
- System policy modification
PID:1092

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
93⤵
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
- Modifies registry key
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies registry key
PID:936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- Modifies registry key
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIUsMogo.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
92⤵
- Deletes itself
PID:1760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
- Checks whether UAC is enabled
- System policy modification
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oyAoYIko.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
90⤵
PID:1376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- Modifies registry key
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
- Suspicious behavior: EnumeratesProcesses
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Suspicious behavior: EnumeratesProcesses
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- Modifies registry key
PID:1280

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dIcQMgwE.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
88⤵
- Checks whether UAC is enabled
- System policy modification
PID:2044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- Modifies registry key
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hgQUoYEI.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
86⤵
PID:1640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies registry key
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZWMkMggU.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
84⤵
PID:968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- Modifies registry key
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
- Modifies registry key
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EakwsEwM.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
82⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TiEYgUUI.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
80⤵
PID:1356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NuksYEQg.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
78⤵
PID:1648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
- Checks whether UAC is enabled
- System policy modification
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EwQcgEEk.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
76⤵
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- Modifies registry key
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HIkQAwgs.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
74⤵
PID:2012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- Modifies registry key
PID:340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
- Suspicious behavior: EnumeratesProcesses
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies registry key
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JCskwIQU.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
72⤵
PID:1660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- Modifies registry key
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
- Suspicious behavior: EnumeratesProcesses
PID:1588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\neIkMYkU.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
70⤵
PID:768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- Modifies registry key
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BiAUckEU.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
68⤵
PID:1804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- Suspicious behavior: EnumeratesProcesses
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGMcMEcc.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
66⤵
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies registry key
PID:980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sKQAMAUs.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
64⤵
PID:1012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:364

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WukcAsUc.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
62⤵
PID:628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- Modifies registry key
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- Modifies registry key
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nisYQMYE.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
60⤵
PID:1640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies registry key
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UCQUUUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
58⤵
PID:384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- Modifies registry key
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogcUkEYs.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
56⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies registry key
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies registry key
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Lykcoggw.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
54⤵
PID:1268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:1488

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqIYwAcY.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
52⤵
PID:628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- Modifies registry key
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zeAMkIQk.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
50⤵
PID:948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcMwMwAU.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
48⤵
PID:844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HqsMEgYs.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
46⤵
PID:2000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\POgwccoU.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
44⤵
PID:1408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- Modifies registry key
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
- Modifies registry key
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies registry key
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcEQQksM.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
42⤵
PID:344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies registry key
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RQMMIwIA.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
40⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- Suspicious behavior: EnumeratesProcesses
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- Modifies registry key
PID:1488

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmkMEMAA.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
38⤵
PID:1708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUAgcscA.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
36⤵
PID:1840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies registry key
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYUMUwgU.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
34⤵
PID:884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- Modifies registry key
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IEgYUAos.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
32⤵
PID:936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies registry key
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies registry key
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tWIAsQUU.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
30⤵
PID:1872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EUIowgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
28⤵
PID:1776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- Modifies registry key
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LqIYsYws.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
26⤵
PID:1784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies registry key
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uesoQYos.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
24⤵
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yykMgUkI.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
22⤵
PID:1716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies registry key
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ugIkwUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
20⤵
PID:1092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- Modifies registry key
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- Modifies registry key
PID:1268

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmUkossc.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
18⤵
PID:1748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies registry key
PID:936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- Modifies registry key
PID:1128

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWEMIQYs.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
16⤵
PID:1880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies registry key
PID:340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQckkEQI.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
14⤵
PID:1696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- Modifies registry key
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jiookEck.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
12⤵
PID:884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- Modifies registry key
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgkcAAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
10⤵
PID:1872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- Modifies registry key
PID:976

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cwokoMsU.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
8⤵
PID:1796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uIEQoQgE.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
6⤵
PID:1700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies registry key
PID:936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LWwscckY.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
4⤵
PID:1012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmUAEcIc.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
2⤵
PID:364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1376

C:\ProgramData\yMkocIcs\XyscEIwo.exe
C:\ProgramData\yMkocIcs\XyscEIwo.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1982683294-1995488095-20538710351628825993141754960-77003762517573437671315786953"
1⤵
PID:2032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2129358987-1609021545-1541876499-1631855360-14269137991553503263-8968812592007264197"
1⤵
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "668833882-33036157519205198441900613346-18461590601094826625-2141428595786737625"
1⤵
PID:1864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "170755592-577718280-1863532628-1524630186-14797002111052675126-74538751-1466696706"
1⤵
PID:768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21197084911279056877-119751337884661912145723246-9969226351510287932450488300"
1⤵
PID:1776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10973015201008684500-1698804395574672572-918870766125920896119148306591602928064"
1⤵
PID:884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19944265552068276285-1312697243-13177230081512163787-639536391-998525037-193517206"
1⤵
PID:1016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "222980157-557303902267148478-181004745812672703761451603227-1920542580848570234"
1⤵
PID:1344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-143173972017918497276542042431204328178-877850089-881180867250911399-499607309"
1⤵
PID:2044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "911409964-731915913-1073042834-511280553105378861121267747532226391281040872995"
1⤵
PID:936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "937833181384831658-20338207591011762522177680454-10311645811948289658-883592207"
1⤵
PID:2000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1522243564-2119429564-138157565919442221291510766292-45827917618835522951181130694"
1⤵
PID:844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1829686638-747101462589552582-1288509241119291589773122192-10190397991025238428"
1⤵
PID:2036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1370299040-864249290598653961-548336954-2132903602496585481115717797458394045"
1⤵
PID:1000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1317893571458323234-11609407701286693985-1049283537-1755806075-2103071057-43806100"
1⤵
PID:344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20479680343378367931249092433-700418807-3384393717733902211341570242436019048"
1⤵
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-206890911-872763605-8349952851459242879-19282265561651262021390959904-736712980"
1⤵
PID:1316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1081105277-1882186894-2029067271805870548-10265229021956193400-1812334231-406678922"
1⤵
PID:1840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1393835145-848720729-13142918321314811537-1235077158235061025-929998579-1765054256"
1⤵
PID:1796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "322048729866247103356986642-1625612247469514509276159201620562030-2072897670"
1⤵
PID:1828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7190573998002670001376208657-895757614-1390558083-20038493401073570625-1842704943"
1⤵
PID:1952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-21217493531470043145-529850356-366331769-21245885635958612791592173777-1941976905"
1⤵
PID:1232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1677335943-19202025351261969696-94710801354760135-1097990361-1835848905-794049780"
1⤵
PID:900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "803478324-375714260-11184944492106950471936664054-204451042-595310785-491661896"
1⤵
PID:1012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1168844326-105720057-1562505303-4473506114589822496554479771663178507-206424416"
1⤵
PID:1636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-521874967-272592238-1714872655-1390534150-1461468212-311557313342125851-477417423"
1⤵
PID:1748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-505136121-14422203902016731233-1576083016-1762401526-757893271-1591883976-2093830518"
1⤵
PID:384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6387200821169349588-116579719950190045680671148911361502901897610970-1103245024"
1⤵
PID:1376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "59456457444672398-69572333635838532-1004509419-224417516-684321411-2014270647"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "66832184718681284321588024844-1202379217-1418043624273186241191154875-768783612"
1⤵
PID:944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1664474886-2374255771331168742-78764022525466541-1915086268-400887328542723947"
1⤵
PID:340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-148033888517533685451697292869-13229932921356927852078115414728433729-963112619"
1⤵
PID:364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15340336301943966478517528947-1757464268-1459532663110924990419367066401010574949"
1⤵
PID:1208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-139944092-1561812510933876667-514957012482771371-121214807419228528391513694422"
1⤵
PID:1408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "114999415-1922420369-721078412109185405719797417518447682041025862599-1215279495"
1⤵
PID:1748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1895963939-1627571723-1857800173-6442752581328732727777119599-572342754-1589941161"
1⤵
PID:1864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-904957384-1992334344326031620-21088573871277375229-6656187671772478350-714581713"
1⤵
PID:952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1165141342-128218293024003599417788452201789424047-1762314322858108559-523521156"
1⤵
PID:768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-467782172-1369279414-1930648157756002398165107867518913319316624057912053081925"
1⤵
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6213291601163496347-2045252643-116279755690013497242974733171939354903907404"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-519071547-18572584471076463537-2142806429202321210464430465-832771120-1150447614"
1⤵
PID:2016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2166399071272238180-1415115192228785133789384143-2407847301508100327470057654"
1⤵
PID:1268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-99688855-11058313821087129648569305692-6718269411668585173-5402765521013760648"
1⤵
PID:1892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17112073241807965247136148213915349106391197432352218714292-863430539-433766207"
1⤵
PID:1016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1211033254-2040087736-2064055982-1161703182-108572551-19179907981429932347-1475476182"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-694543691-125449015-481105926420845131-1022266584-193900149517897990871163534950"
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1957478579-15295235671911092737-8000214692045126051-20335917843853342731812567986"
1⤵
PID:1784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "65507805300625923517412711-5781048972119122193-1284136522187641791677335096"
1⤵
PID:844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "185795859520650016-1246652836-2053828152-260644323-7226024871113058209-611364875"
1⤵
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\oCccQYEI\jWkAYcgU.exe
MD5
29e3145ed7e1bcb1e15f2942cf3c0b3e

SHA1
745a6906ec975a4ff97bb7ef122c16f95cd604da

SHA256
3a83e061b741ea55ba33c577afc49615c5ba4f3b3651b9ba76e62eb0ce304aa2

SHA512
b33b241a1e85030efe5ef4e5f40eb7a87ed9ddf317034d9f1057af7e2ceac11b1bfe4e303e434b5ef4f3248794ce76a1fccb0065e846e94b761ddf44d804af1c

Download Submit
C:\ProgramData\yMkocIcs\XyscEIwo.exe
MD5
c7c8eed4ba930282d1e29db32d41ee44

SHA1
e635b98e199c57c5ead1ac1682956fa84e9663c7

SHA256
3952c50dd2b91fd70601c2a84a5af70c8a996ee18c69e17676cbb07d11967f31

SHA512
79a0e7f70fce91e4a9c32dca7ac0230f15ac484f383075566b1bd658869e3d846b89b2590012a0f832f0dd866b547ece208127e03400f32d938e111ef99d2571

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUIowgwQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LWwscckY.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LqIYsYws.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwokoMsU.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiookEck.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQckkEQI.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mWEMIQYs.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmUAEcIc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmUkossc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIEQoQgE.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uesoQYos.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugIkwUQQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgkcAAIQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yykMgUkI.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\GAgcUkcQ\WQwsAUUI.exe
MD5
15fe363831abf1b2d4177c3d02d2f3ac

SHA1
d543fea388c3374a458cc1f02d125967dc1829d2

SHA256
0aa84bddbcdfd97262d16fab60167039991945dd7fa1cf4213b807b8f79972a9

SHA512
c7de730ed48ec1c651882aabcd054a7c430b04c8d7db74f0eaabdab25448ed3d0333335f3d94d32edbb6c96e559d63a6b5f16c9ac78e972679c6fde34a0f90b7

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
MD5
e9e67cfb6c0c74912d3743176879fc44

SHA1
c6b6791a900020abf046e0950b12939d5854c988

SHA256
bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c

SHA512
9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

Download Submit
\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
MD5
e9e67cfb6c0c74912d3743176879fc44

SHA1
c6b6791a900020abf046e0950b12939d5854c988

SHA256
bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c

SHA512
9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

Download Submit
\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
MD5
caa6e1dcae648ce17bc57a5b7d383cc8

SHA1
21fd5579a3d001779e5b8b107a326393d35dff4c

SHA256
14ad34fa255132c22b234bb4d30fe6cfd231f4947cccdcbbb94eb85e67135d92

SHA512
e4a63894895d20d5e455d6e8c9e81256f56f30f35bf8b385be103114d2e20885f3692bb3ec5e51d1a3073a072da5405200e5ed4a35956684bb8b515a20273ccf

Download Submit
\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
MD5
caa6e1dcae648ce17bc57a5b7d383cc8

SHA1
21fd5579a3d001779e5b8b107a326393d35dff4c

SHA256
14ad34fa255132c22b234bb4d30fe6cfd231f4947cccdcbbb94eb85e67135d92

SHA512
e4a63894895d20d5e455d6e8c9e81256f56f30f35bf8b385be103114d2e20885f3692bb3ec5e51d1a3073a072da5405200e5ed4a35956684bb8b515a20273ccf

Download Submit
\ProgramData\oCccQYEI\jWkAYcgU.exe
MD5
29e3145ed7e1bcb1e15f2942cf3c0b3e

SHA1
745a6906ec975a4ff97bb7ef122c16f95cd604da

SHA256
3a83e061b741ea55ba33c577afc49615c5ba4f3b3651b9ba76e62eb0ce304aa2

SHA512
b33b241a1e85030efe5ef4e5f40eb7a87ed9ddf317034d9f1057af7e2ceac11b1bfe4e303e434b5ef4f3248794ce76a1fccb0065e846e94b761ddf44d804af1c

Download Submit
\ProgramData\oCccQYEI\jWkAYcgU.exe
MD5
29e3145ed7e1bcb1e15f2942cf3c0b3e

SHA1
745a6906ec975a4ff97bb7ef122c16f95cd604da

SHA256
3a83e061b741ea55ba33c577afc49615c5ba4f3b3651b9ba76e62eb0ce304aa2

SHA512
b33b241a1e85030efe5ef4e5f40eb7a87ed9ddf317034d9f1057af7e2ceac11b1bfe4e303e434b5ef4f3248794ce76a1fccb0065e846e94b761ddf44d804af1c

Download Submit
\Users\Admin\GAgcUkcQ\WQwsAUUI.exe
MD5
15fe363831abf1b2d4177c3d02d2f3ac

SHA1
d543fea388c3374a458cc1f02d125967dc1829d2

SHA256
0aa84bddbcdfd97262d16fab60167039991945dd7fa1cf4213b807b8f79972a9

SHA512
c7de730ed48ec1c651882aabcd054a7c430b04c8d7db74f0eaabdab25448ed3d0333335f3d94d32edbb6c96e559d63a6b5f16c9ac78e972679c6fde34a0f90b7

Download Submit
\Users\Admin\GAgcUkcQ\WQwsAUUI.exe
MD5
15fe363831abf1b2d4177c3d02d2f3ac

SHA1
d543fea388c3374a458cc1f02d125967dc1829d2

SHA256
0aa84bddbcdfd97262d16fab60167039991945dd7fa1cf4213b807b8f79972a9

SHA512
c7de730ed48ec1c651882aabcd054a7c430b04c8d7db74f0eaabdab25448ed3d0333335f3d94d32edbb6c96e559d63a6b5f16c9ac78e972679c6fde34a0f90b7

Download Submit
memory/340-112-0x0000000000000000-mapping.dmp

Download
memory/340-158-0x0000000000000000-mapping.dmp

Download
memory/344-129-0x0000000000000000-mapping.dmp

Download
memory/364-135-0x0000000000000000-mapping.dmp

Download
memory/600-118-0x0000000000000000-mapping.dmp

Download
memory/748-81-0x0000000000000000-mapping.dmp

Download
memory/816-101-0x0000000000000000-mapping.dmp

Download
memory/864-104-0x0000000000000000-mapping.dmp

Download
memory/884-134-0x0000000000000000-mapping.dmp

Download
memory/892-80-0x0000000000000000-mapping.dmp

Download
memory/936-83-0x0000000000000000-mapping.dmp

Download
memory/936-169-0x0000000000000000-mapping.dmp

Download
memory/948-166-0x0000000000000000-mapping.dmp

Download
memory/976-107-0x0000000000000000-mapping.dmp

Download
memory/980-60-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1012-86-0x0000000000000000-mapping.dmp

Download
memory/1012-175-0x0000000000000000-mapping.dmp

Download
memory/1032-130-0x0000000000000000-mapping.dmp

Download
memory/1128-171-0x0000000000000000-mapping.dmp

Download
memory/1140-84-0x0000000000000000-mapping.dmp

Download
memory/1140-180-0x0000000000000000-mapping.dmp

Download
memory/1140-133-0x0000000000000000-mapping.dmp

Download
memory/1156-63-0x0000000000000000-mapping.dmp

Download
memory/1160-121-0x0000000000000000-mapping.dmp

Download
memory/1208-75-0x0000000000000000-mapping.dmp

Download
memory/1268-183-0x0000000000000000-mapping.dmp

Download
memory/1376-145-0x0000000000000000-mapping.dmp

Download
memory/1392-77-0x0000000000000000-mapping.dmp

Download
memory/1480-73-0x0000000000000000-mapping.dmp

Download
memory/1564-85-0x0000000000000000-mapping.dmp

Download
memory/1592-177-0x0000000000000000-mapping.dmp

Download
memory/1608-156-0x0000000000000000-mapping.dmp

Download
memory/1612-90-0x0000000000000000-mapping.dmp

Download
memory/1612-124-0x0000000000000000-mapping.dmp

Download
memory/1616-91-0x0000000000000000-mapping.dmp

Download
memory/1624-142-0x0000000000000000-mapping.dmp

Download
memory/1636-74-0x0000000000000000-mapping.dmp

Download
memory/1660-155-0x0000000000000000-mapping.dmp

Download
memory/1696-162-0x0000000000000000-mapping.dmp

Download
memory/1700-96-0x0000000000000000-mapping.dmp

Download
memory/1708-159-0x0000000000000000-mapping.dmp

Download
memory/1708-98-0x0000000000000000-mapping.dmp

Download
memory/1744-76-0x0000000000000000-mapping.dmp

Download
memory/1744-170-0x0000000000000000-mapping.dmp

Download
memory/1748-184-0x0000000000000000-mapping.dmp

Download
memory/1756-120-0x0000000000000000-mapping.dmp

Download
memory/1760-181-0x0000000000000000-mapping.dmp

Download
memory/1760-92-0x0000000000000000-mapping.dmp

Download
memory/1768-131-0x0000000000000000-mapping.dmp

Download
memory/1776-164-0x0000000000000000-mapping.dmp

Download
memory/1796-109-0x0000000000000000-mapping.dmp

Download
memory/1872-122-0x0000000000000000-mapping.dmp

Download
memory/1880-114-0x0000000000000000-mapping.dmp

Download
memory/1880-173-0x0000000000000000-mapping.dmp

Download
memory/1912-102-0x0000000000000000-mapping.dmp

Download
memory/2000-93-0x0000000000000000-mapping.dmp

Download
memory/2004-94-0x0000000000000000-mapping.dmp

Download
memory/2008-68-0x0000000000000000-mapping.dmp

Download
memory/2012-115-0x0000000000000000-mapping.dmp

Download
memory/2020-132-0x0000000000000000-mapping.dmp

Download
memory/2032-105-0x0000000000000000-mapping.dmp

Download
memory/2036-88-0x0000000000000000-mapping.dmp

Download
memory/2036-182-0x0000000000000000-mapping.dmp

Download
memory/2036-160-0x0000000000000000-mapping.dmp

Download
memory/2044-167-0x0000000000000000-mapping.dmp

Download