d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Analysis

max time kernel
200s
max time network
189s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
Size

437KB
MD5

a269c24d11b1fd737217af0ea28aeff0
SHA1

d09cbac123cffd29a08ff5bccd0cf44d3a66f07d
SHA256

d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
SHA512

f1673d9a6239c82a962af87d66f614a151449ea0695fce3b418be4f4c4c2cc1d000262865eab5680d1d72dc1b9198fea5e8f3eef3e24f956988b277cba081b56
SSDEEP

6144:zRy8sqRW/HtLSeuKDgGeMeFLbJukfa3WFH9wLiUEsRWjOhXET3R/xiMBOSeGUw60:5sq4/HheigxMeF3UWp9wJEB3HcSeo

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 44 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 44 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1380	ImoAMwAU.exe
1156	DmgsIMMo.exe
1508	gKkYgYIg.exe

Loads dropped DLL 22 IoCs

pid	Process
1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe
1156	DmgsIMMo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ImoAMwAU.exe = "C:\\Users\\Admin\\SYIswIcQ\\ImoAMwAU.exe"	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DmgsIMMo.exe = "C:\\ProgramData\\RmggIUcw\\DmgsIMMo.exe"	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ImoAMwAU.exe = "C:\\Users\\Admin\\SYIswIcQ\\ImoAMwAU.exe"	ImoAMwAU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DmgsIMMo.exe = "C:\\ProgramData\\RmggIUcw\\DmgsIMMo.exe"	DmgsIMMo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DmgsIMMo.exe = "C:\\ProgramData\\RmggIUcw\\DmgsIMMo.exe"	gKkYgYIg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\TgQsgwcw.exe = "C:\\Users\\Admin\\tEsgAsks\\TgQsgwcw.exe"	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dSgscskg.exe = "C:\\ProgramData\\MCsIkQYc\\dSgscskg.exe"	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\SYIswIcQ	gKkYgYIg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\SYIswIcQ\ImoAMwAU	gKkYgYIg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
316	904	WerFault.exe	169
1068	1552	WerFault.exe	168
1148	1740	WerFault.exe	175

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
560	reg.exe
1840	reg.exe
324	reg.exe
856	reg.exe
1000	reg.exe
324	reg.exe
1180	reg.exe
780	reg.exe
2500	reg.exe
1596	reg.exe
2124	reg.exe
2624	reg.exe
2056	reg.exe
1452	reg.exe
576	reg.exe
852	reg.exe
1912	reg.exe
324	reg.exe
1484	reg.exe
2980	reg.exe
1920	reg.exe
680	reg.exe
1552	reg.exe
276	reg.exe
1176	reg.exe
860	reg.exe
1456	reg.exe
3032	reg.exe
328	reg.exe
1816	reg.exe
1208	reg.exe
1572	reg.exe
2516	reg.exe
2988	reg.exe
2440	reg.exe
696	reg.exe
1816	reg.exe
2056	reg.exe
1132	reg.exe
2380	reg.exe
472	reg.exe
280	reg.exe
436	reg.exe
1536	reg.exe
2644	reg.exe
2384	reg.exe
1484	reg.exe
1504	reg.exe
552	reg.exe
2016	reg.exe
1328	reg.exe
1180	reg.exe
1728	reg.exe
2148	reg.exe
1416	reg.exe
2632	reg.exe
2168	reg.exe
2796	reg.exe
1652	reg.exe
1148	reg.exe
708	reg.exe
2432	reg.exe
2636	reg.exe
2132	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
436	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
436	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1628	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1628	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1148	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1148	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
316	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
316	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1712	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1712	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
708	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
708	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1152	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1152	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
2020	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
2020	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
916	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
916	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1556	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1556	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1208	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1208	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1460	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1460	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
768	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
768	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
676	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
676	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1712	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1712	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
856	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
856	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1740	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1740	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1732	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1732	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1712	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1712	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1504	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1504	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
696	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
696	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
268	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
268	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1932	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1932	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1040	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
1040	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
2112	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
2112	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
2232	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
2232	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
2476	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
2476	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
2596	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
2596	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
2724	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
2724	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
2840	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
2840	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1380	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	27
PID 1792 wrote to memory of 1380	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	27
PID 1792 wrote to memory of 1380	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	27
PID 1792 wrote to memory of 1380	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	27
PID 1792 wrote to memory of 1156	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	28
PID 1792 wrote to memory of 1156	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	28
PID 1792 wrote to memory of 1156	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	28
PID 1792 wrote to memory of 1156	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	28
PID 1792 wrote to memory of 1692	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	30
PID 1792 wrote to memory of 1692	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	30
PID 1792 wrote to memory of 1692	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	30
PID 1792 wrote to memory of 1692	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	30
PID 1692 wrote to memory of 1600	1692	cmd.exe	32
PID 1692 wrote to memory of 1600	1692	cmd.exe	32
PID 1692 wrote to memory of 1600	1692	cmd.exe	32
PID 1692 wrote to memory of 1600	1692	cmd.exe	32
PID 1792 wrote to memory of 1504	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	33
PID 1792 wrote to memory of 1504	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	33
PID 1792 wrote to memory of 1504	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	33
PID 1792 wrote to memory of 1504	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	33
PID 1792 wrote to memory of 1040	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	35
PID 1792 wrote to memory of 1040	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	35
PID 1792 wrote to memory of 1040	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	35
PID 1792 wrote to memory of 1040	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	35
PID 1792 wrote to memory of 472	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	36
PID 1792 wrote to memory of 472	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	36
PID 1792 wrote to memory of 472	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	36
PID 1792 wrote to memory of 472	1792	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	36
PID 1600 wrote to memory of 1840	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	39
PID 1600 wrote to memory of 1840	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	39
PID 1600 wrote to memory of 1840	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	39
PID 1600 wrote to memory of 1840	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	39
PID 1840 wrote to memory of 436	1840	cmd.exe	41
PID 1840 wrote to memory of 436	1840	cmd.exe	41
PID 1840 wrote to memory of 436	1840	cmd.exe	41
PID 1840 wrote to memory of 436	1840	cmd.exe	41
PID 1600 wrote to memory of 1880	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	42
PID 1600 wrote to memory of 1880	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	42
PID 1600 wrote to memory of 1880	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	42
PID 1600 wrote to memory of 1880	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	42
PID 1600 wrote to memory of 1176	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	44
PID 1600 wrote to memory of 1176	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	44
PID 1600 wrote to memory of 1176	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	44
PID 1600 wrote to memory of 1176	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	44
PID 1600 wrote to memory of 1452	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	46
PID 1600 wrote to memory of 1452	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	46
PID 1600 wrote to memory of 1452	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	46
PID 1600 wrote to memory of 1452	1600	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	46
PID 436 wrote to memory of 484	436	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	48
PID 436 wrote to memory of 484	436	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	48
PID 436 wrote to memory of 484	436	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	48
PID 436 wrote to memory of 484	436	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	48
PID 484 wrote to memory of 1628	484	cmd.exe	50
PID 484 wrote to memory of 1628	484	cmd.exe	50
PID 484 wrote to memory of 1628	484	cmd.exe	50
PID 484 wrote to memory of 1628	484	cmd.exe	50
PID 436 wrote to memory of 1920	436	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	51
PID 436 wrote to memory of 1920	436	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	51
PID 436 wrote to memory of 1920	436	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	51
PID 436 wrote to memory of 1920	436	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	51
PID 436 wrote to memory of 1484	436	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	53
PID 436 wrote to memory of 1484	436	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	53
PID 436 wrote to memory of 1484	436	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	53
PID 436 wrote to memory of 1484	436	d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe	53

C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
"C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\SYIswIcQ\ImoAMwAU.exe
  "C:\Users\Admin\SYIswIcQ\ImoAMwAU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1380
- C:\ProgramData\RmggIUcw\DmgsIMMo.exe
  "C:\ProgramData\RmggIUcw\DmgsIMMo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
    C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1840
    - - C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:436
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        8⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        10⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        12⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        14⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        16⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        18⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        20⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        22⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        24⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        25⤵
        Adds Run key to start application
        
        PID:1848
        
        C:\Users\Admin\tEsgAsks\TgQsgwcw.exe
        
        "C:\Users\Admin\tEsgAsks\TgQsgwcw.exe"
        26⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 120
        27⤵
        Program crash
        
        PID:1068
        
        C:\ProgramData\MCsIkQYc\dSgscskg.exe
        
        "C:\ProgramData\MCsIkQYc\dSgscskg.exe"
        26⤵
        
        PID:904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 124
        27⤵
        Program crash
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        26⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        28⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        30⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        32⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        34⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        36⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        38⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        40⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        42⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        44⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        46⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        48⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        50⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        52⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        54⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        56⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        58⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        60⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        62⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        64⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        65⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        66⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        67⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        68⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        69⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        70⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        71⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        72⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        73⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        74⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        75⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        76⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        77⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        78⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        79⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        80⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        81⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        82⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        83⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        84⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        85⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        86⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        87⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        88⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        89⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        90⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
        91⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab"
        92⤵
        
        PID:188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VkgsQwgI.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        88⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAsscAYU.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        48⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EuAYIoYY.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        46⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NiQoskog.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        44⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NUYIQcIE.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        38⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkYYYIck.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        36⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nYUgUIMI.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        34⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IaIccAYY.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        32⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EkocYMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        30⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oKkgEIEk.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        28⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUAYMwIo.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        24⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hukkokYo.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        22⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIYksUoU.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        20⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BasYwQcM.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        18⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lCcUUIcw.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        16⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dAUsUcAM.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        14⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oiksYcIg.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        12⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GEsgMoYo.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        10⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\doEgIMsg.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        8⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1120
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1920
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1484
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:280
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoIwsEQA.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
        6⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1580
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1880
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1176
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1452
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYoQwAgI.bat" "C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe""
      4⤵
      PID:1728
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1164
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1504
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1040
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:472

C:\ProgramData\GcIMkAEM\gKkYgYIg.exe
C:\ProgramData\GcIMkAEM\gKkYgYIg.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1508

C:\ProgramData\BIwskkkE\ZAocAosk.exe
C:\ProgramData\BIwskkkE\ZAocAosk.exe
1⤵
PID:1740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 120
  2⤵
  - Program crash
  PID:1148

C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab.exe
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab
1⤵
PID:1720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GcIMkAEM\gKkYgYIg.exe

Filesize
431KB

MD5
085d8dca1a6ad3ceb0127045ec853946

SHA1
69979208311367ec673775afb982cacd8cc5d471

SHA256
9fc99e4097dd17143bd7fb3cfc39008f8f9f99040f516d61971d3a5047086bd0

SHA512
7defb0383f5f81cf81f02ed1729a2a2ae0a90422b0e82ab994f8038d6d75fd62e76228981b9324842adfe78662cb564793af0f3eb616903deb354745840dc54a

Download Submit
C:\ProgramData\GcIMkAEM\gKkYgYIg.exe

Filesize
431KB

MD5
085d8dca1a6ad3ceb0127045ec853946

SHA1
69979208311367ec673775afb982cacd8cc5d471

SHA256
9fc99e4097dd17143bd7fb3cfc39008f8f9f99040f516d61971d3a5047086bd0

SHA512
7defb0383f5f81cf81f02ed1729a2a2ae0a90422b0e82ab994f8038d6d75fd62e76228981b9324842adfe78662cb564793af0f3eb616903deb354745840dc54a

Download Submit
C:\ProgramData\RmggIUcw\DmgsIMMo.exe

Filesize
434KB

MD5
93c07390a9a652c920f2fca3e25d0f7f

SHA1
a89f638da0be28a089bdc419e3885b5e59c4da38

SHA256
9da167d8624d1fff7cc4aa2c3158dcdd80ccc4317c7a5aa42ad94a463ca4d7b9

SHA512
9f07991ce8285c8c14b57e1737861a15a140c820daac10e6a46c3cb6e8a6e311c2e726ed20461278c369852dd58e431da77c8ea61e13f274f60746549ac34dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\BasYwQcM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUAYMwIo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkocYMsQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoIwsEQA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEsgMoYo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IaIccAYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkYYYIck.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIYksUoU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d15914551c41bad7877e2a023c925da0cedfcb6bce8dd05f494d923bd07087ab

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAUsUcAM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\doEgIMsg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hukkokYo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lCcUUIcw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYUgUIMI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oKkgEIEk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiksYcIg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYoQwAgI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\SYIswIcQ\ImoAMwAU.exe

Filesize
434KB

MD5
05b50a1d3428966a5999f1d289c9040b

SHA1
88c2297d71a125cbe15004039c155f935d380160

SHA256
5bfa7f03766ad52285882f451640068b2909fe10f05c26063c67a6794a7d67dd

SHA512
189bc493ab30f8d575daca78c875696ca9c90021baa53f4eebd89876a39901369089916b6d7910f1deaaa3ddbda28b3d53b5664999a1b812cf3d847c5c962b46

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\RmggIUcw\DmgsIMMo.exe

Filesize
434KB

MD5
93c07390a9a652c920f2fca3e25d0f7f

SHA1
a89f638da0be28a089bdc419e3885b5e59c4da38

SHA256
9da167d8624d1fff7cc4aa2c3158dcdd80ccc4317c7a5aa42ad94a463ca4d7b9

SHA512
9f07991ce8285c8c14b57e1737861a15a140c820daac10e6a46c3cb6e8a6e311c2e726ed20461278c369852dd58e431da77c8ea61e13f274f60746549ac34dee

Download Submit
\ProgramData\RmggIUcw\DmgsIMMo.exe

Filesize
434KB

MD5
93c07390a9a652c920f2fca3e25d0f7f

SHA1
a89f638da0be28a089bdc419e3885b5e59c4da38

SHA256
9da167d8624d1fff7cc4aa2c3158dcdd80ccc4317c7a5aa42ad94a463ca4d7b9

SHA512
9f07991ce8285c8c14b57e1737861a15a140c820daac10e6a46c3cb6e8a6e311c2e726ed20461278c369852dd58e431da77c8ea61e13f274f60746549ac34dee

Download Submit
\Users\Admin\SYIswIcQ\ImoAMwAU.exe

Filesize
434KB

MD5
05b50a1d3428966a5999f1d289c9040b

SHA1
88c2297d71a125cbe15004039c155f935d380160

SHA256
5bfa7f03766ad52285882f451640068b2909fe10f05c26063c67a6794a7d67dd

SHA512
189bc493ab30f8d575daca78c875696ca9c90021baa53f4eebd89876a39901369089916b6d7910f1deaaa3ddbda28b3d53b5664999a1b812cf3d847c5c962b46

Download Submit
\Users\Admin\SYIswIcQ\ImoAMwAU.exe

Filesize
434KB

MD5
05b50a1d3428966a5999f1d289c9040b

SHA1
88c2297d71a125cbe15004039c155f935d380160

SHA256
5bfa7f03766ad52285882f451640068b2909fe10f05c26063c67a6794a7d67dd

SHA512
189bc493ab30f8d575daca78c875696ca9c90021baa53f4eebd89876a39901369089916b6d7910f1deaaa3ddbda28b3d53b5664999a1b812cf3d847c5c962b46

Download Submit
memory/268-280-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/316-156-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/316-118-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/436-89-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/436-115-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/676-243-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/676-236-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/676-250-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/696-277-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/708-203-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/708-145-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/768-241-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/768-248-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/768-234-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/856-282-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/856-283-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/856-261-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/904-219-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/916-199-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/916-211-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1040-286-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1148-103-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1148-188-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1152-187-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1152-176-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1156-68-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1156-102-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1208-244-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1208-226-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1208-237-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1380-66-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1380-104-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1460-239-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1460-230-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1460-249-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1504-275-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1504-292-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1508-73-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1552-218-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1556-215-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1556-217-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1556-220-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1600-116-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1600-74-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1600-109-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1628-117-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1628-90-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1628-124-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1712-157-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1712-242-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1712-274-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1712-264-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1712-133-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1712-291-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1732-288-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1732-271-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1740-270-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1740-224-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1740-287-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1792-94-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1792-55-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1792-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1932-281-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2020-175-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2020-202-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download