e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Analysis

max time kernel
154s
max time network
109s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
Size

490KB
MD5

444ee2042336db25a124b2e6badc61c0
SHA1

74c2ae1e70cfb8a208861702b0a5bfe67ca44397
SHA256

e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
SHA512

690972ec07ea0dc7a55e909e385668a35c2c1848895427659847b594f0ab467c3f62bb58588421b4e8dc3f1e5ba6f9df07b54164ea89b18b9007d8f0ee8fdb64
SSDEEP

12288:N///edkn3/upJiI+qx6Xw2Xvyr0HHJAeODgm+:5/UkPuWqww2q/HDP+

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\RUQIcEsY\\hOIkkoQM.exe,"	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\RUQIcEsY\\hOIkkoQM.exe,"	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe

Modifies visibility of file extensions in Explorer 2 TTPs 48 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 48 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1392	eYgUEkYg.exe
1164	hOIkkoQM.exe
2024	AoQIIwQo.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\UnblockUninstall.png.exe	hOIkkoQM.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	hOIkkoQM.exe

Deletes itself 1 IoCs

pid	Process
1768	cmd.exe

Loads dropped DLL 26 IoCs

pid	Process
1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\eYgUEkYg.exe = "C:\\Users\\Admin\\fgIIgIss\\eYgUEkYg.exe"	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hOIkkoQM.exe = "C:\\ProgramData\\RUQIcEsY\\hOIkkoQM.exe"	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\eYgUEkYg.exe = "C:\\Users\\Admin\\fgIIgIss\\eYgUEkYg.exe"	eYgUEkYg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hOIkkoQM.exe = "C:\\ProgramData\\RUQIcEsY\\hOIkkoQM.exe"	hOIkkoQM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hOIkkoQM.exe = "C:\\ProgramData\\RUQIcEsY\\hOIkkoQM.exe"	AoQIIwQo.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\fgIIgIss	AoQIIwQo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\fgIIgIss\eYgUEkYg	AoQIIwQo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
996	reg.exe
1728	reg.exe
1252	reg.exe
308	reg.exe
1808	reg.exe
1884	reg.exe
844	reg.exe
2028	reg.exe
1568	reg.exe
1488	reg.exe
1780	reg.exe
840	reg.exe
548	reg.exe
816	reg.exe
1348	reg.exe
1804	reg.exe
1536	reg.exe
1964	reg.exe
1708	reg.exe
608	reg.exe
1368	reg.exe
1660	reg.exe
1932	reg.exe
1800	reg.exe
1804	reg.exe
1356	reg.exe
1476	reg.exe
1040	reg.exe
296	reg.exe
1464	reg.exe
992	reg.exe
528	reg.exe
732	reg.exe
1340	reg.exe
732	reg.exe
1808	reg.exe
1804	reg.exe
1932	reg.exe
512	reg.exe
1176	reg.exe
308	reg.exe
1728	reg.exe
1464	reg.exe
1436	reg.exe
996	reg.exe
1536	reg.exe
1768	reg.exe
1992	reg.exe
1124	reg.exe
288	reg.exe
1060	reg.exe
1200	reg.exe
1960	reg.exe
1520	reg.exe
1496	reg.exe
1872	reg.exe
1696	reg.exe
904	reg.exe
1220	reg.exe
1188	reg.exe
1536	reg.exe
816	reg.exe
1612	reg.exe
1568	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1456	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1456	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
556	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
556	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1788	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1788	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1964	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1964	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
288	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
288	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1396	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1396	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1944	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1944	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1800	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1800	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
676	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
676	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1788	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1788	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1596	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1596	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
840	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
840	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
976	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
976	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1700	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1700	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1604	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1604	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1488	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1488	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1632	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1632	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1536	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1536	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1068	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1068	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
852	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
852	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1604	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1604	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1140	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1140	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1176	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1176	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
2028	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
2028	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
600	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
600	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1484	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1484	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
428	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
428	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
992	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
992	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1140	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
1140	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe
1164	hOIkkoQM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1392	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	27
PID 1476 wrote to memory of 1392	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	27
PID 1476 wrote to memory of 1392	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	27
PID 1476 wrote to memory of 1392	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	27
PID 1476 wrote to memory of 1164	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	28
PID 1476 wrote to memory of 1164	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	28
PID 1476 wrote to memory of 1164	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	28
PID 1476 wrote to memory of 1164	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	28
PID 1476 wrote to memory of 468	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	30
PID 1476 wrote to memory of 468	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	30
PID 1476 wrote to memory of 468	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	30
PID 1476 wrote to memory of 468	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	30
PID 468 wrote to memory of 2016	468	cmd.exe	32
PID 468 wrote to memory of 2016	468	cmd.exe	32
PID 468 wrote to memory of 2016	468	cmd.exe	32
PID 468 wrote to memory of 2016	468	cmd.exe	32
PID 2016 wrote to memory of 1536	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	34
PID 2016 wrote to memory of 1536	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	34
PID 2016 wrote to memory of 1536	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	34
PID 2016 wrote to memory of 1536	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	34
PID 1536 wrote to memory of 1456	1536	cmd.exe	36
PID 1536 wrote to memory of 1456	1536	cmd.exe	36
PID 1536 wrote to memory of 1456	1536	cmd.exe	36
PID 1536 wrote to memory of 1456	1536	cmd.exe	36
PID 1456 wrote to memory of 1740	1456	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	38
PID 1456 wrote to memory of 1740	1456	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	38
PID 1456 wrote to memory of 1740	1456	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	38
PID 1456 wrote to memory of 1740	1456	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	38
PID 1740 wrote to memory of 556	1740	cmd.exe	40
PID 1740 wrote to memory of 556	1740	cmd.exe	40
PID 1740 wrote to memory of 556	1740	cmd.exe	40
PID 1740 wrote to memory of 556	1740	cmd.exe	40
PID 1476 wrote to memory of 528	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	33
PID 2016 wrote to memory of 808	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	37
PID 1476 wrote to memory of 528	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	33
PID 2016 wrote to memory of 808	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	37
PID 1476 wrote to memory of 528	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	33
PID 2016 wrote to memory of 808	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	37
PID 1476 wrote to memory of 528	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	33
PID 2016 wrote to memory of 808	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	37
PID 1476 wrote to memory of 1836	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	44
PID 1476 wrote to memory of 1836	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	44
PID 1476 wrote to memory of 1836	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	44
PID 1476 wrote to memory of 1836	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	44
PID 2016 wrote to memory of 1992	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	41
PID 2016 wrote to memory of 1992	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	41
PID 2016 wrote to memory of 1992	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	41
PID 2016 wrote to memory of 1992	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	41
PID 1476 wrote to memory of 840	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	46
PID 1476 wrote to memory of 840	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	46
PID 1476 wrote to memory of 840	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	46
PID 1476 wrote to memory of 840	1476	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	46
PID 2016 wrote to memory of 1804	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	45
PID 2016 wrote to memory of 1804	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	45
PID 2016 wrote to memory of 1804	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	45
PID 2016 wrote to memory of 1804	2016	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	45
PID 1456 wrote to memory of 732	1456	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	51
PID 1456 wrote to memory of 732	1456	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	51
PID 1456 wrote to memory of 732	1456	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	51
PID 1456 wrote to memory of 732	1456	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	51
PID 1456 wrote to memory of 1520	1456	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	54
PID 1456 wrote to memory of 1520	1456	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	54
PID 1456 wrote to memory of 1520	1456	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	54
PID 1456 wrote to memory of 1520	1456	e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe	54

C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
"C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\fgIIgIss\eYgUEkYg.exe
  "C:\Users\Admin\fgIIgIss\eYgUEkYg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1392
- C:\ProgramData\RUQIcEsY\hOIkkoQM.exe
  "C:\ProgramData\RUQIcEsY\hOIkkoQM.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks computer location settings
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
    C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        8⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        10⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        12⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        14⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        16⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        18⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        20⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        22⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        24⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        26⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        28⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        30⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        32⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        34⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KsoUQsYY.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        34⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aCgIUcwc.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        32⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgsIEoUY.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        30⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KaUUUIIM.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        28⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WacIMAUE.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        26⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EYIgIMcU.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        24⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\naAkAosQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        22⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOosAckY.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        20⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xwMQcMgA.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        18⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IUwIAMkg.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        16⤵
        
        PID:288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eUcoEQsg.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        14⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vAwkwIUA.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        12⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmQIUEYE.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        10⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQIwAsgc.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        8⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1992
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:732
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:1436
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1520
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FAUoIccs.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        6⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1104
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:808
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1992
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\pGUwIkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
      4⤵
      PID:1596
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1348
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:528
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1836
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\imYAQgkE.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1536

C:\ProgramData\XIggcoMQ\AoQIIwQo.exe
C:\ProgramData\XIggcoMQ\AoQIIwQo.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2024

C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
  2⤵
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
    C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
      4⤵
      PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        6⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        8⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        10⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        12⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        14⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        16⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        18⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        20⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        22⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        24⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        26⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        28⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        30⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        31⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        32⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        33⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        34⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        35⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        36⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        37⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        38⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        39⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        40⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        41⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        42⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        43⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        44⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        45⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        46⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        47⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        48⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        49⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        50⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        51⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        52⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        53⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        54⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        55⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        56⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        57⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        58⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        59⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4"
        60⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe
        
        C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4
        61⤵
        
        PID:296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Eqskckwg.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        60⤵
        Deletes itself
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAIUsMMU.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        58⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kygwEEEA.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        56⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XEwIEgYE.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        54⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XgwUgQEc.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        52⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ecAMwAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        50⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WyMMMAoM.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        48⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dGEowUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        46⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OqscIUsk.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        44⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMwYYsIY.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        42⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\skcMYkwg.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        40⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WkkEkIco.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        38⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\diMAcEMI.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        36⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XkwUMEos.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        34⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\haYMsgIw.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        32⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FIMUMMAM.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        30⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LEQYgQAs.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        28⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zeAMMQsM.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        26⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUogkksw.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        24⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wmwEwQMc.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        22⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dSoEYsog.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        20⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqUsYQcU.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        18⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bksQMosU.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        16⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BKcoEEAE.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        14⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wekAQggI.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        12⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vSsIsMEM.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        10⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAAoYMsI.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        8⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:732
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:816
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1952
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1836
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eYMskgEw.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
        6⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:296
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1744
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:996
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1124
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ACUMUkgU.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
      4⤵
      PID:1768
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1520
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2028
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1612
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\vcMwkUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4.exe""
  2⤵
  PID:1348
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RUQIcEsY\hOIkkoQM.exe

Filesize
483KB

MD5
01e5b12419ca2ce8af83bf8e363b29ff

SHA1
75a7a566f615b44ff0bd2324765d8f9d61a44caf

SHA256
436937e1335c5404d4e561fa7698cedba0290f68f7d4b3be6e59a6322a31de6f

SHA512
3749267d2ea12e518b8c4a3c9d1035a562afb956d137b86afbeee6b404cf0a581264587faad0d7a57df63fa314f5531c4f6556b671dca28a19e41d2bd452d9f8

Download Submit
C:\ProgramData\XIggcoMQ\AoQIIwQo.exe

Filesize
486KB

MD5
19101ed0fc1279b8e5211ceb6422071d

SHA1
53edbf905e4070127e5349819e284cf89a16e769

SHA256
6c50a57665b792cd9d145cff1ef9b68472d4ba785f151ea9f11dbcafe503b753

SHA512
2ddf99a70fdbf04e470000e867f71bae4dc0e9bfa7288092f16bb812def57dff77ac062d8029e19544d545c189adcacaad8740deb50920174b92320ec37e41d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQIwAsgc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYIgIMcU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAUoIccs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUwIAMkg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KaUUUIIM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QmQIUEYE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WacIMAUE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aCgIUcwc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgsIEoUY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9043292ac23c1f176da9b907f4c9c29df7a08e16734b0633b056d8a06c854e4

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUcoEQsg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOosAckY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\imYAQgkE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\naAkAosQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pGUwIkMQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAwkwIUA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwMQcMgA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\fgIIgIss\eYgUEkYg.exe

Filesize
480KB

MD5
e6d6e5c37532259ef697943e6b50667f

SHA1
78dd68adbb36dd6eb883fa4b5db0ac3544a78e54

SHA256
e4148755df65f59383fb762fe79e41cf1950d19867d599e756b31d9eaa3e73f2

SHA512
165ac57c4794bffcb959f4eb80ccb889067fc9fe8e280930ec4f82d382d30399980241cbddad93eed614059f22ed436d1ccc1127ae24893f586b6dbc6a4d8f9d

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\RUQIcEsY\hOIkkoQM.exe

Filesize
483KB

MD5
01e5b12419ca2ce8af83bf8e363b29ff

SHA1
75a7a566f615b44ff0bd2324765d8f9d61a44caf

SHA256
436937e1335c5404d4e561fa7698cedba0290f68f7d4b3be6e59a6322a31de6f

SHA512
3749267d2ea12e518b8c4a3c9d1035a562afb956d137b86afbeee6b404cf0a581264587faad0d7a57df63fa314f5531c4f6556b671dca28a19e41d2bd452d9f8

Download Submit
\ProgramData\RUQIcEsY\hOIkkoQM.exe

Filesize
483KB

MD5
01e5b12419ca2ce8af83bf8e363b29ff

SHA1
75a7a566f615b44ff0bd2324765d8f9d61a44caf

SHA256
436937e1335c5404d4e561fa7698cedba0290f68f7d4b3be6e59a6322a31de6f

SHA512
3749267d2ea12e518b8c4a3c9d1035a562afb956d137b86afbeee6b404cf0a581264587faad0d7a57df63fa314f5531c4f6556b671dca28a19e41d2bd452d9f8

Download Submit
\Users\Admin\fgIIgIss\eYgUEkYg.exe

Filesize
480KB

MD5
e6d6e5c37532259ef697943e6b50667f

SHA1
78dd68adbb36dd6eb883fa4b5db0ac3544a78e54

SHA256
e4148755df65f59383fb762fe79e41cf1950d19867d599e756b31d9eaa3e73f2

SHA512
165ac57c4794bffcb959f4eb80ccb889067fc9fe8e280930ec4f82d382d30399980241cbddad93eed614059f22ed436d1ccc1127ae24893f586b6dbc6a4d8f9d

Download Submit
\Users\Admin\fgIIgIss\eYgUEkYg.exe

Filesize
480KB

MD5
e6d6e5c37532259ef697943e6b50667f

SHA1
78dd68adbb36dd6eb883fa4b5db0ac3544a78e54

SHA256
e4148755df65f59383fb762fe79e41cf1950d19867d599e756b31d9eaa3e73f2

SHA512
165ac57c4794bffcb959f4eb80ccb889067fc9fe8e280930ec4f82d382d30399980241cbddad93eed614059f22ed436d1ccc1127ae24893f586b6dbc6a4d8f9d

Download Submit
memory/288-162-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/288-138-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/428-305-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/556-90-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/556-114-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/600-302-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/600-300-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/676-219-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/676-212-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/840-232-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/840-241-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/852-283-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/852-281-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/976-250-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/976-248-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1068-273-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1068-278-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1140-290-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1140-286-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1164-69-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1164-145-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1176-293-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1176-295-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1392-144-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1392-68-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1396-158-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1396-177-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1456-113-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1456-89-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-106-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-203-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-204-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-54-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-178-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-55-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1488-267-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1488-266-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1536-275-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1536-274-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1596-233-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1596-235-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1604-280-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1604-259-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1604-287-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1604-262-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1632-265-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1632-270-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1700-247-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1700-258-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1788-127-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1788-223-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1788-226-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1788-107-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1800-211-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1800-202-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1944-196-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1944-187-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1964-121-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1964-146-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2016-74-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2016-111-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2024-147-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2024-70-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2028-294-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2028-298-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download