ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
Size

495KB
MD5

a35715bda93abea9d7b1f8d11cd7b870
SHA1

f7b27e85b35530e346934affa326597c3b5e8059
SHA256

ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
SHA512

00fd6cb8469d0bfa63e1358d407471edc9bcdba33b325d1b38e153aeb4aa8dea01d4baf71acbd3d661711f04bbd7d75f270234aab9110fe149848078d408149e
SSDEEP

12288:EU1QF2u0MkUCXzx6PBCaI83rMcvA1fopUUfia:EeNu0uCXzx6JCx83PvANonfia

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\rSMcscQM\\qUUQYsMQ.exe,"	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\rSMcscQM\\qUUQYsMQ.exe,"	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe

Modifies visibility of file extensions in Explorer 2 TTPs 34 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 34 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
4248	zWAUMwgI.exe
3148	qUUQYsMQ.exe
3772	ZmYoEgIA.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	zWAUMwgI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zWAUMwgI.exe = "C:\\Users\\Admin\\UMwQMsQQ\\zWAUMwgI.exe"	zWAUMwgI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qUUQYsMQ.exe = "C:\\ProgramData\\rSMcscQM\\qUUQYsMQ.exe"	qUUQYsMQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qUUQYsMQ.exe = "C:\\ProgramData\\rSMcscQM\\qUUQYsMQ.exe"	ZmYoEgIA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zWAUMwgI.exe = "C:\\Users\\Admin\\UMwQMsQQ\\zWAUMwgI.exe"	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qUUQYsMQ.exe = "C:\\ProgramData\\rSMcscQM\\qUUQYsMQ.exe"	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shePingGet.png	zWAUMwgI.exe
File opened for modification	C:\Windows\SysWOW64\sheWriteConvertFrom.jpg	zWAUMwgI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\UMwQMsQQ	ZmYoEgIA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\UMwQMsQQ\zWAUMwgI	ZmYoEgIA.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	zWAUMwgI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3212	reg.exe
4344	reg.exe
5000	reg.exe
4716	reg.exe
3856	reg.exe
1784	reg.exe
4256	reg.exe
1792	reg.exe
2824	reg.exe
1736	reg.exe
3200	reg.exe
3912	reg.exe
2420	reg.exe
3200	reg.exe
1624	reg.exe
2056	reg.exe
3728	reg.exe
3100	reg.exe
3648	reg.exe
2824	reg.exe
3416	reg.exe
4856	reg.exe
3640	reg.exe
1728	reg.exe
4760	reg.exe
3748	reg.exe
5068	reg.exe
4116	reg.exe
3512	reg.exe
1784	reg.exe
3768	reg.exe
1944	reg.exe
3296	reg.exe
4468	reg.exe
1648	reg.exe
3552	reg.exe
4236	reg.exe
876	reg.exe
2920	reg.exe
364	reg.exe
1956	reg.exe
4532	reg.exe
1768	reg.exe
1648	reg.exe
4332	reg.exe
4116	reg.exe
3212	reg.exe
1564	reg.exe
4284	reg.exe
4816	reg.exe
4332	reg.exe
1316	reg.exe
1300	reg.exe
3060	reg.exe
4716	reg.exe
424	reg.exe
1352	reg.exe
1152	reg.exe
2816	reg.exe
1924	reg.exe
3112	reg.exe
576	reg.exe
4964	reg.exe
4812	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4732	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4732	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4732	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4732	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4920	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4920	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4920	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4920	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
1192	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
1192	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
1192	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
1192	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4464	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4464	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4464	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4464	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
1424	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
1424	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
1424	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
1424	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
2984	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
2984	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
2984	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
2984	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
3628	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
3628	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
3628	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
3628	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
2888	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
2888	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
2888	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
2888	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
2580	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
2580	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
2580	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
2580	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
3752	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
3752	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
3752	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
3752	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4824	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4824	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4824	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4824	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4296	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4296	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4296	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
4296	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
1200	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
1200	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
1200	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
1200	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4248	zWAUMwgI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe
4248	zWAUMwgI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 4248	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	84
PID 1104 wrote to memory of 4248	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	84
PID 1104 wrote to memory of 4248	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	84
PID 1104 wrote to memory of 3148	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	85
PID 1104 wrote to memory of 3148	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	85
PID 1104 wrote to memory of 3148	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	85
PID 1104 wrote to memory of 5052	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	87
PID 1104 wrote to memory of 5052	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	87
PID 1104 wrote to memory of 5052	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	87
PID 5052 wrote to memory of 544	5052	cmd.exe	89
PID 5052 wrote to memory of 544	5052	cmd.exe	89
PID 5052 wrote to memory of 544	5052	cmd.exe	89
PID 1104 wrote to memory of 3912	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	90
PID 1104 wrote to memory of 3912	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	90
PID 1104 wrote to memory of 3912	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	90
PID 1104 wrote to memory of 576	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	91
PID 1104 wrote to memory of 576	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	91
PID 1104 wrote to memory of 576	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	91
PID 1104 wrote to memory of 3548	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	92
PID 1104 wrote to memory of 3548	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	92
PID 1104 wrote to memory of 3548	1104	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	92
PID 544 wrote to memory of 4504	544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	96
PID 544 wrote to memory of 4504	544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	96
PID 544 wrote to memory of 4504	544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	96
PID 4504 wrote to memory of 624	4504	cmd.exe	98
PID 4504 wrote to memory of 624	4504	cmd.exe	98
PID 4504 wrote to memory of 624	4504	cmd.exe	98
PID 544 wrote to memory of 876	544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	99
PID 544 wrote to memory of 876	544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	99
PID 544 wrote to memory of 876	544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	99
PID 544 wrote to memory of 4116	544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	100
PID 544 wrote to memory of 4116	544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	100
PID 544 wrote to memory of 4116	544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	100
PID 544 wrote to memory of 1960	544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	103
PID 544 wrote to memory of 1960	544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	103
PID 544 wrote to memory of 1960	544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	103
PID 544 wrote to memory of 2512	544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	104
PID 544 wrote to memory of 2512	544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	104
PID 544 wrote to memory of 2512	544	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	104
PID 624 wrote to memory of 3492	624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	107
PID 624 wrote to memory of 3492	624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	107
PID 624 wrote to memory of 3492	624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	107
PID 624 wrote to memory of 4256	624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	108
PID 624 wrote to memory of 4256	624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	108
PID 624 wrote to memory of 4256	624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	108
PID 624 wrote to memory of 3060	624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	109
PID 624 wrote to memory of 3060	624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	109
PID 624 wrote to memory of 3060	624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	109
PID 624 wrote to memory of 1016	624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	110
PID 624 wrote to memory of 1016	624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	110
PID 624 wrote to memory of 1016	624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	110
PID 624 wrote to memory of 5088	624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	111
PID 624 wrote to memory of 5088	624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	111
PID 624 wrote to memory of 5088	624	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	111
PID 2512 wrote to memory of 1172	2512	cmd.exe	112
PID 2512 wrote to memory of 1172	2512	cmd.exe	112
PID 2512 wrote to memory of 1172	2512	cmd.exe	112
PID 3492 wrote to memory of 4732	3492	cmd.exe	118
PID 3492 wrote to memory of 4732	3492	cmd.exe	118
PID 3492 wrote to memory of 4732	3492	cmd.exe	118
PID 4732 wrote to memory of 2188	4732	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	119
PID 4732 wrote to memory of 2188	4732	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	119
PID 4732 wrote to memory of 2188	4732	ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe	119
PID 2188 wrote to memory of 4920	2188	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
"C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\UMwQMsQQ\zWAUMwgI.exe
  "C:\Users\Admin\UMwQMsQQ\zWAUMwgI.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4248
- C:\ProgramData\rSMcscQM\qUUQYsMQ.exe
  "C:\ProgramData\rSMcscQM\qUUQYsMQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
    C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        10⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        12⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        14⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        16⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        18⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        20⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        22⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        24⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        26⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        28⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        30⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        32⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        33⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        34⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        35⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        36⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        37⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        38⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        39⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        40⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        41⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        42⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        43⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        44⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        45⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        46⤵
        
        PID:4044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        47⤵
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        48⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        49⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        50⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        51⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        52⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        53⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        54⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        55⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        56⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        57⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        58⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        59⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        60⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        61⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        62⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        63⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        64⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        65⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        66⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe
        
        C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18
        67⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18"
        68⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAssQIEE.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        68⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mawcQQsA.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        66⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pooIsgQg.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        64⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYQcwgAA.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        62⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaQkswME.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        60⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqcQIcEA.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        58⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgckksUc.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        56⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\paocoAMg.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        54⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faMkwMQA.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        52⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByIwoogs.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        50⤵
        
        PID:3512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOUEwMAA.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        48⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEkMIgYE.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        46⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaMYcoUY.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        44⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMsUocEw.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        42⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcQIEUAA.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        40⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUgYEgQU.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        38⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKowkYQI.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        36⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGwgIUMI.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        34⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmsAQQoI.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        32⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqUIUMkc.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        30⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaIMgEIc.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        28⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQwIkMUw.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        26⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOIIEoUk.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        24⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScgkYgso.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        22⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuYIMUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        20⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkoUkUIk.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        18⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgYQsoMI.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        16⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keUccosE.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        14⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGIMwIQo.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        12⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIUMYMgk.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        10⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koUMQUAI.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        8⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:2920
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4256
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:3060
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKooQQAE.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
        6⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:724
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:876
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4116
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCEscYoc.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1172
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3912
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:576
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKggwkMM.bat" "C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18.exe""
  2⤵
  PID:3144
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2788

C:\ProgramData\xkAYAcUw\ZmYoEgIA.exe
C:\ProgramData\xkAYAcUw\ZmYoEgIA.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rSMcscQM\qUUQYsMQ.exe

Filesize
481KB

MD5
5705e340c031dee13df94d35724c52c4

SHA1
fbeaaa981864190dcb841a8b4e7c7062232c4246

SHA256
dabd5ac8def2afc540b5e9170f1d34a047da5081a51130b6d05a1f4253d56a8f

SHA512
2efc8cd8b3f91ec6595031e0abfb2373ab98634b7393f2803c3ae8180d8e6314739d187e920c48ffb69de82e2e2753795896786d13ecb1d9ff4ceb3f2fdde40f

Download Submit
C:\ProgramData\rSMcscQM\qUUQYsMQ.exe

Filesize
481KB

MD5
5705e340c031dee13df94d35724c52c4

SHA1
fbeaaa981864190dcb841a8b4e7c7062232c4246

SHA256
dabd5ac8def2afc540b5e9170f1d34a047da5081a51130b6d05a1f4253d56a8f

SHA512
2efc8cd8b3f91ec6595031e0abfb2373ab98634b7393f2803c3ae8180d8e6314739d187e920c48ffb69de82e2e2753795896786d13ecb1d9ff4ceb3f2fdde40f

Download Submit
C:\ProgramData\xkAYAcUw\ZmYoEgIA.exe

Filesize
481KB

MD5
8aac434d36432949605aaaeebd10e026

SHA1
a69f91ab0bb6a0d11809918df280e5cc59949963

SHA256
99465115d2001abd6690e2ea31bec186e5ed2ad194e4eb7ac1cf2756c4cc74ff

SHA512
04d21a6ce1c1285ddbb220c5c251aa64511438b8baf9c3e48b3d4b06769924b0769805dc3efb86f52c6e035f634ec0977fc32015ad88c7ffd6535d9b79159b23

Download Submit
C:\ProgramData\xkAYAcUw\ZmYoEgIA.exe

Filesize
481KB

MD5
8aac434d36432949605aaaeebd10e026

SHA1
a69f91ab0bb6a0d11809918df280e5cc59949963

SHA256
99465115d2001abd6690e2ea31bec186e5ed2ad194e4eb7ac1cf2756c4cc74ff

SHA512
04d21a6ce1c1285ddbb220c5c251aa64511438b8baf9c3e48b3d4b06769924b0769805dc3efb86f52c6e035f634ec0977fc32015ad88c7ffd6535d9b79159b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIUMYMgk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQwIkMUw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUgYEgQU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NKooQQAE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QCEscYoc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScgkYgso.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YqUIUMkc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZaIMgEIc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac04ac81478cef22f6178c82ac334e1e74f7b5a7c054578b3e2ba26fc7658f18

Filesize
11KB

MD5
21180e1b2fbda20e5507bde173d847e3

SHA1
e95a539196c9f821c0af9fa1697d437cc68de0aa

SHA256
b523b54113d606452672ed37cbbf21a5b488de37b5787cc25c1ec6c774b1fac1

SHA512
c38bb29a7f7bbc673dce99a72c1cc44ca9bd70e4e4e51c867df7f9472966fe2e60eee84ccac8cf3a1f30f0f960f494ee0b33922ee8dc058d8e6c9366a042c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKowkYQI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOIIEoUk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgYQsoMI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkoUkUIk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\keUccosE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmsAQQoI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\koUMQUAI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGIMwIQo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuYIMUEQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcQIEUAA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zGwgIUMI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\UMwQMsQQ\zWAUMwgI.exe

Filesize
479KB

MD5
251a97df7a0f2b37ab93ed391f5043db

SHA1
377009abbcf86c1c606dd495dd3e1a0f0a0f7b07

SHA256
80d16c47a8e7a2e85ebce52e0e5476f96c84c0f80b919e85fb421202af5c64a4

SHA512
8c275a6b7b3498dd80d32cd84c4967fc844f995f2c8fcb29e864872bb7a8a4c3c03a104f3684e1bc3eb9bcd23d5dc51c51021ce2a5dc7666a5e6e77eae668943

Download Submit
C:\Users\Admin\UMwQMsQQ\zWAUMwgI.exe

Filesize
479KB

MD5
251a97df7a0f2b37ab93ed391f5043db

SHA1
377009abbcf86c1c606dd495dd3e1a0f0a0f7b07

SHA256
80d16c47a8e7a2e85ebce52e0e5476f96c84c0f80b919e85fb421202af5c64a4

SHA512
8c275a6b7b3498dd80d32cd84c4967fc844f995f2c8fcb29e864872bb7a8a4c3c03a104f3684e1bc3eb9bcd23d5dc51c51021ce2a5dc7666a5e6e77eae668943

Download Submit
memory/364-298-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/528-295-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/544-152-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/544-157-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/624-165-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/880-313-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/880-312-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1104-311-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1104-258-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1104-135-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1128-317-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1128-316-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1192-201-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1192-191-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1200-271-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1356-293-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1356-291-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1424-225-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1480-279-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1540-284-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1540-283-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1600-304-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1600-308-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1768-315-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1768-314-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1976-310-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1976-306-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2480-301-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2480-302-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2580-250-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2580-307-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2580-303-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2584-296-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2584-297-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-288-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2888-242-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2888-245-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2984-232-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3148-267-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3148-150-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3424-274-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3628-241-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3752-255-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3752-253-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3772-151-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4248-137-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4248-259-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4296-266-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4464-213-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4532-305-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4532-309-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4732-172-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4732-179-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4824-260-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4824-262-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4884-300-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4920-190-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4944-299-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download