4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee

Analysis

max time kernel
190s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
Size

993KB
MD5

a2fd9c789420760430f75d4d3c66de70
SHA1

44f2f2d696f1fed8262f562e6795ddd74c765cf4
SHA256

4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee
SHA512

8af3479a58467a8fdc8c6723a23f8a6f52dc5f88c35666598e35cb026137d706cb5e63dfe4e80c680b8a542fc846a54e25fb9df4e5ee6c43dc08dae3f84c8007
SSDEEP

24576:jQ12MsPYeuZ/JpUW1Sr8fDXcgKnbM9aZjr5+:i5VZ/JpUWYry72lr5+

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\rkskQAYc\\QawIUQkg.exe,"	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\rkskQAYc\\QawIUQkg.exe,"	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe

Modifies visibility of file extensions in Explorer 2 TTPs 14 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 14 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1216	MqYIggAs.exe
1456	QawIUQkg.exe
1652	KaEIkMwo.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqYIggAs.exe = "C:\\Users\\Admin\\LsggsEss\\MqYIggAs.exe"	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QawIUQkg.exe = "C:\\ProgramData\\rkskQAYc\\QawIUQkg.exe"	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqYIggAs.exe = "C:\\Users\\Admin\\LsggsEss\\MqYIggAs.exe"	MqYIggAs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QawIUQkg.exe = "C:\\ProgramData\\rkskQAYc\\QawIUQkg.exe"	KaEIkMwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QawIUQkg.exe = "C:\\ProgramData\\rkskQAYc\\QawIUQkg.exe"	QawIUQkg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\LsggsEss\MqYIggAs	KaEIkMwo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\LsggsEss	KaEIkMwo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 42 IoCs

Modify Registry

T1112

pid	Process
4572	reg.exe
4776	reg.exe
3508	reg.exe
1312	reg.exe
224	reg.exe
4668	reg.exe
396	reg.exe
3908	reg.exe
4524	reg.exe
3852	reg.exe
1852	reg.exe
1904	reg.exe
316	reg.exe
2800	reg.exe
1944	reg.exe
2272	reg.exe
3752	reg.exe
260	reg.exe
4788	reg.exe
3756	reg.exe
1488	reg.exe
4240	reg.exe
5104	reg.exe
2428	reg.exe
1136	reg.exe
2416	reg.exe
3556	reg.exe
3528	reg.exe
2560	reg.exe
4760	reg.exe
2472	reg.exe
1908	reg.exe
3764	reg.exe
4444	reg.exe
4236	reg.exe
1320	reg.exe
3884	reg.exe
4464	reg.exe
4876	reg.exe
1272	reg.exe
3464	reg.exe
2860	reg.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4224	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4224	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4224	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4224	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
5008	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
5008	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
5008	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
5008	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3272	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3272	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3272	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3272	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
2552	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
2552	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
2552	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
2552	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
1772	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
1772	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
1772	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
1772	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
2608	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
2608	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
2608	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
2608	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4408	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4408	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4408	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4408	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4208	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4208	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4208	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
4208	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3976	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3976	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3976	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3976	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
2656	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
2656	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
2656	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
2656	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3464	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3464	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3464	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
3464	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 1216	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	81
PID 4936 wrote to memory of 1216	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	81
PID 4936 wrote to memory of 1216	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	81
PID 4936 wrote to memory of 1456	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	82
PID 4936 wrote to memory of 1456	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	82
PID 4936 wrote to memory of 1456	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	82
PID 4936 wrote to memory of 1000	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	84
PID 4936 wrote to memory of 1000	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	84
PID 4936 wrote to memory of 1000	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	84
PID 4936 wrote to memory of 1312	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	86
PID 4936 wrote to memory of 1312	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	86
PID 4936 wrote to memory of 1312	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	86
PID 4936 wrote to memory of 316	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	87
PID 4936 wrote to memory of 316	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	87
PID 4936 wrote to memory of 316	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	87
PID 4936 wrote to memory of 224	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	88
PID 4936 wrote to memory of 224	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	88
PID 4936 wrote to memory of 224	4936	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	88
PID 1000 wrote to memory of 4456	1000	cmd.exe	92
PID 1000 wrote to memory of 4456	1000	cmd.exe	92
PID 1000 wrote to memory of 4456	1000	cmd.exe	92
PID 4456 wrote to memory of 4028	4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	93
PID 4456 wrote to memory of 4028	4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	93
PID 4456 wrote to memory of 4028	4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	93
PID 4028 wrote to memory of 3280	4028	cmd.exe	95
PID 4028 wrote to memory of 3280	4028	cmd.exe	95
PID 4028 wrote to memory of 3280	4028	cmd.exe	95
PID 4456 wrote to memory of 3764	4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	96
PID 4456 wrote to memory of 3764	4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	96
PID 4456 wrote to memory of 3764	4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	96
PID 4456 wrote to memory of 4524	4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	97
PID 4456 wrote to memory of 4524	4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	97
PID 4456 wrote to memory of 4524	4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	97
PID 4456 wrote to memory of 3464	4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	103
PID 4456 wrote to memory of 3464	4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	103
PID 4456 wrote to memory of 3464	4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	103
PID 4456 wrote to memory of 3680	4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	99
PID 4456 wrote to memory of 3680	4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	99
PID 4456 wrote to memory of 3680	4456	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	99
PID 3280 wrote to memory of 1800	3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	104
PID 3280 wrote to memory of 1800	3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	104
PID 3280 wrote to memory of 1800	3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	104
PID 3280 wrote to memory of 2800	3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	106
PID 3280 wrote to memory of 2800	3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	106
PID 3280 wrote to memory of 2800	3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	106
PID 3280 wrote to memory of 4444	3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	108
PID 3280 wrote to memory of 4444	3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	108
PID 3280 wrote to memory of 4444	3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	108
PID 3280 wrote to memory of 4788	3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	110
PID 3280 wrote to memory of 4788	3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	110
PID 3280 wrote to memory of 4788	3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	110
PID 3280 wrote to memory of 1760	3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	112
PID 3280 wrote to memory of 1760	3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	112
PID 3280 wrote to memory of 1760	3280	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	112
PID 1800 wrote to memory of 4224	1800	cmd.exe	114
PID 1800 wrote to memory of 4224	1800	cmd.exe	114
PID 1800 wrote to memory of 4224	1800	cmd.exe	114
PID 4224 wrote to memory of 820	4224	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	117
PID 4224 wrote to memory of 820	4224	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	117
PID 4224 wrote to memory of 820	4224	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	117
PID 4224 wrote to memory of 1136	4224	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	119
PID 4224 wrote to memory of 1136	4224	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	119
PID 4224 wrote to memory of 1136	4224	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	119
PID 4224 wrote to memory of 4236	4224	4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe	121

C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
"C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\LsggsEss\MqYIggAs.exe
  "C:\Users\Admin\LsggsEss\MqYIggAs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1216
- C:\ProgramData\rkskQAYc\QawIUQkg.exe
  "C:\ProgramData\rkskQAYc\QawIUQkg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
    C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4028
    - - C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee"
        8⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee"
        10⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee"
        12⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee"
        14⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee"
        16⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee"
        18⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee"
        20⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee"
        22⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee"
        24⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee"
        26⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
        
        C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee"
        28⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwUAQQYs.bat" "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe""
        28⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kucwIMQY.bat" "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe""
        26⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaoYEcsg.bat" "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe""
        24⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEoIEgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe""
        22⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYwoIEAk.bat" "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe""
        20⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSkoMMcM.bat" "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe""
        18⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYUwkYYE.bat" "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe""
        16⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmIkAsIM.bat" "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe""
        14⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIsQggAU.bat" "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe""
        12⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hScQwUcg.bat" "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe""
        10⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XegoAkII.bat" "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe""
        8⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3972
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2800
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:4444
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:4788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKwssIEY.bat" "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe""
        6⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3216
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:3764
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIsAsMoQ.bat" "C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe""
      4⤵
      PID:3680
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3968
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:3464
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1312
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:316
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:224

C:\ProgramData\CmkEcYkw\KaEIkMwo.exe
C:\ProgramData\CmkEcYkw\KaEIkMwo.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1652

C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee.exe
C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee
1⤵
PID:1280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CmkEcYkw\KaEIkMwo.exe

Filesize
983KB

MD5
6afee378a4031aa67123a8d81c8000e5

SHA1
e1c9237636b9bf65116e1e0e7e5eec80d2f1ff6c

SHA256
497c4ecc17bff39ef724f1865ff729ce5baaf729e3818586299c3e45043f2dc0

SHA512
63e7023ccc2498ebe898c0044e25f50c38d8bc8516269dc47070e8f3909dc857d75a5542fb94a09f23e06234166e8248512dfc8148ff8c4389367a7eb5f9c192

Download Submit
C:\ProgramData\CmkEcYkw\KaEIkMwo.exe

Filesize
983KB

MD5
6afee378a4031aa67123a8d81c8000e5

SHA1
e1c9237636b9bf65116e1e0e7e5eec80d2f1ff6c

SHA256
497c4ecc17bff39ef724f1865ff729ce5baaf729e3818586299c3e45043f2dc0

SHA512
63e7023ccc2498ebe898c0044e25f50c38d8bc8516269dc47070e8f3909dc857d75a5542fb94a09f23e06234166e8248512dfc8148ff8c4389367a7eb5f9c192

Download Submit
C:\ProgramData\rkskQAYc\QawIUQkg.exe

Filesize
983KB

MD5
99a7977ffd1ae66d522f539738edb202

SHA1
f835b8e71498a917bef4498892ce90f333a94bbf

SHA256
55055a8ca78bbf6588c7c3ee083bae342234db7d5a6062f487e7d82245848554

SHA512
c8d47132af458ee25bc77fbce034d3b49860697e9569d44c7237d1e9589ad03787e73163dc56b69b232e4748761a957e5d4ae273587486390495f206c7aafee2

Download Submit
C:\ProgramData\rkskQAYc\QawIUQkg.exe

Filesize
983KB

MD5
99a7977ffd1ae66d522f539738edb202

SHA1
f835b8e71498a917bef4498892ce90f333a94bbf

SHA256
55055a8ca78bbf6588c7c3ee083bae342234db7d5a6062f487e7d82245848554

SHA512
c8d47132af458ee25bc77fbce034d3b49860697e9569d44c7237d1e9589ad03787e73163dc56b69b232e4748761a957e5d4ae273587486390495f206c7aafee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e021e5566025c252187c30fff1724a1dd62a80347d04ffe6fbfaa826d727dee

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIsQggAU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEoIEgcQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FaoYEcsg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OSkoMMcM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PmIkAsIM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XegoAkII.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYwoIEAk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aKwssIEY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwUAQQYs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hScQwUcg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kucwIMQY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIsAsMoQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYUwkYYE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\LsggsEss\MqYIggAs.exe

Filesize
983KB

MD5
8e2d0cfa01b67a6b170fe3adaf321cbd

SHA1
27f63077b213cc6e914ff7025bec8d5ef5d1e95e

SHA256
0be491f2b6e8faf644da596b9df9a12e9af70fbc65b31a3630a5f74ea295029b

SHA512
33cb06302ce751ace5fd820c02d6b0fe486b92317cd3ce1cc307589dca52f86a3e43f7642d9c2630e5430480ae62f481c6cb2ac9d81a85535bc1da7e5ba4ffff

Download Submit
C:\Users\Admin\LsggsEss\MqYIggAs.exe

Filesize
983KB

MD5
8e2d0cfa01b67a6b170fe3adaf321cbd

SHA1
27f63077b213cc6e914ff7025bec8d5ef5d1e95e

SHA256
0be491f2b6e8faf644da596b9df9a12e9af70fbc65b31a3630a5f74ea295029b

SHA512
33cb06302ce751ace5fd820c02d6b0fe486b92317cd3ce1cc307589dca52f86a3e43f7642d9c2630e5430480ae62f481c6cb2ac9d81a85535bc1da7e5ba4ffff

Download Submit
memory/1216-142-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1216-147-0x00000000049D0000-0x00000000049D5000-memory.dmp

Filesize
20KB

Download
memory/1216-148-0x00000000049E0000-0x0000000004A06000-memory.dmp

Filesize
152KB

Download
memory/1216-168-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1280-279-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1280-282-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1456-169-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1456-149-0x00000000049E0000-0x0000000004A06000-memory.dmp

Filesize
152KB

Download
memory/1456-143-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1652-174-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1652-146-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1652-151-0x00000000036A0000-0x00000000036C6000-memory.dmp

Filesize
152KB

Download
memory/1652-150-0x0000000003690000-0x0000000003695000-memory.dmp

Filesize
20KB

Download
memory/1772-231-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1772-239-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2552-219-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2552-226-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2608-252-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2608-242-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2656-271-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2656-273-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3272-200-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3272-214-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3280-178-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3280-165-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3464-278-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3464-276-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3976-268-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3976-263-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4208-261-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4208-264-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4224-191-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4224-177-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4408-258-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4408-248-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4456-175-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4456-157-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4936-132-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4936-135-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4936-134-0x0000000004B20000-0x0000000004B46000-memory.dmp

Filesize
152KB

Download
memory/4936-133-0x0000000004B10000-0x0000000004B15000-memory.dmp

Filesize
20KB

Download
memory/5008-186-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/5008-190-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/5008-199-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download