c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
Size

447KB
MD5

27f0e4bd694a0b4aa4c7ac9b5f41e9c0
SHA1

9c0b59d7c94d2e1fddf0191480fb05cf8bedc43d
SHA256

c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
SHA512

f9a3d5829b8c62c827f2e9fc4292e33abea254f73f11e92c51eb4bc5709667bc965ba2bca0065d88380aca384aaab046708b043b8c37c8efc728c4b785fdf2ac
SSDEEP

12288:GrPsuYx8U4ie38JqfQFCoceIkUshx/I5qzheY7fy4t9UHHhrsY:Grkuq8n380HocivkY7fy4qsY

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 26 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 26 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1128	AOAsIggc.exe
4760	DmwwgIEY.exe
2248	CYQswkoU.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DmwwgIEY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DmwwgIEY.exe = "C:\\ProgramData\\FMQYssMI\\DmwwgIEY.exe"	DmwwgIEY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DmwwgIEY.exe = "C:\\ProgramData\\FMQYssMI\\DmwwgIEY.exe"	CYQswkoU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AOAsIggc.exe = "C:\\Users\\Admin\\ycEMUIoE\\AOAsIggc.exe"	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DmwwgIEY.exe = "C:\\ProgramData\\FMQYssMI\\DmwwgIEY.exe"	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AOAsIggc.exe = "C:\\Users\\Admin\\ycEMUIoE\\AOAsIggc.exe"	AOAsIggc.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ycEMUIoE\AOAsIggc	CYQswkoU.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	DmwwgIEY.exe
File opened for modification	C:\Windows\SysWOW64\sheCloseUnregister.docm	DmwwgIEY.exe
File opened for modification	C:\Windows\SysWOW64\sheCopyLimit.docx	DmwwgIEY.exe
File opened for modification	C:\Windows\SysWOW64\sheOptimizeApprove.exe	DmwwgIEY.exe
File opened for modification	C:\Windows\SysWOW64\sheUninstallClose.bmp	DmwwgIEY.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ycEMUIoE	CYQswkoU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2216	reg.exe
456	reg.exe
5064	reg.exe
1500	reg.exe
5048	reg.exe
4524	reg.exe
2032	reg.exe
4312	reg.exe
4524	reg.exe
3360	reg.exe
724	reg.exe
4788	reg.exe
3104	reg.exe
4008	reg.exe
4996	reg.exe
1896	reg.exe
2732	reg.exe
2664	reg.exe
3476	reg.exe
3524	reg.exe
3672	reg.exe
2492	reg.exe
3180	reg.exe
840	reg.exe
3392	reg.exe
4340	reg.exe
4876	reg.exe
1140	reg.exe
4976	reg.exe
4952	reg.exe
5060	reg.exe
4936	reg.exe
4596	reg.exe
2936	reg.exe
3892	reg.exe
2608	reg.exe
3924	reg.exe
2228	reg.exe
1036	reg.exe
4356	reg.exe
4712	reg.exe
3512	reg.exe
940	reg.exe
4080	reg.exe
1992	reg.exe
3524	reg.exe
4876	reg.exe
4616	reg.exe
3192	reg.exe
1496	reg.exe
1992	reg.exe
4340	reg.exe
4428	reg.exe
3432	reg.exe
2176	reg.exe
2060	reg.exe
1152	reg.exe
216	reg.exe
4416	reg.exe
1756	reg.exe
1616	reg.exe
3480	reg.exe
1892	reg.exe
2712	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2664	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2664	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2664	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2664	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
444	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
444	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
444	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
444	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2492	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2492	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2492	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2492	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3728	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3728	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3728	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3728	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
4560	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
4560	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
4560	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
4560	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3988	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3988	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3988	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3988	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2076	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2076	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2076	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
2076	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
4920	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
4920	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
4920	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
4920	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3092	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3092	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3092	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3092	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
1604	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
1604	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
1604	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
1604	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3564	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3564	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3564	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
3564	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
4952	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
4952	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
4952	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
4952	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
892	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
892	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
892	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
892	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4760	DmwwgIEY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe
4760	DmwwgIEY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1128	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	80
PID 1032 wrote to memory of 1128	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	80
PID 1032 wrote to memory of 1128	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	80
PID 1032 wrote to memory of 4760	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	81
PID 1032 wrote to memory of 4760	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	81
PID 1032 wrote to memory of 4760	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	81
PID 1032 wrote to memory of 1624	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	83
PID 1032 wrote to memory of 1624	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	83
PID 1032 wrote to memory of 1624	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	83
PID 1032 wrote to memory of 2732	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	85
PID 1032 wrote to memory of 2732	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	85
PID 1032 wrote to memory of 2732	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	85
PID 1624 wrote to memory of 2340	1624	cmd.exe	86
PID 1624 wrote to memory of 2340	1624	cmd.exe	86
PID 1624 wrote to memory of 2340	1624	cmd.exe	86
PID 1032 wrote to memory of 4876	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	87
PID 1032 wrote to memory of 4876	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	87
PID 1032 wrote to memory of 4876	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	87
PID 1032 wrote to memory of 4900	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	88
PID 1032 wrote to memory of 4900	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	88
PID 1032 wrote to memory of 4900	1032	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	88
PID 2340 wrote to memory of 1140	2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	92
PID 2340 wrote to memory of 1140	2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	92
PID 2340 wrote to memory of 1140	2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	92
PID 1140 wrote to memory of 3156	1140	cmd.exe	94
PID 1140 wrote to memory of 3156	1140	cmd.exe	94
PID 1140 wrote to memory of 3156	1140	cmd.exe	94
PID 2340 wrote to memory of 5048	2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	95
PID 2340 wrote to memory of 5048	2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	95
PID 2340 wrote to memory of 5048	2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	95
PID 2340 wrote to memory of 3360	2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	97
PID 2340 wrote to memory of 3360	2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	97
PID 2340 wrote to memory of 3360	2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	97
PID 2340 wrote to memory of 2060	2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	99
PID 2340 wrote to memory of 2060	2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	99
PID 2340 wrote to memory of 2060	2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	99
PID 2340 wrote to memory of 556	2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	101
PID 2340 wrote to memory of 556	2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	101
PID 2340 wrote to memory of 556	2340	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	101
PID 3156 wrote to memory of 4196	3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	103
PID 3156 wrote to memory of 4196	3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	103
PID 3156 wrote to memory of 4196	3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	103
PID 4196 wrote to memory of 2664	4196	cmd.exe	105
PID 4196 wrote to memory of 2664	4196	cmd.exe	105
PID 4196 wrote to memory of 2664	4196	cmd.exe	105
PID 3156 wrote to memory of 724	3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	106
PID 3156 wrote to memory of 724	3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	106
PID 3156 wrote to memory of 724	3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	106
PID 3156 wrote to memory of 4340	3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	107
PID 3156 wrote to memory of 4340	3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	107
PID 3156 wrote to memory of 4340	3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	107
PID 556 wrote to memory of 4540	556	cmd.exe	111
PID 556 wrote to memory of 4540	556	cmd.exe	111
PID 556 wrote to memory of 4540	556	cmd.exe	111
PID 3156 wrote to memory of 3888	3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	109
PID 3156 wrote to memory of 3888	3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	109
PID 3156 wrote to memory of 3888	3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	109
PID 3156 wrote to memory of 3488	3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	112
PID 3156 wrote to memory of 3488	3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	112
PID 3156 wrote to memory of 3488	3156	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	112
PID 2664 wrote to memory of 5028	2664	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	115
PID 2664 wrote to memory of 5028	2664	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	115
PID 2664 wrote to memory of 5028	2664	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	115
PID 2664 wrote to memory of 4596	2664	c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe	117

C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
"C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\ycEMUIoE\AOAsIggc.exe
  "C:\Users\Admin\ycEMUIoE\AOAsIggc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1128
- C:\ProgramData\FMQYssMI\DmwwgIEY.exe
  "C:\ProgramData\FMQYssMI\DmwwgIEY.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
    C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3156
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        8⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        10⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        12⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        14⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        16⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        18⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        20⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        22⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        24⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        26⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        28⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        30⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        32⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        33⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        34⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        35⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        36⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        37⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        38⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        39⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        40⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        41⤵
        
        PID:100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        42⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        43⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        44⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        45⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        46⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
        
        C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
        47⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmgEUosA.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        48⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puMIsAYg.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        46⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuwUAEEA.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        44⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwoEcgEs.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        42⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMQgIcMc.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        40⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSYcgYcA.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        38⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoAUwwIE.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        36⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkUwsoMs.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        34⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEoAIwgM.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        32⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCEQYQYg.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        30⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIMocEEY.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        28⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIAkYckk.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        26⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMsAsMYU.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        24⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIgwYsIg.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        22⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwsgQIAA.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        20⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HewQEgEA.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        18⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUoYcwkw.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        16⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgoMMsEI.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        14⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqIQscUU.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        12⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqIssgcA.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        10⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEYoAcgk.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        8⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1504
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:724
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:4340
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOIEUksA.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        6⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3932
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:5048
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3360
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWAMoYsQ.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4876
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xiccokgo.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
  2⤵
  PID:4364
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1952

C:\ProgramData\wOUQEQcc\CYQswkoU.exe
C:\ProgramData\wOUQEQcc\CYQswkoU.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
1⤵
PID:384
- C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
  C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
  2⤵
  PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
    3⤵
    PID:3844
  - - C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe
      C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112
      4⤵
      PID:3264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112"
        5⤵
        
        PID:4028
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASYEIsAE.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
        5⤵
        
        PID:5052
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:4044
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:2176
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkEscQUc.bat" "C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112.exe""
    3⤵
    PID:2060
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4908
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:3924
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3524
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:3432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FMQYssMI\DmwwgIEY.exe

Filesize
434KB

MD5
272f9056205f67758ee5343048b18512

SHA1
9580eef479b64fec8fc2daad49652abe51f122dc

SHA256
baf0b92cc37c3ff2d2ef1c07aec21796d69afd65f03d38e7aea842b3560fa968

SHA512
44a65447a890bb4af219e906106c6a0dff1f04c6649dcca058f756b8b28a67bce6e30393e9c1bc2db760eaf8f9351148cbd0a64f736b225ba302611f0c556d6a

Download Submit
C:\ProgramData\FMQYssMI\DmwwgIEY.exe

Filesize
434KB

MD5
272f9056205f67758ee5343048b18512

SHA1
9580eef479b64fec8fc2daad49652abe51f122dc

SHA256
baf0b92cc37c3ff2d2ef1c07aec21796d69afd65f03d38e7aea842b3560fa968

SHA512
44a65447a890bb4af219e906106c6a0dff1f04c6649dcca058f756b8b28a67bce6e30393e9c1bc2db760eaf8f9351148cbd0a64f736b225ba302611f0c556d6a

Download Submit
C:\ProgramData\wOUQEQcc\CYQswkoU.exe

Filesize
433KB

MD5
4694043dccb07c1e0f6c12c9f8e7a95c

SHA1
73ab5c4a53bc8d4b89a1a6e069a6d81711d0c801

SHA256
57a41096ec5443b0b9e1c7883afab47542ec888aa752b235ac8bf9aa2885f83a

SHA512
885bdc79cf430a1741692f7662eade625f64995fabb904a5e0425c8880a860ed23e5ba6a1a74c9dfeec70a3c407bdce93f26bf36f39d7eaa45191ba9d71acf68

Download Submit
C:\ProgramData\wOUQEQcc\CYQswkoU.exe

Filesize
433KB

MD5
4694043dccb07c1e0f6c12c9f8e7a95c

SHA1
73ab5c4a53bc8d4b89a1a6e069a6d81711d0c801

SHA256
57a41096ec5443b0b9e1c7883afab47542ec888aa752b235ac8bf9aa2885f83a

SHA512
885bdc79cf430a1741692f7662eade625f64995fabb904a5e0425c8880a860ed23e5ba6a1a74c9dfeec70a3c407bdce93f26bf36f39d7eaa45191ba9d71acf68

Download Submit
C:\Users\Admin\AppData\Local\Temp\BqIssgcA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgoMMsEI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOIEUksA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HewQEgEA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoAUwwIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSYcgYcA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqIQscUU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c786e2f5e11dcbc288ad8010e094c719cc17340c7e20e292f961640ab3b5e112

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwsgQIAA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEYoAcgk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWAMoYsQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkUwsoMs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEoAIwgM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pIMocEEY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMsAsMYU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rCEQYQYg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMQgIcMc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIgwYsIg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUoYcwkw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIAkYckk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\ycEMUIoE\AOAsIggc.exe

Filesize
430KB

MD5
896829955d4eaf0d84fef80e8d00e2a8

SHA1
cfb7557552577fa2820b8ffe78283d90c3e27f22

SHA256
c6fe2d920628774e7d3a90f793b4f78294e9c81e73c24133f6497e6508887493

SHA512
3114c30c9b0d3ff4f266c134d58b679388ccc45001fa6d862741aa6592936663b1dd332ff5860793da5f5db57b08f9e65bdb5062724483f1dfc6a163546dba4d

Download Submit
C:\Users\Admin\ycEMUIoE\AOAsIggc.exe

Filesize
430KB

MD5
896829955d4eaf0d84fef80e8d00e2a8

SHA1
cfb7557552577fa2820b8ffe78283d90c3e27f22

SHA256
c6fe2d920628774e7d3a90f793b4f78294e9c81e73c24133f6497e6508887493

SHA512
3114c30c9b0d3ff4f266c134d58b679388ccc45001fa6d862741aa6592936663b1dd332ff5860793da5f5db57b08f9e65bdb5062724483f1dfc6a163546dba4d

Download Submit
memory/60-299-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/100-291-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/208-216-0x0000000000000000-mapping.dmp

Download
memory/444-178-0x0000000000000000-mapping.dmp

Download
memory/444-190-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/556-155-0x0000000000000000-mapping.dmp

Download
memory/616-243-0x0000000000000000-mapping.dmp

Download
memory/724-161-0x0000000000000000-mapping.dmp

Download
memory/744-298-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/744-296-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/892-269-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/972-200-0x0000000000000000-mapping.dmp

Download
memory/1032-292-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1032-297-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1032-132-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1036-223-0x0000000000000000-mapping.dmp

Download
memory/1128-144-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1128-295-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1128-133-0x0000000000000000-mapping.dmp

Download
memory/1140-150-0x0000000000000000-mapping.dmp

Download
memory/1504-181-0x0000000000000000-mapping.dmp

Download
memory/1604-257-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1616-219-0x0000000000000000-mapping.dmp

Download
memory/1624-141-0x0000000000000000-mapping.dmp

Download
memory/1816-277-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1816-278-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1892-188-0x0000000000000000-mapping.dmp

Download
memory/1992-172-0x0000000000000000-mapping.dmp

Download
memory/2060-154-0x0000000000000000-mapping.dmp

Download
memory/2076-244-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2076-237-0x0000000000000000-mapping.dmp

Download
memory/2248-147-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2340-143-0x0000000000000000-mapping.dmp

Download
memory/2340-156-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2436-236-0x0000000000000000-mapping.dmp

Download
memory/2492-185-0x0000000000000000-mapping.dmp

Download
memory/2492-198-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2492-201-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2528-229-0x0000000000000000-mapping.dmp

Download
memory/2664-175-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2664-160-0x0000000000000000-mapping.dmp

Download
memory/2664-169-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2732-142-0x0000000000000000-mapping.dmp

Download
memory/2876-215-0x0000000000000000-mapping.dmp

Download
memory/2968-274-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3092-253-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3156-166-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3156-151-0x0000000000000000-mapping.dmp

Download
memory/3160-300-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3264-301-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3264-302-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3360-212-0x0000000000000000-mapping.dmp

Download
memory/3360-153-0x0000000000000000-mapping.dmp

Download
memory/3476-199-0x0000000000000000-mapping.dmp

Download
memory/3488-165-0x0000000000000000-mapping.dmp

Download
memory/3508-195-0x0000000000000000-mapping.dmp

Download
memory/3524-222-0x0000000000000000-mapping.dmp

Download
memory/3564-261-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3564-258-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3592-221-0x0000000000000000-mapping.dmp

Download
memory/3672-231-0x0000000000000000-mapping.dmp

Download
memory/3712-184-0x0000000000000000-mapping.dmp

Download
memory/3728-196-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3728-194-0x0000000000000000-mapping.dmp

Download
memory/3728-208-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3868-192-0x0000000000000000-mapping.dmp

Download
memory/3888-164-0x0000000000000000-mapping.dmp

Download
memory/3912-203-0x0000000000000000-mapping.dmp

Download
memory/3932-177-0x0000000000000000-mapping.dmp

Download
memory/3980-174-0x0000000000000000-mapping.dmp

Download
memory/3988-225-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3988-220-0x0000000000000000-mapping.dmp

Download
memory/3988-234-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4196-158-0x0000000000000000-mapping.dmp

Download
memory/4224-283-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4292-233-0x0000000000000000-mapping.dmp

Download
memory/4340-162-0x0000000000000000-mapping.dmp

Download
memory/4356-187-0x0000000000000000-mapping.dmp

Download
memory/4416-205-0x0000000000000000-mapping.dmp

Download
memory/4524-171-0x0000000000000000-mapping.dmp

Download
memory/4524-232-0x0000000000000000-mapping.dmp

Download
memory/4540-163-0x0000000000000000-mapping.dmp

Download
memory/4548-294-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4560-224-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4560-227-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4560-211-0x0000000000000000-mapping.dmp

Download
memory/4596-170-0x0000000000000000-mapping.dmp

Download
memory/4712-197-0x0000000000000000-mapping.dmp

Download
memory/4760-136-0x0000000000000000-mapping.dmp

Download
memory/4760-293-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4760-145-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4776-240-0x0000000000000000-mapping.dmp

Download
memory/4788-186-0x0000000000000000-mapping.dmp

Download
memory/4836-287-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4856-189-0x0000000000000000-mapping.dmp

Download
memory/4876-146-0x0000000000000000-mapping.dmp

Download
memory/4900-148-0x0000000000000000-mapping.dmp

Download
memory/4904-207-0x0000000000000000-mapping.dmp

Download
memory/4920-246-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4920-247-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4952-230-0x0000000000000000-mapping.dmp

Download
memory/4952-266-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4976-204-0x0000000000000000-mapping.dmp

Download
memory/4984-226-0x0000000000000000-mapping.dmp

Download
memory/5028-168-0x0000000000000000-mapping.dmp

Download
memory/5048-152-0x0000000000000000-mapping.dmp

Download
memory/5064-206-0x0000000000000000-mapping.dmp

Download