imminent | 93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa

Analysis

max time kernel
151s
max time network
70s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
Size

3.4MB
MD5

cd1a116cef3032943798c17f6ebf2f74
SHA1

bfea3bcb3d518d827301c311925b35b60ec4b352
SHA256

93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa
SHA512

7c0baa6b99a13e50da48eebb7cf8db03cfb4327cabba3612ce344618deefba0eb0af0720e0606520d37b93eadc236d13765749b6698e5067417b050904395248
SSDEEP

98304:FVgqGGSuHqxoBHFZvPyp0HQsCht6oxp0vEMgM:WGJIoBHFRLHQsCG

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\System.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\System.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\System.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\System.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\System.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\System.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\System.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\System.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\System.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\System.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\System.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\System.exe"	reg.exe

Executes dropped EXE 45 IoCs

pid	Process
964	tmp.exe
972	tmp.exe
1068	.exe
1636	tmp.exe
1480	.exe
1212	tmp.exe
1608	.exe
608	tmp.exe
1996	.exe
2008	tmp.exe
1924	.exe
1544	tmp.exe
1084	.exe
972	tmp.exe
908	.exe
1232	tmp.exe
1688	.exe
1408	tmp.exe
1508	.exe
1832	tmp.exe
1688	tmp.exe
956	tmp.exe
1924	.exe
1324	tmp.exe
796	tmp.exe
924	tmp.exe
1628	tmp.exe
1012	.exe
584	tmp.exe
1708	.exe
1360	tmp.exe
336	tmp.exe
1084	.exe
1588	tmp.exe
1532	.exe
544	tmp.exe
1324	.exe
1416	tmp.exe
2200	tmp.exe
2208	.exe
2364	tmp.exe
2440	tmp.exe
2448	.exe
2700	tmp.exe
2716	.exe

Deletes itself 1 IoCs

pid	Process
1828	cmd.exe

Loads dropped DLL 30 IoCs

pid	Process
1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
964	tmp.exe
972	tmp.exe
1636	tmp.exe
1212	tmp.exe
608	tmp.exe
2008	tmp.exe
1544	tmp.exe
972	tmp.exe
1232	tmp.exe
1408	tmp.exe
1832	tmp.exe
1688	tmp.exe
956	tmp.exe
1324	tmp.exe
796	tmp.exe
924	tmp.exe
1628	tmp.exe
584	tmp.exe
1360	tmp.exe
336	tmp.exe
1588	tmp.exe
544	tmp.exe
1416	tmp.exe
2200	tmp.exe
2364	tmp.exe
2440	tmp.exe
2700	tmp.exe

Suspicious use of SetThreadContext 18 IoCs

description	pid	Process	procid_target
PID 964 set thread context of 1068	964	tmp.exe	42
PID 972 set thread context of 1480	972	tmp.exe	48
PID 1636 set thread context of 1608	1636	tmp.exe	61
PID 1212 set thread context of 1996	1212	tmp.exe	68
PID 608 set thread context of 1924	608	tmp.exe	76
PID 2008 set thread context of 1084	2008	tmp.exe	87
PID 1544 set thread context of 908	1544	tmp.exe	94
PID 972 set thread context of 1688	972	tmp.exe	103
PID 1232 set thread context of 1508	1232	tmp.exe	107
PID 1688 set thread context of 1924	1688	tmp.exe	132
PID 924 set thread context of 1012	924	tmp.exe	166
PID 1628 set thread context of 1708	1628	tmp.exe	171
PID 1360 set thread context of 1084	1360	tmp.exe	190
PID 336 set thread context of 1532	336	tmp.exe	197
PID 1588 set thread context of 1324	1588	tmp.exe	203
PID 1416 set thread context of 2208	1416	tmp.exe	222
PID 2364 set thread context of 2448	2364	tmp.exe	227
PID 2440 set thread context of 2716	2440	tmp.exe	237

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
364	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
964	tmp.exe
964	tmp.exe
964	tmp.exe
964	tmp.exe
964	tmp.exe
972	tmp.exe
972	tmp.exe
972	tmp.exe
972	tmp.exe
972	tmp.exe
1636	tmp.exe
1636	tmp.exe
1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
1636	tmp.exe
1636	tmp.exe
1636	tmp.exe
1212	tmp.exe
1212	tmp.exe
964	tmp.exe
1212	tmp.exe
1212	tmp.exe
1212	tmp.exe
608	tmp.exe
608	tmp.exe
972	tmp.exe
608	tmp.exe
608	tmp.exe
608	tmp.exe
2008	tmp.exe
2008	tmp.exe
1636	cmd.exe
2008	tmp.exe
2008	tmp.exe
2008	tmp.exe
1544	tmp.exe
1544	tmp.exe
1212	tmp.exe
1544	tmp.exe
1544	tmp.exe
1544	tmp.exe
972	tmp.exe
972	tmp.exe
608	tmp.exe
972	tmp.exe
972	tmp.exe
972	tmp.exe
1232	tmp.exe
1232	tmp.exe
2008	tmp.exe
1232	tmp.exe
1232	tmp.exe
1232	tmp.exe
972	tmp.exe
1544	tmp.exe
1408	tmp.exe
1408	tmp.exe
1232	tmp.exe
1408	tmp.exe
1408	tmp.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
Token: SeDebugPrivilege	964	tmp.exe
Token: SeDebugPrivilege	972	tmp.exe
Token: SeDebugPrivilege	1068	.exe
Token: SeDebugPrivilege	1636	tmp.exe
Token: SeDebugPrivilege	1212	tmp.exe
Token: SeDebugPrivilege	608	tmp.exe
Token: SeDebugPrivilege	2008	tmp.exe
Token: SeDebugPrivilege	1544	tmp.exe
Token: SeDebugPrivilege	972	tmp.exe
Token: SeDebugPrivilege	1232	tmp.exe
Token: SeDebugPrivilege	1408	tmp.exe
Token: SeDebugPrivilege	1832	tmp.exe
Token: SeDebugPrivilege	1688	tmp.exe
Token: SeDebugPrivilege	956	tmp.exe
Token: SeDebugPrivilege	1324	tmp.exe
Token: SeDebugPrivilege	796	tmp.exe
Token: SeDebugPrivilege	924	tmp.exe
Token: SeDebugPrivilege	1628	tmp.exe
Token: SeDebugPrivilege	584	tmp.exe
Token: SeDebugPrivilege	1360	tmp.exe
Token: SeDebugPrivilege	336	tmp.exe
Token: SeDebugPrivilege	1588	tmp.exe
Token: SeDebugPrivilege	544	tmp.exe
Token: SeDebugPrivilege	1416	tmp.exe
Token: SeDebugPrivilege	2200	tmp.exe
Token: SeDebugPrivilege	2364	tmp.exe
Token: SeDebugPrivilege	2440	tmp.exe
Token: SeDebugPrivilege	2700	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1068	.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1216	1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	28
PID 1808 wrote to memory of 1216	1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	28
PID 1808 wrote to memory of 1216	1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	28
PID 1808 wrote to memory of 1216	1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	28
PID 1216 wrote to memory of 1532	1216	cmd.exe	30
PID 1216 wrote to memory of 1532	1216	cmd.exe	30
PID 1216 wrote to memory of 1532	1216	cmd.exe	30
PID 1216 wrote to memory of 1532	1216	cmd.exe	30
PID 1808 wrote to memory of 964	1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	31
PID 1808 wrote to memory of 964	1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	31
PID 1808 wrote to memory of 964	1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	31
PID 1808 wrote to memory of 964	1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	31
PID 1808 wrote to memory of 1784	1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	32
PID 1808 wrote to memory of 1784	1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	32
PID 1808 wrote to memory of 1784	1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	32
PID 1808 wrote to memory of 1784	1808	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	32
PID 1532 wrote to memory of 684	1532	wscript.exe	33
PID 1532 wrote to memory of 684	1532	wscript.exe	33
PID 1532 wrote to memory of 684	1532	wscript.exe	33
PID 1532 wrote to memory of 684	1532	wscript.exe	33
PID 684 wrote to memory of 1584	684	cmd.exe	35
PID 684 wrote to memory of 1584	684	cmd.exe	35
PID 684 wrote to memory of 1584	684	cmd.exe	35
PID 684 wrote to memory of 1584	684	cmd.exe	35
PID 964 wrote to memory of 1688	964	tmp.exe	36
PID 964 wrote to memory of 1688	964	tmp.exe	36
PID 964 wrote to memory of 1688	964	tmp.exe	36
PID 964 wrote to memory of 1688	964	tmp.exe	36
PID 1688 wrote to memory of 616	1688	cmd.exe	38
PID 1688 wrote to memory of 616	1688	cmd.exe	38
PID 1688 wrote to memory of 616	1688	cmd.exe	38
PID 1688 wrote to memory of 616	1688	cmd.exe	38
PID 964 wrote to memory of 972	964	tmp.exe	39
PID 964 wrote to memory of 972	964	tmp.exe	39
PID 964 wrote to memory of 972	964	tmp.exe	39
PID 964 wrote to memory of 972	964	tmp.exe	39
PID 616 wrote to memory of 108	616	wscript.exe	40
PID 616 wrote to memory of 108	616	wscript.exe	40
PID 616 wrote to memory of 108	616	wscript.exe	40
PID 616 wrote to memory of 108	616	wscript.exe	40
PID 964 wrote to memory of 1068	964	tmp.exe	42
PID 964 wrote to memory of 1068	964	tmp.exe	42
PID 964 wrote to memory of 1068	964	tmp.exe	42
PID 964 wrote to memory of 1068	964	tmp.exe	42
PID 964 wrote to memory of 1068	964	tmp.exe	42
PID 108 wrote to memory of 1752	108	cmd.exe	43
PID 108 wrote to memory of 1752	108	cmd.exe	43
PID 108 wrote to memory of 1752	108	cmd.exe	43
PID 108 wrote to memory of 1752	108	cmd.exe	43
PID 964 wrote to memory of 1068	964	tmp.exe	42
PID 964 wrote to memory of 1068	964	tmp.exe	42
PID 964 wrote to memory of 1068	964	tmp.exe	42
PID 964 wrote to memory of 1068	964	tmp.exe	42
PID 972 wrote to memory of 1416	972	tmp.exe	44
PID 972 wrote to memory of 1416	972	tmp.exe	44
PID 972 wrote to memory of 1416	972	tmp.exe	44
PID 972 wrote to memory of 1416	972	tmp.exe	44
PID 1416 wrote to memory of 1604	1416	cmd.exe	46
PID 1416 wrote to memory of 1604	1416	cmd.exe	46
PID 1416 wrote to memory of 1604	1416	cmd.exe	46
PID 1416 wrote to memory of 1604	1416	cmd.exe	46
PID 972 wrote to memory of 1636	972	tmp.exe	47
PID 972 wrote to memory of 1636	972	tmp.exe	47
PID 972 wrote to memory of 1636	972	tmp.exe	47

C:\Users\Admin\AppData\Local\Temp\93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
"C:\Users\Admin\AppData\Local\Temp\93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:684
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        5⤵
        Modifies WinLogon for persistence
        
        PID:1584
- C:\Users\Admin\AppData\Roaming\tmp.exe
  "C:\Users\Admin\AppData\Roaming\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\SysWOW64\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:616
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:108
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        6⤵
        Modifies WinLogon for persistence
        
        PID:1752
- - C:\Users\Admin\AppData\Roaming\tmp.exe
    "C:\Users\Admin\AppData\Roaming\tmp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1416
    - - C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        5⤵
        
        PID:1604
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        6⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        7⤵
        Modifies WinLogon for persistence
        
        PID:1496
  - - C:\Users\Admin\AppData\Roaming\tmp.exe
      "C:\Users\Admin\AppData\Roaming\tmp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1636
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        5⤵
        
        PID:1624
      - C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        6⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        7⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        8⤵
        Modifies WinLogon for persistence
        
        PID:876
    - - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
      - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        7⤵
        
        PID:628
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        8⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        9⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        10⤵
        Modifies WinLogon for persistence
        
        PID:596
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        7⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        8⤵
        
        PID:564
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        9⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        9⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        10⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        11⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        11⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        12⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        13⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        13⤵
        
        PID:924
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        14⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        15⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        16⤵
        Modifies WinLogon for persistence
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        13⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        14⤵
        
        PID:268
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        15⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        16⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        17⤵
        Modifies WinLogon for persistence
        
        PID:544
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        14⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        15⤵
        
        PID:976
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        16⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        15⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        16⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        17⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        16⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        17⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        18⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        18⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        19⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        19⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        20⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        21⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        22⤵
        Modifies WinLogon for persistence
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        19⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        20⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        21⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        20⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        21⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        22⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        22⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        23⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        23⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        24⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        25⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        26⤵
        Modifies WinLogon for persistence
        
        PID:924
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        25⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        24⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        25⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        26⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        27⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        28⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        29⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        30⤵
        Modifies WinLogon for persistence
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        27⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        28⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        29⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        30⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        31⤵
        Modifies WinLogon for persistence
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        29⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        30⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        31⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        32⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        29⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        29⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        30⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        30⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        31⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        32⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        33⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        34⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        31⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        31⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        32⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        33⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        32⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        32⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        33⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        34⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        35⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        36⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        36⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        33⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        33⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        34⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        35⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        34⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        34⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        35⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        35⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        36⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        37⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        36⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        36⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        37⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        37⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        38⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        39⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        40⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        38⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        38⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        39⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        39⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        40⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        40⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        41⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        42⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        43⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        41⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        41⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        42⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        42⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        43⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        44⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        43⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        43⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        44⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        44⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        45⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        45⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        46⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        46⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        47⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        46⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        45⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        44⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        44⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        43⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        42⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        42⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        41⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        40⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        40⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        39⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        39⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        38⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        37⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        38⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        37⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        36⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        35⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        36⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        35⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        34⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        33⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        32⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        31⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        30⤵
        
        PID:560
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        31⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        32⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        30⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        29⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        28⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        28⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        27⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        26⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        25⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        24⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        23⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        23⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        22⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        22⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        21⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        21⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        20⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        19⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        18⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        18⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        17⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        17⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        16⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        15⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        15⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        16⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        17⤵
        Modifies WinLogon for persistence
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        14⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        13⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        12⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        12⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        11⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        12⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        11⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        10⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        10⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        9⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        9⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        8⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        8⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        7⤵
        
        PID:1536
      - C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        6⤵
        Executes dropped EXE
        
        PID:1996
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        6⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        7⤵
        
        PID:1976
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        6⤵
        
        PID:824
    - - C:\Users\Admin\AppData\Roaming\.exe
        
        C:\Users\Admin\AppData\Roaming\.exe
        5⤵
        Executes dropped EXE
        
        PID:1608
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
        5⤵
        
        PID:788
  - - C:\Users\Admin\AppData\Roaming\.exe
      C:\Users\Admin\AppData\Roaming\.exe
      4⤵
      Executes dropped EXE
      PID:1480
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
      4⤵
      PID:1232
- - C:\Users\Admin\AppData\Roaming\.exe
    C:\Users\Admin\AppData\Roaming\.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
    3⤵
    PID:628
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  PID:1784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\svhost.bat" "
  2⤵
  PID:960
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
  2⤵
  - Deletes itself
  PID:1828

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
1⤵
PID:1368

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
1⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
1⤵
PID:2912

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
1⤵
PID:2140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\.bat

Filesize
196B

MD5
b868ce693a3068f91c7f8868712a30bf

SHA1
5c7f0272d9a059dfacf45219870f8e36f933d827

SHA256
302d297f64081fce79e2ecf142c182d8baddb431f59d36669c8856a168817d15

SHA512
151de146ce6d6ac0937cbd379aa7ce06c8e5329ec3d6e300474921f44ae866f1b8e9e59391efa51e3551f11b875903586a895dfc263b8024555bc824f13a27bb

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\.bat

Filesize
196B

MD5
b868ce693a3068f91c7f8868712a30bf

SHA1
5c7f0272d9a059dfacf45219870f8e36f933d827

SHA256
302d297f64081fce79e2ecf142c182d8baddb431f59d36669c8856a168817d15

SHA512
151de146ce6d6ac0937cbd379aa7ce06c8e5329ec3d6e300474921f44ae866f1b8e9e59391efa51e3551f11b875903586a895dfc263b8024555bc824f13a27bb

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\.bat

Filesize
196B

MD5
b868ce693a3068f91c7f8868712a30bf

SHA1
5c7f0272d9a059dfacf45219870f8e36f933d827

SHA256
302d297f64081fce79e2ecf142c182d8baddb431f59d36669c8856a168817d15

SHA512
151de146ce6d6ac0937cbd379aa7ce06c8e5329ec3d6e300474921f44ae866f1b8e9e59391efa51e3551f11b875903586a895dfc263b8024555bc824f13a27bb

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\.bat

Filesize
196B

MD5
b868ce693a3068f91c7f8868712a30bf

SHA1
5c7f0272d9a059dfacf45219870f8e36f933d827

SHA256
302d297f64081fce79e2ecf142c182d8baddb431f59d36669c8856a168817d15

SHA512
151de146ce6d6ac0937cbd379aa7ce06c8e5329ec3d6e300474921f44ae866f1b8e9e59391efa51e3551f11b875903586a895dfc263b8024555bc824f13a27bb

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\.bat

Filesize
196B

MD5
b868ce693a3068f91c7f8868712a30bf

SHA1
5c7f0272d9a059dfacf45219870f8e36f933d827

SHA256
302d297f64081fce79e2ecf142c182d8baddb431f59d36669c8856a168817d15

SHA512
151de146ce6d6ac0937cbd379aa7ce06c8e5329ec3d6e300474921f44ae866f1b8e9e59391efa51e3551f11b875903586a895dfc263b8024555bc824f13a27bb

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\System.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\System.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\System.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\System.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
210B

MD5
05176b571a0fd0930d1db2ab726a2bab

SHA1
aad674874d591fa136ec7a373ad71803125dd843

SHA256
887465aba2fffa9607b428a2535a3fb46dcfec39186aef31ae5a43f08e2c5c77

SHA512
d71d4af44a25d1da09b6b00c650039691a885b6d707ec45213507675ac4c8f483acad1231bb63ba1efa0d7c6d57aff5c4878c581190e49031288232a11f29cb6

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
210B

MD5
05176b571a0fd0930d1db2ab726a2bab

SHA1
aad674874d591fa136ec7a373ad71803125dd843

SHA256
887465aba2fffa9607b428a2535a3fb46dcfec39186aef31ae5a43f08e2c5c77

SHA512
d71d4af44a25d1da09b6b00c650039691a885b6d707ec45213507675ac4c8f483acad1231bb63ba1efa0d7c6d57aff5c4878c581190e49031288232a11f29cb6

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
274B

MD5
fff58d09806eac008467f4b7dc958f44

SHA1
05f992f37571c991baa822dd24c64ac9311cbcad

SHA256
718a21a6d4d06bfe6d9b1f5b5ed4f1f57b9789eaac0a175de61f93c515b55705

SHA512
9c06734e6020634bbe209a8f5c1f3a19adf79f7e275e3397eafc49994d458fb769d17827699f290a7d7b452fbb48a70c1184d0d297ce707e561cbf05c581d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
210B

MD5
05176b571a0fd0930d1db2ab726a2bab

SHA1
aad674874d591fa136ec7a373ad71803125dd843

SHA256
887465aba2fffa9607b428a2535a3fb46dcfec39186aef31ae5a43f08e2c5c77

SHA512
d71d4af44a25d1da09b6b00c650039691a885b6d707ec45213507675ac4c8f483acad1231bb63ba1efa0d7c6d57aff5c4878c581190e49031288232a11f29cb6

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
210B

MD5
05176b571a0fd0930d1db2ab726a2bab

SHA1
aad674874d591fa136ec7a373ad71803125dd843

SHA256
887465aba2fffa9607b428a2535a3fb46dcfec39186aef31ae5a43f08e2c5c77

SHA512
d71d4af44a25d1da09b6b00c650039691a885b6d707ec45213507675ac4c8f483acad1231bb63ba1efa0d7c6d57aff5c4878c581190e49031288232a11f29cb6

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
210B

MD5
05176b571a0fd0930d1db2ab726a2bab

SHA1
aad674874d591fa136ec7a373ad71803125dd843

SHA256
887465aba2fffa9607b428a2535a3fb46dcfec39186aef31ae5a43f08e2c5c77

SHA512
d71d4af44a25d1da09b6b00c650039691a885b6d707ec45213507675ac4c8f483acad1231bb63ba1efa0d7c6d57aff5c4878c581190e49031288232a11f29cb6

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
210B

MD5
05176b571a0fd0930d1db2ab726a2bab

SHA1
aad674874d591fa136ec7a373ad71803125dd843

SHA256
887465aba2fffa9607b428a2535a3fb46dcfec39186aef31ae5a43f08e2c5c77

SHA512
d71d4af44a25d1da09b6b00c650039691a885b6d707ec45213507675ac4c8f483acad1231bb63ba1efa0d7c6d57aff5c4878c581190e49031288232a11f29cb6

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
210B

MD5
05176b571a0fd0930d1db2ab726a2bab

SHA1
aad674874d591fa136ec7a373ad71803125dd843

SHA256
887465aba2fffa9607b428a2535a3fb46dcfec39186aef31ae5a43f08e2c5c77

SHA512
d71d4af44a25d1da09b6b00c650039691a885b6d707ec45213507675ac4c8f483acad1231bb63ba1efa0d7c6d57aff5c4878c581190e49031288232a11f29cb6

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\melt.bat

Filesize
120B

MD5
382ce614c807f0158023ca4b26ddbdcc

SHA1
76c3e60fa4c6e9f8497acf8b17625ab93d28ddd7

SHA256
313a0e4a537224cf215f6e90a97b265aba906871c8180d8e2ffadb01a24dc64f

SHA512
19ed4e6f81067fa268253fec6eb93c7a0143590dc7885318f60aabaa86aff6d6d1ad7aca68689672929e97692f6294846ea1e5c23da56a7d9f89269a97dd6015

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\melt.bat

Filesize
56B

MD5
8d5014ff984d6c3cf360bbe5e123d773

SHA1
b201ade1192d2891060f88903bb0dcd07cae6039

SHA256
1ec28a38e7e53314983708fc58e59f32fb576503c8b0fdad0a3b513576009500

SHA512
4d9975b965b7f61f6966f8cc4aa6bbc40fd3fdd87d7c7c026881511184aaddd02d64cd26681b73e3b5170ad21d95d5a890e1c4835ecf7af98e68185efc9bb92b

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\melt.bat

Filesize
56B

MD5
8d5014ff984d6c3cf360bbe5e123d773

SHA1
b201ade1192d2891060f88903bb0dcd07cae6039

SHA256
1ec28a38e7e53314983708fc58e59f32fb576503c8b0fdad0a3b513576009500

SHA512
4d9975b965b7f61f6966f8cc4aa6bbc40fd3fdd87d7c7c026881511184aaddd02d64cd26681b73e3b5170ad21d95d5a890e1c4835ecf7af98e68185efc9bb92b

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\melt.bat

Filesize
56B

MD5
8d5014ff984d6c3cf360bbe5e123d773

SHA1
b201ade1192d2891060f88903bb0dcd07cae6039

SHA256
1ec28a38e7e53314983708fc58e59f32fb576503c8b0fdad0a3b513576009500

SHA512
4d9975b965b7f61f6966f8cc4aa6bbc40fd3fdd87d7c7c026881511184aaddd02d64cd26681b73e3b5170ad21d95d5a890e1c4835ecf7af98e68185efc9bb92b

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\melt.bat

Filesize
56B

MD5
8d5014ff984d6c3cf360bbe5e123d773

SHA1
b201ade1192d2891060f88903bb0dcd07cae6039

SHA256
1ec28a38e7e53314983708fc58e59f32fb576503c8b0fdad0a3b513576009500

SHA512
4d9975b965b7f61f6966f8cc4aa6bbc40fd3fdd87d7c7c026881511184aaddd02d64cd26681b73e3b5170ad21d95d5a890e1c4835ecf7af98e68185efc9bb92b

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\svhost.bat

Filesize
208B

MD5
96b5b2aed599f993d37a2013d24e5bbd

SHA1
53f77f54d720f3c6f7722b2ed0a9bd3f2bb8f93a

SHA256
9fe915190b23ffea64f6ed735027828354daa24245c69137ce567e945bb111a4

SHA512
f719b5884c139a1b43ec0f6d13757e8ed59e366ae8eebe42c93e3d0f7b261e33fff77e6b8471ec25c8db43adeef9b8574c99f206b814f315b54cab97e7761ff8

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Roaming\svhost.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
memory/336-415-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/584-431-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/584-395-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/608-280-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/608-183-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/796-361-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/796-398-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/908-282-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/924-364-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/924-401-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/956-365-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/956-352-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/964-168-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/964-69-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/972-324-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/972-196-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/972-100-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/972-274-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1012-379-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1012-380-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1068-84-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1068-90-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1068-95-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1068-89-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1068-97-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1068-101-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1068-91-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1068-85-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1068-316-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1084-414-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1084-255-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1084-281-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1212-163-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1212-259-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1232-301-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1232-327-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1324-354-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1324-381-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1360-400-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-318-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-351-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-139-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-132-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-323-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-329-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-429-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1544-254-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1544-328-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1588-430-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1608-360-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-416-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-378-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-225-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-130-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-303-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-302-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-335-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-362-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-397-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-396-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1808-136-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1808-54-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1808-55-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1808-58-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1832-333-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1832-355-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-228-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-251-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-350-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-197-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-300-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-227-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download