fa5e38ff3f546827c5e62db27f12d68bcc4cb30285a329088c54995b2e4ec5d0

Resubmissions

28-03-2023 12:54

230328-p5kf3abb35 10

10-02-2022 06:54

220210-hn9lasfgel 10

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

v4vcmk.exe
Size

235KB
MD5

e7a30a6b98068f2c28af36b58c314c6a
SHA1

4a366530e40c4ba0f6df97c8ebce2429aea6cc35
SHA256

fa5e38ff3f546827c5e62db27f12d68bcc4cb30285a329088c54995b2e4ec5d0
SHA512

8e8bff9a8c1976ca5724a8eaec77b81f7d057311021845aa3f72a6573bf25b189e715af3902fef76079e3dd2dcc6cf7ed513f9f8df9cf60c1e23439c990b33e6
SSDEEP

3072:be0LTBeC0bt7ipg9+HaNbVW7MKcvsh/jXo+mo5vCI3nqDEmpl7Z4ovpUsttQ:tTwC0Epg9kIWl4+moESwEmD7Z7hUst2

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

Conhost.exeConhost.execmd.exereg.exereg.exereg.execmd.exeConhost.exeConhost.exereg.exeConhost.exeConhost.execscript.exereg.exeConhost.exereg.exereg.exereg.execscript.exereg.exereg.exereg.exereg.exeConhost.exereg.exereg.exeConhost.exereg.exereg.execmd.exeConhost.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.execscript.exereg.exereg.exev4vcmk.exeConhost.exereg.exereg.execmd.exereg.exereg.exeConhost.exeConhost.exeConhost.exereg.execmd.exereg.exereg.exereg.exereg.exereg.exeConhost.exeConhost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	v4vcmk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cmd.exeConhost.exereg.exeConhost.exereg.exereg.exeConhost.exeConhost.exeConhost.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.execmd.exereg.execmd.exeConhost.exemousocoreworker.execmd.exereg.exeConhost.exereg.execmd.exereg.execmd.exereg.execscript.exereg.exeConhost.exereg.execmd.execmd.exereg.exeConhost.exereg.exereg.exereg.exereg.exeConhost.execscript.exereg.exereg.exereg.exeConhost.execscript.exereg.exeConhost.exereg.exereg.exeConhost.exeConhost.exereg.execmd.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mousocoreworker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

Processes:

nkMAQcEc.exebiYgYEkY.exe

pid process

1752 nkMAQcEc.exe
2952 biYgYEkY.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1752	nkMAQcEc.exe
2952	biYgYEkY.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

biYgYEkY.exev4vcmk.exenkMAQcEc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\biYgYEkY.exe = "C:\\ProgramData\\vkoAcAos\\biYgYEkY.exe"	biYgYEkY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nkMAQcEc.exe = "C:\\Users\\Admin\\biEUwQcc\\nkMAQcEc.exe"	v4vcmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\biYgYEkY.exe = "C:\\ProgramData\\vkoAcAos\\biYgYEkY.exe"	v4vcmk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nkMAQcEc.exe = "C:\\Users\\Admin\\biEUwQcc\\nkMAQcEc.exe"	nkMAQcEc.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execscript.execscript.execmd.execmd.execscript.execmd.execmd.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1012	reg.exe
1280	reg.exe
1012	reg.exe
3368	reg.exe
2140	reg.exe
984	reg.exe
2892	reg.exe
3660	reg.exe
3288	reg.exe
2212	reg.exe
4464	reg.exe
4636	reg.exe
2488	reg.exe
2536	reg.exe
460	reg.exe
4036	reg.exe
3016	reg.exe
4728	reg.exe
1224	reg.exe
2140	reg.exe
1908	reg.exe
952	reg.exe
2656	reg.exe
3244	reg.exe
4656	reg.exe
4932	reg.exe
5112	reg.exe
4680	reg.exe
4900	reg.exe
4428	reg.exe
1628	reg.exe
4512	reg.exe
3220	reg.exe
3468	reg.exe
1784	reg.exe
1160	reg.exe
1984	reg.exe
440	reg.exe
1744	reg.exe
3936	reg.exe
1872	reg.exe
2172	reg.exe
760	reg.exe
1296	reg.exe
4368	reg.exe
4236	reg.exe
2372	reg.exe
4196	reg.exe
5040	reg.exe
1500	reg.exe
860	reg.exe
4508	reg.exe
1612	reg.exe
2616	reg.exe
528	reg.exe
2576	reg.exe
380	reg.exe
648	reg.exe
4188	reg.exe
2576	reg.exe
1320	reg.exe
1284	reg.exe
2756	reg.exe
3644	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

v4vcmk.exev4vcmk.exev4vcmk.exev4vcmk.exev4vcmk.exev4vcmk.exeConhost.exereg.exeConhost.exev4vcmk.exeConhost.exev4vcmk.exev4vcmk.exeConhost.execmd.exeConhost.exe

pid	process
5064	v4vcmk.exe
5064	v4vcmk.exe
5064	v4vcmk.exe
5064	v4vcmk.exe
2628	v4vcmk.exe
2628	v4vcmk.exe
2628	v4vcmk.exe
2628	v4vcmk.exe
2604	v4vcmk.exe
2604	v4vcmk.exe
2604	v4vcmk.exe
2604	v4vcmk.exe
448	v4vcmk.exe
448	v4vcmk.exe
448	v4vcmk.exe
448	v4vcmk.exe
3936	v4vcmk.exe
3936	v4vcmk.exe
3936	v4vcmk.exe
3936	v4vcmk.exe
2220	v4vcmk.exe
2220	v4vcmk.exe
2220	v4vcmk.exe
2220	v4vcmk.exe
2676	Conhost.exe
2676	Conhost.exe
2676	Conhost.exe
2676	Conhost.exe
3644	reg.exe
3644	reg.exe
3644	reg.exe
3644	reg.exe
824	Conhost.exe
824	Conhost.exe
824	Conhost.exe
824	Conhost.exe
3364	v4vcmk.exe
3364	v4vcmk.exe
3364	v4vcmk.exe
3364	v4vcmk.exe
2000	Conhost.exe
2000	Conhost.exe
2000	Conhost.exe
2000	Conhost.exe
3540	v4vcmk.exe
3540	v4vcmk.exe
3540	v4vcmk.exe
3540	v4vcmk.exe
3952	v4vcmk.exe
3952	v4vcmk.exe
3952	v4vcmk.exe
3952	v4vcmk.exe
616	Conhost.exe
616	Conhost.exe
616	Conhost.exe
616	Conhost.exe
1556	cmd.exe
1556	cmd.exe
1556	cmd.exe
1556	cmd.exe
4756	Conhost.exe
4756	Conhost.exe
4756	Conhost.exe
4756	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

v4vcmk.execmd.execmd.exev4vcmk.execmd.exev4vcmk.execmd.execmd.exe

description	pid	process	target process
PID 5064 wrote to memory of 1752	5064	v4vcmk.exe	nkMAQcEc.exe
PID 5064 wrote to memory of 1752	5064	v4vcmk.exe	nkMAQcEc.exe
PID 5064 wrote to memory of 1752	5064	v4vcmk.exe	nkMAQcEc.exe
PID 5064 wrote to memory of 2952	5064	v4vcmk.exe	biYgYEkY.exe
PID 5064 wrote to memory of 2952	5064	v4vcmk.exe	biYgYEkY.exe
PID 5064 wrote to memory of 2952	5064	v4vcmk.exe	biYgYEkY.exe
PID 5064 wrote to memory of 2552	5064	v4vcmk.exe	cmd.exe
PID 5064 wrote to memory of 2552	5064	v4vcmk.exe	cmd.exe
PID 5064 wrote to memory of 2552	5064	v4vcmk.exe	cmd.exe
PID 5064 wrote to memory of 4324	5064	v4vcmk.exe	reg.exe
PID 5064 wrote to memory of 4324	5064	v4vcmk.exe	reg.exe
PID 5064 wrote to memory of 4324	5064	v4vcmk.exe	reg.exe
PID 5064 wrote to memory of 2040	5064	v4vcmk.exe	reg.exe
PID 5064 wrote to memory of 2040	5064	v4vcmk.exe	reg.exe
PID 5064 wrote to memory of 2040	5064	v4vcmk.exe	reg.exe
PID 5064 wrote to memory of 2192	5064	v4vcmk.exe	reg.exe
PID 5064 wrote to memory of 2192	5064	v4vcmk.exe	reg.exe
PID 5064 wrote to memory of 2192	5064	v4vcmk.exe	reg.exe
PID 5064 wrote to memory of 1996	5064	v4vcmk.exe	cmd.exe
PID 5064 wrote to memory of 1996	5064	v4vcmk.exe	cmd.exe
PID 5064 wrote to memory of 1996	5064	v4vcmk.exe	cmd.exe
PID 2552 wrote to memory of 2628	2552	cmd.exe	v4vcmk.exe
PID 2552 wrote to memory of 2628	2552	cmd.exe	v4vcmk.exe
PID 2552 wrote to memory of 2628	2552	cmd.exe	v4vcmk.exe
PID 1996 wrote to memory of 1660	1996	cmd.exe	cscript.exe
PID 1996 wrote to memory of 1660	1996	cmd.exe	cscript.exe
PID 1996 wrote to memory of 1660	1996	cmd.exe	cscript.exe
PID 2628 wrote to memory of 4908	2628	v4vcmk.exe	cmd.exe
PID 2628 wrote to memory of 4908	2628	v4vcmk.exe	cmd.exe
PID 2628 wrote to memory of 4908	2628	v4vcmk.exe	cmd.exe
PID 2628 wrote to memory of 1784	2628	v4vcmk.exe	reg.exe
PID 2628 wrote to memory of 1784	2628	v4vcmk.exe	reg.exe
PID 2628 wrote to memory of 1784	2628	v4vcmk.exe	reg.exe
PID 2628 wrote to memory of 4748	2628	v4vcmk.exe	reg.exe
PID 2628 wrote to memory of 4748	2628	v4vcmk.exe	reg.exe
PID 2628 wrote to memory of 4748	2628	v4vcmk.exe	reg.exe
PID 2628 wrote to memory of 1108	2628	v4vcmk.exe	reg.exe
PID 2628 wrote to memory of 1108	2628	v4vcmk.exe	reg.exe
PID 2628 wrote to memory of 1108	2628	v4vcmk.exe	reg.exe
PID 2628 wrote to memory of 1776	2628	v4vcmk.exe	cmd.exe
PID 2628 wrote to memory of 1776	2628	v4vcmk.exe	cmd.exe
PID 2628 wrote to memory of 1776	2628	v4vcmk.exe	cmd.exe
PID 4908 wrote to memory of 2604	4908	cmd.exe	v4vcmk.exe
PID 4908 wrote to memory of 2604	4908	cmd.exe	v4vcmk.exe
PID 4908 wrote to memory of 2604	4908	cmd.exe	v4vcmk.exe
PID 2604 wrote to memory of 4284	2604	v4vcmk.exe	cmd.exe
PID 2604 wrote to memory of 4284	2604	v4vcmk.exe	cmd.exe
PID 2604 wrote to memory of 4284	2604	v4vcmk.exe	cmd.exe
PID 1776 wrote to memory of 896	1776	cmd.exe	cscript.exe
PID 1776 wrote to memory of 896	1776	cmd.exe	cscript.exe
PID 1776 wrote to memory of 896	1776	cmd.exe	cscript.exe
PID 4284 wrote to memory of 448	4284	cmd.exe	v4vcmk.exe
PID 4284 wrote to memory of 448	4284	cmd.exe	v4vcmk.exe
PID 4284 wrote to memory of 448	4284	cmd.exe	v4vcmk.exe
PID 2604 wrote to memory of 1872	2604	v4vcmk.exe	reg.exe
PID 2604 wrote to memory of 1872	2604	v4vcmk.exe	reg.exe
PID 2604 wrote to memory of 1872	2604	v4vcmk.exe	reg.exe
PID 2604 wrote to memory of 616	2604	v4vcmk.exe	reg.exe
PID 2604 wrote to memory of 616	2604	v4vcmk.exe	reg.exe
PID 2604 wrote to memory of 616	2604	v4vcmk.exe	reg.exe
PID 2604 wrote to memory of 1540	2604	v4vcmk.exe	reg.exe
PID 2604 wrote to memory of 1540	2604	v4vcmk.exe	reg.exe
PID 2604 wrote to memory of 1540	2604	v4vcmk.exe	reg.exe
PID 2604 wrote to memory of 5016	2604	v4vcmk.exe	cmd.exe

System policy modification 1 TTPs 28 IoCs

evasion

Modify Registry

T1112

Processes:

cmd.execscript.execmd.execmd.execmd.execscript.execmd.execmd.execmd.execscript.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
"C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\biEUwQcc\nkMAQcEc.exe
"C:\Users\Admin\biEUwQcc\nkMAQcEc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
2⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
4⤵
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
6⤵
- Suspicious use of WriteProcessMemory
PID:4284

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
8⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
10⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
12⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
13⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
14⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
15⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
16⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
17⤵
PID:824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
18⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
20⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
21⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
22⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
24⤵
PID:3292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
26⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
27⤵
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
28⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
29⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
30⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
31⤵
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
32⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
33⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
34⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
35⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
36⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
37⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
38⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
39⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
40⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
41⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
42⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
43⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
44⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
45⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
46⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
47⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
48⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
49⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
50⤵
- Modifies visibility of file extensions in Explorer
PID:3264

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
51⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
52⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
53⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
54⤵
PID:4208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
- UAC bypass
PID:2616

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
55⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
56⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
57⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
58⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
59⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
60⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
61⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
62⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
63⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
64⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
65⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
66⤵
PID:4568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
67⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
68⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
69⤵
PID:3136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
70⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:64

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
71⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
72⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
73⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
74⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
75⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
76⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
77⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
78⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
79⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
80⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
81⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
82⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
83⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
84⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
85⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
86⤵
PID:1948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
87⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
88⤵
PID:4216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
- Modifies visibility of file extensions in Explorer
PID:4716

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
89⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
90⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
91⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
92⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
93⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
94⤵
PID:3848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
95⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
96⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
97⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
98⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
99⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
100⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
101⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
102⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
103⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
104⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
105⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
106⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
107⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
108⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
109⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
110⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
111⤵
PID:896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
112⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
113⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
114⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
115⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
116⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
117⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
118⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
119⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
120⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
121⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
122⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
123⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
124⤵
PID:3436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
125⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
126⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
127⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
128⤵
PID:4668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
129⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
130⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
131⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
132⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
133⤵
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
134⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
135⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
136⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
137⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
138⤵
PID:1188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
- Modifies visibility of file extensions in Explorer
PID:912

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
139⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
140⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
141⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
142⤵
PID:1488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
143⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
144⤵
PID:3776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
- UAC bypass
PID:4428

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
145⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
146⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
147⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
148⤵
PID:3488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
149⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
150⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
151⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
152⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4996

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
153⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
154⤵
PID:1508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
155⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
156⤵
- Modifies visibility of file extensions in Explorer
PID:3264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
157⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
158⤵
PID:3780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
159⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
160⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
161⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
162⤵
PID:4208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
163⤵
- Modifies visibility of file extensions in Explorer
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
164⤵
PID:648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
165⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
166⤵
PID:2336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
C:\Users\Admin\AppData\Local\Temp\v4vcmk
167⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
168⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1160

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEAgwcME.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
168⤵
PID:896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:3280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:2604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKMkogEw.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
166⤵
- Modifies visibility of file extensions in Explorer
PID:1984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
- Modifies visibility of file extensions in Explorer
PID:2372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- Modifies registry key
PID:4656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:1956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
- UAC bypass
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- UAC bypass
PID:4036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIcsMoUg.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
164⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
- Modifies visibility of file extensions in Explorer
PID:2488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
- Modifies registry key
PID:2756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:4352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:3812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:5032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
- UAC bypass
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:4568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vikAcows.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
162⤵
PID:2668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:4036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CassMAcc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
160⤵
PID:4984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
- Modifies visibility of file extensions in Explorer
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Modifies registry key
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:3104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kikIccYY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
158⤵
PID:2692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:3344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYYQsUYI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
156⤵
PID:380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
- UAC bypass
PID:3896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:3312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
- UAC bypass
- Modifies registry key
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cysgoooo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
154⤵
PID:1008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:1948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:1076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUAwgcwA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
152⤵
PID:2676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- Modifies registry key
PID:4036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
- Modifies visibility of file extensions in Explorer
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies registry key
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RewsMAAs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
150⤵
PID:2740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:3896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
- Modifies visibility of file extensions in Explorer
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyUIIogs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
148⤵
PID:3780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:2856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
- UAC bypass
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
- Modifies registry key
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:3772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgcgIcEA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
146⤵
PID:4072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOkQwUkE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
144⤵
- Checks whether UAC is enabled
- System policy modification
PID:5080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
- Modifies registry key
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
- Modifies registry key
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omoYQEEo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
142⤵
PID:4572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- Modifies registry key
PID:1160

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:3724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcIUAsIg.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
140⤵
PID:2396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
140⤵
- Modifies visibility of file extensions in Explorer
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oeUgoQgk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
138⤵
PID:1392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:4604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- Modifies registry key
PID:4428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
- Modifies registry key
PID:4196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmUEIIgU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
136⤵
PID:3964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:3848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:1444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XacAMgMY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
134⤵
PID:2152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:4512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
- Modifies visibility of file extensions in Explorer
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:4324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
- Modifies visibility of file extensions in Explorer
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyswUskc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
132⤵
PID:2380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
- UAC bypass
PID:4044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwwoAkUE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
130⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:3016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
- Modifies visibility of file extensions in Explorer
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsgsAwwo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
128⤵
PID:4260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
- Modifies visibility of file extensions in Explorer
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:1592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAIEMAgc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
126⤵
PID:3908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:2216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMIYUcko.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
124⤵
PID:4920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqQEEEIc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
122⤵
- Modifies visibility of file extensions in Explorer
- Checks whether UAC is enabled
- System policy modification
PID:2212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
- Modifies registry key
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQossIwc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
120⤵
PID:4196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
- Modifies visibility of file extensions in Explorer
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REwIUcso.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
118⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:3184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYwkEwco.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
116⤵
PID:5036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:2140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies registry key
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOUAEEwM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
114⤵
PID:1132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
- UAC bypass
PID:2656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- Modifies registry key
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCwsUgYY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
112⤵
PID:3812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:4328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:4528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
- Modifies visibility of file extensions in Explorer
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meUoUMQc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
110⤵
PID:5020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:4752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
- Modifies registry key
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:4196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWQUgkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
108⤵
PID:3528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IoYAUIsI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
106⤵
PID:992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:3428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGEgcoIk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
104⤵
- Modifies visibility of file extensions in Explorer
PID:3540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOskMAMc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
102⤵
PID:3920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- Modifies registry key
PID:2140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
- Modifies registry key
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
- Modifies registry key
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkkcIUQI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
100⤵
PID:2000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:1452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
- Modifies registry key
PID:4508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- Modifies registry key
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsUQYwgU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
98⤵
PID:4256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
- UAC bypass
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:3268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOwcMQYk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
96⤵
PID:2088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaMsUQUw.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
94⤵
PID:2152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:4044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:1444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
- Modifies visibility of file extensions in Explorer
PID:3808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hycIMMUI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
92⤵
PID:892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies registry key
PID:1744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMgwcMYc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
90⤵
PID:1916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies registry key
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies registry key
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgswAAcc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
88⤵
PID:4920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:1140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSUAEMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
86⤵
PID:3428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
- Modifies visibility of file extensions in Explorer
PID:4512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUMEkMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
84⤵
PID:1588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- Modifies registry key
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:4404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- Modifies registry key
PID:3244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuoockcY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
82⤵
PID:5020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyoAskIM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
80⤵
PID:648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
- UAC bypass
PID:2760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:3540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSsAoMIs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
78⤵
PID:2668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rakUkswg.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
76⤵
PID:3724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- Modifies registry key
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:3872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:3808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- UAC bypass
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- Modifies registry key
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqgkEoos.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
74⤵
PID:4020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGYIAYwg.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
72⤵
PID:2756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies registry key
PID:648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyQEIoYM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
70⤵
PID:3476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
- Modifies visibility of file extensions in Explorer
PID:3696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
- Modifies registry key
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgQkEgQs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
68⤵
PID:2372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- Modifies registry key
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:1952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
- UAC bypass
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEcIokMI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
66⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMckkgEs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
64⤵
PID:4344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:1852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuEcsgMo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
62⤵
PID:2056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies registry key
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEUIUocU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
60⤵
PID:2728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWIIgMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
58⤵
PID:3796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeockogk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
56⤵
PID:2088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies registry key
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies registry key
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
- Modifies registry key
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cyMYYoIc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
54⤵
PID:1744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMwgEwwo.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
52⤵
PID:3640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeIEUEgw.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
50⤵
PID:1224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckQUgoUc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
48⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egccgMIs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
46⤵
PID:2548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- Modifies registry key
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiEEwssA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
44⤵
PID:1396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XocAkIMs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
42⤵
PID:1400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsUYoQoE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
40⤵
PID:2064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:4380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:1452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:4144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bccUgowA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
38⤵
PID:992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies registry key
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmUIwscY.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
36⤵
PID:896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:4788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies registry key
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- Modifies registry key
PID:2616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoMUgYsw.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
34⤵
PID:3244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAsksEUc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
32⤵
PID:2060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- Modifies registry key
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:4312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAYEUoMw.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
30⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaosEAEc.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
28⤵
PID:3344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies registry key
- Suspicious behavior: EnumeratesProcesses
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaMwQkIU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
26⤵
PID:4144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
- Modifies visibility of file extensions in Explorer
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcMAgsgs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
24⤵
PID:4336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
- Modifies registry key
PID:3288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGgYwAcs.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
22⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BoEcwcAU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
20⤵
PID:1948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQwkQMAA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
18⤵
PID:2544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies registry key
PID:1500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- Modifies registry key
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGwkAgks.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
16⤵
PID:1132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
- Modifies registry key
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAkkUYIM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
14⤵
PID:716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWAoAckg.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
12⤵
PID:3608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:3760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUAocogI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
10⤵
PID:4328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKkIYgoE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
8⤵
PID:4708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raUQkIwE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
6⤵
PID:5016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqgQoAQU.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:896

C:\ProgramData\vkoAcAos\biYgYEkY.exe
"C:\ProgramData\vkoAcAos\biYgYEkY.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUYIockw.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:616

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- UAC bypass
PID:424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3980

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 1rYlN416v0GxKobj/yFNQw.0.2
1⤵
PID:3476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\vkoAcAos\biYgYEkY.exe
Filesize
195KB

MD5
d5a4d8d897f9886b0ffac3e6d0833c3e

SHA1
dc6de91a454979de244af33942482dd7fd585d66

SHA256
98f726bb3da781a057c18b10dfe4fd5944667052e2d544269f0fd9251e32dcf3

SHA512
6f2622a81debe28f9179d28146f08eebec5c7f44a56b73d657e8af795c6b289fe675a84aa219fc8493430a119223260be645ea627976bb9fb390bd5be13b1883

Download Submit
C:\ProgramData\vkoAcAos\biYgYEkY.exe
Filesize
195KB

MD5
d5a4d8d897f9886b0ffac3e6d0833c3e

SHA1
dc6de91a454979de244af33942482dd7fd585d66

SHA256
98f726bb3da781a057c18b10dfe4fd5944667052e2d544269f0fd9251e32dcf3

SHA512
6f2622a81debe28f9179d28146f08eebec5c7f44a56b73d657e8af795c6b289fe675a84aa219fc8493430a119223260be645ea627976bb9fb390bd5be13b1883

Download Submit
C:\ProgramData\vkoAcAos\biYgYEkY.inf
Filesize
4B

MD5
1c25b8952940d10cb854c0cb89c30678

SHA1
1b758daa49a0dbc67a370a44544c2aa23afd402f

SHA256
2fe8478021890b09ce51557ebfa7e9b126caa15fb60b2300aaf79985b33a7358

SHA512
90d60396a2a327c0fc3a05e610fc1e62a6b77212de19f3783e766f46a7b647d0e0b27de02e61a8732413f29f3bb35239e1b923431a4bb3aa3db28bd3c45f07f2

Download Submit
C:\ProgramData\vkoAcAos\biYgYEkY.inf
Filesize
4B

MD5
63c45f09be577d1565ec5f3c6b0535c9

SHA1
be449ad93e59373b33d931eb24b1d1ee4fa8efe2

SHA256
167c7f17cb202e6f037100a372541e401362243e0647414eb3bc4f26aaec6c9b

SHA512
01395c2b5c838832f732750b7e0e9bebc530aae9243bfa154583754892f023974f82aacda4f715219b018b37169957171606084cd359b302d443a62d0aa76718

Download Submit
C:\ProgramData\vkoAcAos\biYgYEkY.inf
Filesize
4B

MD5
2ecb72f124b676dbf9ca094f6052b3b9

SHA1
f938ad8d9e8120460c567e623009099ccc9b770b

SHA256
99b4c7261a6132d32d7f64c960b5c2df591b469a90843fbef52db6e61a8fb882

SHA512
30c8d33a94cf2c23e8ae63272f39812d9bdf9a6a65eccf2483c63ae33e4ef0e8137ca5d7db7319ec281c2c8ac719739497388446cd3f2a23dd51714cd665f209

Download Submit
C:\ProgramData\vkoAcAos\biYgYEkY.inf
Filesize
4B

MD5
589bbacd180592a46652cca004ce1c4c

SHA1
685f7a5ecb3b65b6ae926cdc826c0c5e405e99a3

SHA256
c6461ceb1d1f45c6a77f7b4c66c254616a9d0712ec46d8e2ebc2ad292dafa67c

SHA512
6fbdf1eac6f935001a90707fd15522b79ac8fe31dc43a68b26b4b8416b7b5514bb47f17aeeb7769a4497292673ddd21c758ee3b1f54dfcae7515a7a20f0c642a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe
Filesize
209KB

MD5
4b36e449ffdd2ee6a5addecc81c73f37

SHA1
ca58a2931b48566686f91c7a9b2efb9b1228ca8c

SHA256
afa7c5ef085d25895974220e346ab35d314abc0ff44c96d754d78dd9d4d49de7

SHA512
1848c2d2357d645c0f8f4adc6bbfb84a37e77e4118617e17e9f9c58893697a0bf0d2a2b5bd05e3c34f6bc6de24a0c572b51fc517807ff8480096f368ac235d3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe
Filesize
191KB

MD5
be03b17a28de7d88b50188306943527a

SHA1
cd7a10d84a4744fe1cc4d2ecf8b5b4b3cea66a0e

SHA256
0bc0cdc13aa6bc49a96bbfc0d6f3d7e06dcba44c944713848a53fa92ff550fe1

SHA512
3c69cbb02db225d633bcf0ca051be39620dc66a329c15b9e6971144ca7e9e86ea0848211d5cb6ffea0ac9651b4082d79a1dd4415a504879fca1bb0fcc9cabfff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe
Filesize
196KB

MD5
d523dfd6307ffc95a58f25280b3b70bc

SHA1
59f01ce3e4184f738f3f6d6391af5c103484f383

SHA256
059e3636e4201ad4eb1960cf43f441a5b53f658a39f1bb34b7476aa8089edcbf

SHA512
936be24e8bf7c82eb86820440f13a4e01e404e2eee94609197a3fa0ea14cd67ce4b50cfe13e1ddd9ddb9d1c6240da6b76e74452fffeda863b96581c201bf46a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe
Filesize
207KB

MD5
03b8caec4373add10d72a33f62859c29

SHA1
f71554be02869fc3979beed42a6b40335441093b

SHA256
a5ea97976e43f0dfe307c5fec7a88221990982824582e08c442e793ac8714067

SHA512
bd77b85fe21e5453011acf6d4c44defcc441587b6fb3f03019a8dcb754ce6067a43ecd281154d5b277663197aaa49d7b30536b18b1080f84575d8e5d9cddd666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe
Filesize
201KB

MD5
a7686b98d0eb6ca7343835db25aff469

SHA1
1d989f4212c3824cd283e3c65a62c75a6c047ee8

SHA256
bb7cc180dc64dcd8f7ee0c24643ba5a3e25d23b48aa9595cde43420a430a7a05

SHA512
3d951b04e41d1268411c73423ddc8396ff2d92cd9c2e85cb518c5e056b10347f0dcd1c31eeb3a489a6f85b463048e5b7440db5cc61231b39ca58c80e5f5a369a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
Filesize
204KB

MD5
62d5b56a874b1cf866f4991dcfe8ed21

SHA1
ccba14f4fe11c06b16f55b2086e8b99dd36f9605

SHA256
a31f8389f0f7d2f305420e216065205af7a84624ca3d810b0ed9afd426da44b8

SHA512
5330b611555a8364627ea4a3149456a213faf932291840a41ba6dc73a344d473a76025b2c0cadc91b2128cdf12d6fdafec7b724bd40f73f937a45dc22d8c979f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWAoAckg.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYUm.exe
Filesize
1.8MB

MD5
c6966970d60aa427ca8c50f5db277be7

SHA1
db070f9b08f98616635274b7ed54005519f11e87

SHA256
7e45f60ba75cbdfc8ac0c3eb1507cb57abd8cc0e903ceeb9b2dd70108e5b0e3e

SHA512
6c448c03fededda1a580ab627c7e349caa00664814703659fe80a0175e8201bf497d8985106895cda35387fd9e57cfc8c697ad402e39fe0b0e396edf972ff7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AaosEAEc.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcYA.exe
Filesize
198KB

MD5
7e163812401dd6347cc094d039744926

SHA1
df15b2ecf076eaee26be85ee9fcd22296be59946

SHA256
8488024816c39ee4108cbb3fda93950dacae9fe883fa244c1f312e613a395e2a

SHA512
e184253be9ce07203c6fd31e524e0ab2655c3485538d8da221151db91b96e205cf00b926864962a134110fcf7e5f79feabe033904c06cc8a477fdcfe2961e805

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoEcwcAU.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMUG.exe
Filesize
197KB

MD5
3bb3b333df46d326471753f343fcc0c5

SHA1
294c8e9266c53f33b277ad00bad2817e3137abaa

SHA256
b7b5e284c8d58152f2a369f65b86ad4e748f28d6b4cf23c3de561bbe079000f8

SHA512
ac350f115fc5602172de919e589821b418e1c97358b32daf565671bade1a8cab96778ca092876cb9eede63e92022ca692870d7f39bfe73b19499c76f36a268ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYQy.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoEW.exe
Filesize
194KB

MD5
d0542920e5a510cfdcbec9825e0940c1

SHA1
c651d6d63a48f3559b6517ff3eb9c624419a309c

SHA256
b67d4536431d31f8193a82d108f894565c6ba0a858ce7ee8c23414010d43552e

SHA512
4eba46c3bf3a18d544258d8ce975af80fb8f5d1380047cb2760f2492009cb136605832dca2879a3e03cc8bdc414c287379a83a8b3e6623bf8461c322a6284815

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAkm.exe
Filesize
209KB

MD5
bc291bd174c096117c936ec1ec802172

SHA1
e4718c9106cddc2659b632c7f6953dd9303376c7

SHA256
9adf197613ef039d0f7b188cbef845b814d09d9c5cc9713ef641190a3c08f416

SHA512
379544b25dc6ea87ade144ba7c50af199076121e3cb877451a2f22eb3b8ab85b6a594d6451fadefb6d5ea3250023a8dda8d4e56507c202df8ba269ae46fdd004

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIMA.exe
Filesize
194KB

MD5
731e1d3bb586f9e872748b776813f10c

SHA1
d69dd279fec68fe3c973e214b587e85b06eec0e6

SHA256
518f69578a1eb87316c5e30de0f0c64acd256b1d49261a10c7516577784d3724

SHA512
53f6075e6662ae5f47ddee2286971dabd8583dfff587d9ab68cd57e345a4e4c90e5300cd0fdeb1342f1f65a225e81d3174e67afb4d546b224781cfdb5bcb598f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIos.exe
Filesize
200KB

MD5
df35c7d3765d53c9ade6816b066a335d

SHA1
6f982d4350f69fa567a348c7af3aa4ff87899690

SHA256
7b8eddbd1e24833de09514fbd34f479b48ede5298cdd06d0c117437ebb381861

SHA512
679c7d139aee3a2f0ddd301cdbb70891881fc2b4957054f5da81e6e0d3adf25e8c22171b7329b1902c14fb5befb134119360dfbb6888cb879a07f1595a4230a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUwK.exe
Filesize
241KB

MD5
303624b3168471dd5d336978c5780992

SHA1
2b9140d281dcbe7d035f8cbcd95e0fc41c407774

SHA256
6d080c99d41442482d387402aaac316fa8c74946a2b61c888081fd94c42718b8

SHA512
c4164dced6d975b7e801387dc722737625b322ee2ae4471ed5550a71abb3f2c782afbd951cce30aae44e2958cb179ca2fbe17422082dac68b65fa744148b310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eowa.exe
Filesize
789KB

MD5
f587296b5f55c2d9017287dcbd18b9dc

SHA1
85794ba3b573e687079c71f74073b88640936b75

SHA256
5e1f5877e90606609b58c9696fdc28ce88653106f78d6a9b990d9267e8b6da7d

SHA512
f33f53214ee9f708a6ffdeefb2a42e09ca981833d83a89f5676fa71405e330f8e3825c6dcf08cd50a4d625f8bd26d61716c49a24b311a31ab28efbd9381db4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FqgQoAQU.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcMM.exe
Filesize
575KB

MD5
88c4222e4f3c80d0ddc457654787299a

SHA1
9de57ad970d436889823750b2623920abb1d6448

SHA256
e3cb18d2ea8773890ab59bcaf4d3117676dd05fbc0f154ed3539e8c0f17dbad0

SHA512
c898d3f44b763f4d4fed9006493accab85450f0cfb6842614da97e84085fe4e42ce9836973bf79b96e98d3d2400465c190f5f695c2536441a36a0681f1d079db

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoAm.exe
Filesize
199KB

MD5
1fb4588da13aaff46118e665dec2cfb7

SHA1
f721dee51a8b0220f083679c8b5ebf81bb17ef97

SHA256
566b01092bf2d88ce8136c883dfcc27e3df0529d4976ef0e4b39fe6119264ad0

SHA512
cb2a24bdf4ac1c1e7d22f0e80769aef3d5b266806fce3b6dd6e74242aa9ccdb43a18ce001c397bcd632d7042c816a7673ea9e59422d2147c7214cd87e4d86162

Download Submit
C:\Users\Admin\AppData\Local\Temp\IggY.exe
Filesize
648KB

MD5
d72b7f5fa4588648693756774dd5aa45

SHA1
fccdd285ece84bf2a94e2ec984c2ec3ed1f88394

SHA256
642dd3a6570364cd4014b26ef7ec1dca6e2521c0f265530d3d60943386c7d1fc

SHA512
85c05727ae18028fd4362dd5c63e6e408ac22aebec2e9a17835d68e23946b0ad4d86fe97ae8cbf99f9caafd86c170b6bf4ae06521d331463da8d5066bd4093ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\KaMwQkIU.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LGgYwAcs.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LcMAgsgs.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAAK.exe
Filesize
424KB

MD5
c27c61a95fbd285fa84f9831b4dae82b

SHA1
1561afce12d4e56ba0ca60a5ec4d415b3ba4a79a

SHA256
b96b7d8068c41df09f180729495eb86681620a4213514f37d0c1c54e746bd3ee

SHA512
9c5114fe7d2feb9b34543d86260ed5437e109b89a0c162060547a514184c5102dc2ec2b0c8f7bd6dfc37e46c549b0272e319a1007812fe7b6101cc776f27ad96

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAYEUoMw.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIck.exe
Filesize
197KB

MD5
f3bc6ede07a76b307ecba4e70b2a2591

SHA1
af0def449dc14c154806027e0e8216c51e6eb908

SHA256
0d318f17d7eb542af019eb2df21dc91e83dfe47821bd3e35f9841044740c6a44

SHA512
d28c0692a235ff85d8e3c48c7c26323ee7cc85dfc85faed8773a8d42110c25f69372f0e5aac4bf7b31b9629dd6ef7c8f24c3d897b36e353d24ceb6fd18796473

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQkm.exe
Filesize
233KB

MD5
5f8af114a57f6f59fd0416c6fe64d794

SHA1
f0679244af91395184d9e5d33b02488d7fee28f6

SHA256
28fb3e88539fe20beaa75bd1affd0ffaa467bb165eafa7a3114c616c1b5f211a

SHA512
798412d745b4fb9cb21b83006c5e70c77dd7f4fc2151428398a6a1ecbbc434c603c599aceb39ed3bc264b839aea8afdd985679a42ecc7811d439be5f47bf1e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEEI.exe
Filesize
182KB

MD5
982c7b514b9dc5b1d6b7d2c5a2a54046

SHA1
141d20405f32969914aa0a6230866b36693ce5db

SHA256
5a6dd028c9abc414c241f7da97a82d9261eb5c068caecb2a0614673fb897c978

SHA512
1d9bc63f2a43edac357a28147db981c3db8e37b8bcd2da37a5943dc8389de4b0e02d3dd895518b966dd5c30a7b7b8f6b253c8278ff8f9f12e8139565d5b18670

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMou.exe
Filesize
223KB

MD5
b9692d8165a6580bcb8687b65b5d9194

SHA1
068974eff5b4c9e0630791040ea3f7ff195f10b6

SHA256
0a26284eea16c7dd9373bb18889d9aa4213712551584441c202a595e872d29a1

SHA512
10484a8b9c13c6b1cbb7ba0f3c997f27f89a41abc5fd3938e0515cf0a7c213ccc1d5283b0a9c3c032e8c467b0a6bb8024ddebef314841248d66be8c24df1a3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoMUgYsw.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAES.exe
Filesize
649KB

MD5
7d39035c63998f5c8ab1e3091122c09b

SHA1
76c9bcce781d9f2d05d5640a65a6d1c2450e15fa

SHA256
de613a5a4794944327427e652adea6dad07141de36c614e9ca18d202f7564e9a

SHA512
a7a1be6c566da92ba5cc99400113f1dcddd762564f19584a2640bcb3e5bba558ef6050a1bd0f1da24b01552c9dd783786d54fd06df7e7ea0833e3b040c471b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAkO.exe
Filesize
196KB

MD5
cabb687f48c0a59c7c375bbeb76c3f64

SHA1
38f162b08b25d972b6e3ed1f5d1a41c2e333a477

SHA256
40c6ebf9e8627af60bd67bbc08d0d930f17389ab1b1355c2e8e882e4843b2346

SHA512
ca19edb676c5e8ae946b34f41b223fbb102ff8e6ca8b5f0e84dec89ac8e7f0e94ed15ab372776472c16b8da7e75e3ac3049603858e4204903ef428b743db6e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUYIockw.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUoa.exe
Filesize
192KB

MD5
1ee2a4e35f1aee4966459dd2ea428d04

SHA1
de5d8792361e2e997a4eb1cfd2b6e7174b18c2c8

SHA256
e1d317fa99fd17980c66c4132d1a5c30889696e019b5ea7265bd078a8da86619

SHA512
2fc3f20e61d03f3cab3d63c967320de40b0862ae24f8f5e6b4a26d2d1b63fb26f17273d87bda57a00a2dd054107a31eef56483d1c2e30173848343dbbd5f6edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qckc.exe
Filesize
197KB

MD5
d639819d6aa538743e9707b853e7657a

SHA1
cd0ccc02ba243e52a899e498088e59c4c1a90ff3

SHA256
71798a68f6f2f772581d10586d59524b3c7d861fbf88de09a93f30b5c08a7a22

SHA512
1f760bac7769fede6291cb5ec912d00cd87b69ade903bcbd3ca84ed77c6f750ab4246aa9f71bf57f3913b651907f8870501a164b21a14b8e47f5c2caf414c98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgAo.exe
Filesize
201KB

MD5
257209fb57a01de53167bcf4a538213a

SHA1
fd0c193948bbd0b88bf79e7a56d3536622576075

SHA256
67827ec62ad11306d7323c4c6269a1078546f1b618f7fe7e55b62d099453509f

SHA512
8c7c7c69f8d57a76b329f85cf5c88c3d297e9954d87bfd482c8c7ca551beb3bfccc36c6a0990dc35b956f2ebfe6c9c417843c04cb4f9835024c8f2568804bd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoEI.exe
Filesize
188KB

MD5
c55bc06808cb75935c9f36707ce805e1

SHA1
e1f9de4b6be469cfac086347878912024b1d639e

SHA256
2d43f87f19756edbebd3fc44968b49358da46858fb8c75abeaa60d886734e7e7

SHA512
368a64d5b49bf944e8d0fac11ce2b8a9302dd3185e27bb827bb9f7cbf213b96a08877f30db508a7800159cb76eeb95eb0d7d43610339d7b0339e3d05f69b7e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUAg.exe
Filesize
205KB

MD5
7359eb7195ea01230129a274ec6ed675

SHA1
3f743679d1ae48cba2556113eb45c3a0787d3cb5

SHA256
df50d3f4d30e340a756c6b9ac3933de3d9d1d66c4edee26c0e87fd49fa492505

SHA512
6d1055b3b65923539f41bb6b4af9e549bd53dd4df405098875a1992c4be15c6ddb48a025b5487a0fd9c303ed2230493ecf4eb3a10c5fca9f8471af876cc46ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwYC.exe
Filesize
213KB

MD5
67dee420e6cc924d8dc386819dc3c1c3

SHA1
9a13f8b1c2673bb0d682f5665ca3d3049aeb2d28

SHA256
903ed72d9689f68e60d4388e998b0377fd77472b8e395a166f7104b89edb8f57

SHA512
b5728d1b8736543ef4b955ed04873bc8e4133988b9540fd35671daee7c59fa844641ee75dd2427c72c6e712e7a37187ad7f4ead6ad78681cfa6636c9e8ca572c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAkkUYIM.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usss.exe
Filesize
212KB

MD5
79414a6a753d97d2144d24c34f5ec2f0

SHA1
a6823361edec8e36d1d1cd2022b10d34302c1f6e

SHA256
a068493cd3168d83479ecdad09eacd858e82245157f325d51b0a35d038dcf950

SHA512
bc945dd50b3fea52dfa4f3547ebbbc1b1a7f8a6c5cdea68b4cfceebb3b226796147f4e9c3803e0eae056528059ac3f4d2af4295b56fb2e7862111b018f27a136

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEYM.exe
Filesize
206KB

MD5
77baaab6fafdfebf6a9401e07e28fd01

SHA1
6adbde59df5510f7373e361d3f1e188a917218b3

SHA256
2b5e98679d5f019d9e3e45c094903319694f10daec4bfffc569bd00f2a2dc0d7

SHA512
990fcbcbbc91f023dccd5c2e61daee6f550150e4b1de71a338e249d17e1be1f00cd35980f95037c1c195000883b35a039caa5d86dc8bd410a60cf29448985962

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wksw.exe
Filesize
188KB

MD5
70281ca47499434cf1b91f7043633c85

SHA1
d736f0eea2cbb2689ed89ad2bae9a01a6a906d44

SHA256
b7d161e4138da2adca2326ec8ed372bb824f20940cfb0c83d001d5a3677e09ed

SHA512
5da6fb29175e143ec4f44ed8f1479e7f6fdb21d8e7de931343fdf64baa67679356801a9261a5786d83b5dddc216abed3edc94197521de731af269b9a2bcd5910

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwwM.exe
Filesize
201KB

MD5
a47d41457ac13ebe3666278adf4780f8

SHA1
0582e5ee7d4db2a284848e8eb70fa0b2dbae73aa

SHA256
e8130b044d338bb8035b95a3dd892b5ed4078c99150c0f3e015c733e6d9d9934

SHA512
a82537677d7062c9b800d1ca984ec27ceb9a5b06250c75e68d42ea4c8458c3e46808cf2faae1f204a9b9b7e91e0b68ec6834dcdfb3d455e53e425a19332b7e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAom.exe
Filesize
197KB

MD5
668e4cac9360fc12ffc4bd45a690d1cd

SHA1
c4ea790291a2f5f4a729030f12975ef2becca44e

SHA256
8dd6156231077eca23d229a59d13ccffb03f8425d13d8224f1042ee3e395cc71

SHA512
079b09661258a91511165911fb7f35d06f58c4e5ae038dc4c0ed98ad11ae48b740123468e0b437a45d7c506b210c2e1dfe6f320b03f209eed1fe8aa7ff8300b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIUY.exe
Filesize
647KB

MD5
2e156d509c112e6fc6bcae294fc7b6ef

SHA1
7e4f0b8ea0562207a8d3f24247d29d1f7f61ef5e

SHA256
feb4b19b0bfc8320c7ca2985a5e5373ed4e75e13dde31e4fa82d43d721f520e0

SHA512
3d310aa1b0370f8cd84d31b3286747f51512db3c0ce7b22cf61c9d13936ab86f720c0c088970ef94f27d7d6858ea9d7c5f14f5d8b7ce076a599907b81befda81

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUIm.exe
Filesize
637KB

MD5
e35f3c482a8537d01118717afe849dc7

SHA1
01ca19abb98fe9b37ad265b3bcb677acd423058f

SHA256
847c493f12f439a2d7d86405f9e23a8d0b7b86f475609afb263ef3f644bedbb1

SHA512
be74759cbd105288c2a3de1b034ac0e6e6eaa1bd159fecf84028af48532d65964e1d56f0f748b5e256f619b530becb0b2b231ae7209f697e5c1dddc90150e4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yoom.exe
Filesize
207KB

MD5
da8be64b8403c22340a23b74b24acfa6

SHA1
1a014ed4474f58149a271ca4465bca5ced94fce5

SHA256
b27656c37df9338b62559447d52206b77c3579f8e9f3579e789385ac68a6f964

SHA512
87c8ea3a38b8248fd9495657dbd52a2a7740a85d51e69c157eef79554da11ddbf4ec9fc763b34925130f250764d196a48531e786564be70d8831f08734cb9e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIAa.exe
Filesize
206KB

MD5
975ec90db5bac83c8394cedcdacf84e8

SHA1
c01f601f962cac68d5819d48d4706bb07ef65b44

SHA256
2a7ca689230b85ee7a235d1a457d0df018d95c1728a627ea7e9756df51889007

SHA512
7b6e509bb9bfd3aa2253a6da5056e0d3dbe392a529ad5cda76eea95bf761d9ce71fc509992caafac0cf57e801fc5a6b1ef0ee8682197cecdd2098273d798824d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQQu.exe
Filesize
203KB

MD5
37eccb527a545cb7bb9f1677e7988fd5

SHA1
58723a62421bd13bf4fb514537965394f92287d5

SHA256
3c29efb8fb57e39efa64ce2d2a04285c42b8fab63a50ee98a5e75651b39091d5

SHA512
0c3cd60f0443acd41157972fee21eed6b84fbbbe925eb01e295661160c1553ca40998dcae61b2ed5ee9f1871c9fd77319bec297e6e1efa36291aaa04d187a67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmUIwscY.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMQk.exe
Filesize
201KB

MD5
ff9bd8b24ed6d7db96737f8bc61d1641

SHA1
6c111ac2d0568c66b07522d4de4a6aa1e6f836f6

SHA256
5a490522601e9bf40a9d93e5d8c5e82cd0ed8701d9199b514f7b74670c81b716

SHA512
b0cda28cb18ae3fd7b50b3b08750e974dac17b5859d142cddd2c77cc24392ef55840e75935dd30695a6795fd45d8b715326a98af6db902049fe31a4b4056014a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccwG.exe
Filesize
206KB

MD5
90409612e35c4f742f59280f8d5b8705

SHA1
ef46d8acdd6947b47310cfea4ddb1c719fafd886

SHA256
839529ad4525edd941ffaee917b1009e729e1da499210e7212397f58073a1080

SHA512
2f935beaf018dba26f63618eab84980c2ee8aae704fd0eaeda4bd860ed2367276a9c5e6f16823ff935c2a8ad0b57ecf66fc970dead2c1625df09d1cbaf40586e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgEa.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\cosq.exe
Filesize
193KB

MD5
8c0c63c81db27caa1e1b1ce36bee5a06

SHA1
be7f26635eec0207efc7b273271cf2c272fc91ad

SHA256
2c7bb06d4a35323c0172ce7c830aed769f706bd6b0254cdcf0c8de7aae84bcea

SHA512
bbf0f288e8d2e0ce11dd6032d917816bfb2a549245afe9a5c9c21426cb87387c400ead7f05068499be2c51053d69b27ce38e6cfef1fe120ef84e37097d95fdc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\csow.exe
Filesize
195KB

MD5
2ba301649d90c962ace7b6e1f97585f4

SHA1
e7ceff9aaa1b803740fac6a21b484b1bdc518b03

SHA256
345768d5ea6524c3a6d8e78f668eaa6d61dd838aa86c29d295c0916e4922bece

SHA512
1921ed1637f4732039b276841797f9a7181522bd7ec1f7ef6529af997b43d77b5b7802d43a0b957ab8ac883a200f9086e3027bb01407c706678a49952aebeb54

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwsE.exe
Filesize
202KB

MD5
38941d294f3799a93f99325f1625c0d7

SHA1
8994a8f802b292598343c8935a52dfde5fcf58bc

SHA256
58e90ce7078905116726e7bf9e90d92808d248e784ed13c95d929c699491f2f5

SHA512
e5c64c01d23ad1b078a45fb102a288427bf3340a5c6c98323226d9ad135736424e562d64df3bc2fa69de9af85f54aecb800b36d4c2cf6d49feddcd6b08851dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIUS.exe
Filesize
319KB

MD5
d8696dea3447d748b33e17a490cc91f7

SHA1
487d2c9b8a9a66c659ffe038fa1ccaee544e4bab

SHA256
e19fec0aff593c5a9001b41c38b61bef04eb0bc9e0cf0cb218e38c4d7819fb72

SHA512
b615f2d4ab4ba2d013135fca26f4bfba0b47b0be7d51fd63b6aedaed26a1d46a4cb72d82d4744c8fedbb8acfb5db1215d90a751b8049d057e313ca5813e7fb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKkIYgoE.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYkI.exe
Filesize
195KB

MD5
e9f962cea1f86adf927d7063b9d31a0e

SHA1
15a119312f4342840c98cd6d0a7b4670ce77ccc2

SHA256
a9f8f8573530f481fd0bf3740689fb05269fed5caab51022b551e922890b572b

SHA512
76cc58fa16efd73192055b3ba574499b08db25e6bd041ee36e409ddc7d47511f35a3cfc3d5c69b949dbef2839b3e952eb8b03f0c6202228e28274fa4fdc8288f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekcS.exe
Filesize
214KB

MD5
bcd21c04de580533dbbe65f77a30862d

SHA1
3b8c7695a8e260fb698cd385c187cc04778a65b1

SHA256
4584f787a731d41d60f86cb90473092235fd32cdc5f5dfdf34e2171d559e4c6b

SHA512
63617dfc665368e62a9ec3712ac64c24454ab29c2125d53372393b56857669633977e55cd09eb01f38554695acc250f4aed13c794abe6c2b64f5c6a738e483d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIMg.exe
Filesize
189KB

MD5
7eb9e2cf6f3f734d44af0659761fc794

SHA1
b5c28ac92ee6d96d4e395829bc80b80f820cf820

SHA256
9f3d19cff06cf105ed1d8053ad3256e2ccb884612b86e4f2dbeff842cd6066ca

SHA512
6d237958947a87783077bc4fc28adc1c943fe1c1898cb86881d8b2675af8da33cf9b52aea78bf70b67a3ca9a3673b07a0ba298223c3a3c524802948374726d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMUk.exe
Filesize
786KB

MD5
7e30f6d59c36ece0cb4b6516f7715b43

SHA1
09e07267c427673d0ce19e9d20e7b04553a6ae4d

SHA256
7663f3cf14b4f0b4c51285fb1dc10ddaf08badcdc0c8924b614caae067d4b510

SHA512
affbf63e32539de08611ba48eee5bec63d0462bf8204a97743965686d9f4e8db53203c5133c1727aecbadb4c9c412a399287f9f5ab99039bee1bfed00d714877

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYMs.exe
Filesize
202KB

MD5
24c5dae30062fb5aeb0f0bdb3a671977

SHA1
ca77d00bd9b1929c81471c9b32fd482d623ca3f2

SHA256
074e102a99a22a60367c3358524ccd66ba02ae3de86f40c56778ac49a388421d

SHA512
79315d02df9a2471c2342f5d4e1b4ba41d3a69a5429a083cb95cdb945cf2c524ee0a2cab3e55cd77b4954bcfca27092fa5c50492df5570372f5fa530c5550ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAgw.exe
Filesize
202KB

MD5
267f3b200699c8da43d60e3614ef9919

SHA1
807b6608dce8e5d55c7645a4a1a55ce2b99a2392

SHA256
36425b00c9f70371c7d6b8fe72f6ec7de5e098a4a2f232956834f25365cb78dc

SHA512
81110d574792f60b19e96ec4552c713df91542bb9a792d19c2ea63889a23323288c657a1161de2ad2f66ada0dfc9a3f9b1df3391d9fa14039b52a461cb97fe1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMEs.exe
Filesize
183KB

MD5
b4c08586f2d5cb545394dec6b88ade62

SHA1
51db49dd49d2c5ea9950ff5232da82fce4a23e97

SHA256
2757510fad3b6954e02a9b801120c9bee760a69f68a9d4b9d7e22c155f9af820

SHA512
146258e6bcc98c2be48281a808fb612a9e150304eda919d69bd03d9f539472b83c755f005997e1be2f07f8dd45b457419e4271c1a316a3789a89a8b622ae9e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAsksEUc.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMYC.exe
Filesize
202KB

MD5
a90d0e05451935df0948d1aa858d0f32

SHA1
ace4cd43a1113247a9dc34d4b1f9c78f167a69f7

SHA256
907f3123e044139598a67bd17b8620e548bdcbd240c8a72d7edf0544afe71118

SHA512
ab7ac519f22429d05ebc2757c6e5560d8e39c3fdc72329be13ad7637a5bb19976275d084e05eb428e88f388b88646e170975309b00b1a6d9fe9469008c8b75c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksIA.exe
Filesize
397KB

MD5
fdbe5ec45d8ed7f0bd412f15249665de

SHA1
4692ca27975864887e74d71bf3ff29d7537657e9

SHA256
5c0ac92297d68b42f8134ffd2ae1ed93d2f42b3b46931153fb3918859a9b4897

SHA512
a3a36629a5d602b9b26cbd29e780a2533c4ae47c5fd7148c784413f0d35e03296fff3ad16fd112f0a34aa2452cbc41e96183fe5cc2f66069c66e74761d8d0616

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUAocogI.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcQW.exe
Filesize
507KB

MD5
206e74c0a0ba64a73dea0f600cf87dcf

SHA1
ef272f248e00cc4ad123a5ccd0af647c2f94a9af

SHA256
b84df2f37ad0c643797bf6eb6f488d59bd6a28a20f26e28e3040080543cf9bf4

SHA512
8ab4e20a69b175f87219baed51269acedbc5d23aa51be547a0843e51dc3de8ddfe4f9c0156554f5ded1ace68e987162b6bc9eebe830dec55c92cd689ee80d799

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkQK.ico
Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQwkQMAA.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAQI.exe
Filesize
189KB

MD5
79e1180ef962b506b1bcfe8c58f5817e

SHA1
707d3a5a50d37c4733686d5402760993d31b6483

SHA256
34ae6541a5a6548e84f5005deb3bc0f459c62b30d49abda9d95b15c36ee872d1

SHA512
2f490182d2e6026d0c9238c408298a9204aff4ff203f2a22ca179c2c7d23df0eae8ad8b4ca550680178fea058fd6e5b711860973aa9d2cdc649c5c84d4cde3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocwA.exe
Filesize
226KB

MD5
e166ef6bb1cb88360f550a0caa6f3ae3

SHA1
a565182b64f0cc40bc547823eb3f484b7660596d

SHA256
668735422231955a45032de1345521fcb515cd33e306967905d37f29c522de82

SHA512
1a5cea7f0b878d85baa2604c4b2edacbeddc103539c7e84eb89a834012a6801597edede0453cc22f39d905518653995b5b2c61c63caa001040f07d30f3d874c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYYm.exe
Filesize
204KB

MD5
d52d417bc134ef78ad98eab860f24308

SHA1
a66a46178deef8c3b7e1e1f064a65b91a82e2e8a

SHA256
6d6a120f424fe59adc041c36d51572ab1a1cf4f5cefe01f2125f019eced39b7a

SHA512
3bfa9856d2811b859ecbde461514c8c1688fd8784c5ecf19df32b1ef9518f972bd82bee63506808aecfed803f05d6a5f4f02a74b15054db3ce775e29a442e6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcAg.exe
Filesize
185KB

MD5
093fdf69a7b57a795fb297bb8ade2559

SHA1
ee042ae659e45cddaae99b9c680a83968cd16116

SHA256
f4727dcfa6ccc4c0efaff58e67ff249287f94182aa61875a5e58ff3d5014b98d

SHA512
dd7f07b03092b33c6b64117b26bdd509323bc71de827d854318fa7f7f8796e4de316873cb1e7e0221582dc0c3132fa3ff24476fab857937ff1a0eb6026d9e0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoUI.exe
Filesize
404KB

MD5
90900cb7ea2ab2cbafab910721dc43e3

SHA1
e25cea033a46b9d961a901eb91d0e7e728d9c238

SHA256
3ae003fd4d489f7240698d1a6110f8b90dcb26b8f58aa7bc9b27c9adc7cd28c4

SHA512
8c13e430e424240c2bb9c09a01074cfe880ea1d7b49ac2943f7baefd5d318f5edb996065a899fae349ee2d7a084c2ebb1dc78fa1402ae5c4d06b5b14c0cad1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsoI.exe
Filesize
204KB

MD5
d8a96fe9aa1e0139f1d13607b0b2d236

SHA1
491e9481719b900a813ca2f203bdb249f1d7e9d4

SHA256
d86d2ac9da90889e950e4d124b0b2bf58f6951e82236a843015c72187983a7bc

SHA512
87ca2515cad3d181690ffb6f817cee9a0012d7c579a8559c9294fa8556772a3a7de426d2eed69c02f95b5c4345628af86959eeaf424fe50319e0c75d783c3619

Download Submit
C:\Users\Admin\AppData\Local\Temp\raUQkIwE.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\raUQkIwE.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEUI.exe
Filesize
650KB

MD5
5a594dca6f73cdccdf968fdb177adaa1

SHA1
e0e331ed9c296e4393825ef928400cd01840c66e

SHA256
e329a9dcaefbb34f6456548a23e49197a80e43b19094a6e53697f4ae31417385

SHA512
05d40974128069db9f03d98dc419786a295be11662cb23282be756311e1f048167cb935c09638bf2fda941b09e742d04d099406aead28512babe095b4a94a363

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMkK.exe
Filesize
205KB

MD5
a3015bf76e301d16cba31779189b0d93

SHA1
b446eb151c7b2a7ddb156fb7a2e7f2ea5fa3ac57

SHA256
8cee36767bbf117ceabf20c1eb2da4b806ad6db91caf5a41da482651d22c9d2b

SHA512
bbdbf7a867a892bcad066930e264b44cb56cfda656db261a8091c63f39e0b312ecca28a9f18e84b9b176589df62e8576d61e7df3ae27c12358e455d9efaa6fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQAG.exe
Filesize
192KB

MD5
d61651680b5bf791d8e59c8ed4ddbc5e

SHA1
bf5f77f53453ffe36eeb1ae8ff5b6cbd45917787

SHA256
685de584b7b749c650acc52ce690d9ede1b1c8f929dc85a24ecbac0e0731da64

SHA512
02c0ae9e8d01e0767fdc0d68f18ae53901a95347739b5207052ceabfcf96ecac82afd4d95813c3edba4a5871fcc2914363c0b438e7d84907d21f9b97acea3387

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQoc.exe
Filesize
215KB

MD5
df2d7bd5bb957c1670aa019ab6ada8a4

SHA1
2acdbbf6417e7b550e2d685559534a69628f1987

SHA256
c4c56fe7547efa3f0498af0f5675c249ca2df02c4b2578023064c9f01607cf9b

SHA512
3d578056e4bde1db35e14548b8616cabd46fe97756bf30816b27bf387be3eeec54adc8e47f5782428b6e8df91028c4a38e154e8c84faeccd7358156fc976b360

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUUW.exe
Filesize
827KB

MD5
653f8de4996ab87566379c2f50a370b6

SHA1
88043ea6076114e9326e07e9f2d8f84f3a33b005

SHA256
5a297794f43d6c8b38bd653d98fa3d112adc5d9d2428f44e8d7a58a736b99364

SHA512
28465b5c1a3abec893a1af3556a67ebff523daae0c53764eb5f5a158c60c80466a263621c51355fba7748f507ff951cf9fe3e0c996d1d38b3320473dc197d878

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUsM.exe
Filesize
317KB

MD5
8823f50b0d0e73fe49b3cfdebbe11ac8

SHA1
1ec592f54e8723753c7e0bf672f8660ab5665a94

SHA256
b1104caed456c8e1910af5d2310bc8f35a0a107136f709060b40ec52fa1b1bcb

SHA512
c7b9e4f634205875ffddba1d05aed8662068b36f24adf38831d64b476f222fd4bb68aeee8473a0926ee57ec2700fe57e73b3f8b86c4461476ba2cafae7f48a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugAg.exe
Filesize
830KB

MD5
200a0e6fa0c5f0bc56914a21038fcd73

SHA1
240325b92c29fc5921da798fbac85157ee2fb5fc

SHA256
5174ad4bfe38fef0700ab54d3118aaa88621ff43bded4542013879429600b5c2

SHA512
c0d619d3296c44ad76eb4d466a0e5abdae93ca133691d76191545a534156e3e30d9480115175af7f4956bfec3a96ac9269bc46475c256c3f3f27786dab210dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4vcmk
Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEIM.exe
Filesize
5.2MB

MD5
bb175493711b2d77b87b6756f94fb708

SHA1
88462b1d786c0f6a1524c8eedbb3d12e8a172bb9

SHA256
2bdc0966b02e0dd7bf13c8a887b52f51b7bbeef335c22683ad91102af6c13e58

SHA512
9f5892a59f1fa01b3fa0b7029ae2b67a523e7a210467142a6a815d223a61838110120844b6dfdfd85d590148e39a57070b0394bfec7313a22f46a0a4f166a221

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQoI.exe
Filesize
190KB

MD5
e141dcebb1554c0cfb0bc3abc6fd77a4

SHA1
aa60220b7da01d48c56b58d09ada19aefc63291b

SHA256
90e9c62165982ec3ad0c75f23da67cd88fdb85546796d169733a2f6fa8d26bdc

SHA512
259b66b653dde8ef13b4a834db0e9545847e33db714e7eee08e8f51e0d036bc5e78b6121061f7a0d48f7d954f938e7b5b9494171b8fd65a0d566989b296d9760

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwcc.exe
Filesize
205KB

MD5
0fe5741dac81bc4829d64640e15c914f

SHA1
7a3081ce295ac1c3a3c7437b0fc347c76138779c

SHA256
d3cd338a326b4134a6490796ed24f3e209807304e17cad57ad6916be4e7226c1

SHA512
4d8d08ac1ac1282f7ca6c276f817765f0f5717d9c8b662376722eda747e86d6eb44d71f4eb9b7ff5bee618b3b8039d4591d20b99a79c91accc5652cc2682bb71

Download Submit
C:\Users\Admin\AppData\Local\Temp\xGwkAgks.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIkc.exe
Filesize
189KB

MD5
e4679881b94c3d02a9f3741ceb9271e4

SHA1
98a36d60c9c425763d7b4d4dfdc858d416aedf72

SHA256
56b12168387b2ebd91e2f3c6c4bd599199d634bcf509ac6ac5e1e64cb6fc4eb2

SHA512
10ecfce16a2f51172bd4e28d85db3074615d3d49f550a3354b014312a55e34ec4c1056969602d36888411b8a95501ffc231813b3b6b5edd8f846b6ff96511d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysMo.exe
Filesize
216KB

MD5
e5af1a0e2f4bcca753e229cfef358b7a

SHA1
a4c29f9c5d362240b4106087434f9f5406f330b6

SHA256
dcb2987df3a9b63015bd87a1fe63a428207d80be576ffd5ff3a7fa7f1c11f409

SHA512
44fb47e736f5e6ffae6c373a11fec21473d6f9ac4d89041bdbe736319eb66d2d13fbc2f8beea01944cb4322df8a0f2b4ae71789f442d076e4c019e7ded810740

Download Submit
C:\Users\Admin\biEUwQcc\nkMAQcEc.exe
Filesize
197KB

MD5
3fd13fb1799e07d85d676f007a54d538

SHA1
980ab4c7fef91348b42b2b9a57331c541fd7fcc5

SHA256
ae92c919e9e31a4d9a31bdc1158dc03ff903b3a9207991e25873f676bf70377e

SHA512
daea231aad3e7d78dec2e954c4faa3061a96e858cb4e8db03473972c8e320b0719921cc7c2fd2daabb0c995c892c33d5b6774ca72d9c19f1243f60bc0cc662a3

Download Submit
C:\Users\Admin\biEUwQcc\nkMAQcEc.exe
Filesize
197KB

MD5
3fd13fb1799e07d85d676f007a54d538

SHA1
980ab4c7fef91348b42b2b9a57331c541fd7fcc5

SHA256
ae92c919e9e31a4d9a31bdc1158dc03ff903b3a9207991e25873f676bf70377e

SHA512
daea231aad3e7d78dec2e954c4faa3061a96e858cb4e8db03473972c8e320b0719921cc7c2fd2daabb0c995c892c33d5b6774ca72d9c19f1243f60bc0cc662a3

Download Submit
C:\Users\Admin\biEUwQcc\nkMAQcEc.inf
Filesize
4B

MD5
1c25b8952940d10cb854c0cb89c30678

SHA1
1b758daa49a0dbc67a370a44544c2aa23afd402f

SHA256
2fe8478021890b09ce51557ebfa7e9b126caa15fb60b2300aaf79985b33a7358

SHA512
90d60396a2a327c0fc3a05e610fc1e62a6b77212de19f3783e766f46a7b647d0e0b27de02e61a8732413f29f3bb35239e1b923431a4bb3aa3db28bd3c45f07f2

Download Submit
C:\Users\Admin\biEUwQcc\nkMAQcEc.inf
Filesize
4B

MD5
63c45f09be577d1565ec5f3c6b0535c9

SHA1
be449ad93e59373b33d931eb24b1d1ee4fa8efe2

SHA256
167c7f17cb202e6f037100a372541e401362243e0647414eb3bc4f26aaec6c9b

SHA512
01395c2b5c838832f732750b7e0e9bebc530aae9243bfa154583754892f023974f82aacda4f715219b018b37169957171606084cd359b302d443a62d0aa76718

Download Submit
C:\Users\Admin\biEUwQcc\nkMAQcEc.inf
Filesize
4B

MD5
2ecb72f124b676dbf9ca094f6052b3b9

SHA1
f938ad8d9e8120460c567e623009099ccc9b770b

SHA256
99b4c7261a6132d32d7f64c960b5c2df591b469a90843fbef52db6e61a8fb882

SHA512
30c8d33a94cf2c23e8ae63272f39812d9bdf9a6a65eccf2483c63ae33e4ef0e8137ca5d7db7319ec281c2c8ac719739497388446cd3f2a23dd51714cd665f209

Download Submit
C:\Users\Admin\biEUwQcc\nkMAQcEc.inf
Filesize
4B

MD5
589bbacd180592a46652cca004ce1c4c

SHA1
685f7a5ecb3b65b6ae926cdc826c0c5e405e99a3

SHA256
c6461ceb1d1f45c6a77f7b4c66c254616a9d0712ec46d8e2ebc2ad292dafa67c

SHA512
6fbdf1eac6f935001a90707fd15522b79ac8fe31dc43a68b26b4b8416b7b5514bb47f17aeeb7769a4497292673ddd21c758ee3b1f54dfcae7515a7a20f0c642a

Download Submit
memory/448-193-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/616-317-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/824-253-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/956-569-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1400-550-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1508-504-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1508-500-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1556-330-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1752-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-448-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2000-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2088-430-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2216-631-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2216-638-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2220-207-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2220-218-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2372-440-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2372-479-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2372-486-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2372-585-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2488-369-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2488-361-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2604-181-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2604-171-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2604-629-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2628-165-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2676-231-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2740-496-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-355-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2952-168-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3136-532-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3136-524-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3224-523-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3232-513-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3268-403-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3364-260-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3364-265-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3468-656-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3540-293-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3644-242-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3748-648-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3788-395-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3788-390-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3936-206-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3952-305-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3968-380-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4052-551-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4052-559-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4236-414-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4236-422-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4368-458-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4456-413-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4656-540-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4756-342-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4756-331-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4900-595-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4932-460-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4932-467-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4980-577-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4984-597-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4984-477-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4984-609-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5064-153-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5064-136-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download