70545c9965821803457d4365df75607a048330318a475c9a9edb1c30cca6a09b

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

965ad2194c6756exeexeexeex.exe
Size

203KB
MD5

965ad2194c675628306ad5c88672924b
SHA1

a3de1053ab42a63dacfc9950da8a35721bdc2d7d
SHA256

70545c9965821803457d4365df75607a048330318a475c9a9edb1c30cca6a09b
SHA512

950e98b4c6b2a13cc96db091522ae537f5194cb992eac1572c0dab4464d5ae605a55a5c4da40b56af5e3c5a1c141918416f0b662c340490ddc47026160d7da5a
SSDEEP

6144:Xb966THtJEaFBTSjZkgnjfiNFwwzTdSvw/:X5fEaFBTsZkgnjfiNFwwzk2

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 43 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	965ad2194c6756exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	965ad2194c6756exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	965ad2194c6756exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe

UAC bypass 3 TTPs 44 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	965ad2194c6756exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	965ad2194c6756exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	965ad2194c6756exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wmiprvse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	YSMowYQo.exe

Executes dropped EXE 2 IoCs

pid	Process
3184	YSMowYQo.exe
2448	sWAMgQIs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YSMowYQo.exe = "C:\\Users\\Admin\\wkYcIIEw\\YSMowYQo.exe"	965ad2194c6756exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sWAMgQIs.exe = "C:\\ProgramData\\AUowMMcI\\sWAMgQIs.exe"	965ad2194c6756exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YSMowYQo.exe = "C:\\Users\\Admin\\wkYcIIEw\\YSMowYQo.exe"	YSMowYQo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sWAMgQIs.exe = "C:\\ProgramData\\AUowMMcI\\sWAMgQIs.exe"	sWAMgQIs.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	965ad2194c6756exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	965ad2194c6756exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	965ad2194c6756exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	965ad2194c6756exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	965ad2194c6756exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	965ad2194c6756exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	YSMowYQo.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	YSMowYQo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2280	reg.exe
1100	reg.exe
4044	reg.exe
4516	reg.exe
964	reg.exe
2132	reg.exe
3908	reg.exe
260	reg.exe
4788	reg.exe
60	reg.exe
4396	reg.exe
4304	reg.exe
1156	reg.exe
3844	reg.exe
3552	reg.exe
1468	reg.exe
4824	reg.exe
3724	reg.exe
4492	reg.exe
2828	reg.exe
1748	reg.exe
2112	reg.exe
3524	reg.exe
796	reg.exe
212	reg.exe
2952	reg.exe
1108	reg.exe
1620	reg.exe
3020	reg.exe
4484	reg.exe
3700	reg.exe
4820	reg.exe
3992	reg.exe
1256	reg.exe
2028	reg.exe
1032	reg.exe
3692	reg.exe
5060	reg.exe
1428	reg.exe
4016	reg.exe
2264	reg.exe
1136	reg.exe
972	reg.exe
3244	reg.exe
3468	reg.exe
1408	reg.exe
1352	reg.exe
348	reg.exe
2520	reg.exe
4248	reg.exe
1828	reg.exe
3132	reg.exe
2544	reg.exe
1956	reg.exe
380	reg.exe
4540	reg.exe
4556	reg.exe
4656	reg.exe
4236	reg.exe
3420	reg.exe
3416	reg.exe
1540	reg.exe
1828	reg.exe
4680	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4368	965ad2194c6756exeexeexeex.exe
4368	965ad2194c6756exeexeexeex.exe
4368	965ad2194c6756exeexeexeex.exe
4368	965ad2194c6756exeexeexeex.exe
400	965ad2194c6756exeexeexeex.exe
400	965ad2194c6756exeexeexeex.exe
400	965ad2194c6756exeexeexeex.exe
400	965ad2194c6756exeexeexeex.exe
432	965ad2194c6756exeexeexeex.exe
432	965ad2194c6756exeexeexeex.exe
432	965ad2194c6756exeexeexeex.exe
432	965ad2194c6756exeexeexeex.exe
1620	965ad2194c6756exeexeexeex.exe
1620	965ad2194c6756exeexeexeex.exe
1620	965ad2194c6756exeexeexeex.exe
1620	965ad2194c6756exeexeexeex.exe
4408	965ad2194c6756exeexeexeex.exe
4408	965ad2194c6756exeexeexeex.exe
4408	965ad2194c6756exeexeexeex.exe
4408	965ad2194c6756exeexeexeex.exe
4264	965ad2194c6756exeexeexeex.exe
4264	965ad2194c6756exeexeexeex.exe
4264	965ad2194c6756exeexeexeex.exe
4264	965ad2194c6756exeexeexeex.exe
1632	965ad2194c6756exeexeexeex.exe
1632	965ad2194c6756exeexeexeex.exe
1632	965ad2194c6756exeexeexeex.exe
1632	965ad2194c6756exeexeexeex.exe
2264	965ad2194c6756exeexeexeex.exe
2264	965ad2194c6756exeexeexeex.exe
2264	965ad2194c6756exeexeexeex.exe
2264	965ad2194c6756exeexeexeex.exe
1148	Conhost.exe
1148	Conhost.exe
1148	Conhost.exe
1148	Conhost.exe
4720	965ad2194c6756exeexeexeex.exe
4720	965ad2194c6756exeexeexeex.exe
4720	965ad2194c6756exeexeexeex.exe
4720	965ad2194c6756exeexeexeex.exe
3944	Conhost.exe
3944	Conhost.exe
3944	Conhost.exe
3944	Conhost.exe
3676	cmd.exe
3676	cmd.exe
3676	cmd.exe
3676	cmd.exe
4132	cscript.exe
4132	cscript.exe
4132	cscript.exe
4132	cscript.exe
384	Conhost.exe
384	Conhost.exe
384	Conhost.exe
384	Conhost.exe
2344	Conhost.exe
2344	Conhost.exe
2344	Conhost.exe
2344	Conhost.exe
964	reg.exe
964	reg.exe
964	reg.exe
964	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3184	YSMowYQo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe
3184	YSMowYQo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 3184	4368	965ad2194c6756exeexeexeex.exe	84
PID 4368 wrote to memory of 3184	4368	965ad2194c6756exeexeexeex.exe	84
PID 4368 wrote to memory of 3184	4368	965ad2194c6756exeexeexeex.exe	84
PID 4368 wrote to memory of 2448	4368	965ad2194c6756exeexeexeex.exe	85
PID 4368 wrote to memory of 2448	4368	965ad2194c6756exeexeexeex.exe	85
PID 4368 wrote to memory of 2448	4368	965ad2194c6756exeexeexeex.exe	85
PID 4368 wrote to memory of 3756	4368	965ad2194c6756exeexeexeex.exe	86
PID 4368 wrote to memory of 3756	4368	965ad2194c6756exeexeexeex.exe	86
PID 4368 wrote to memory of 3756	4368	965ad2194c6756exeexeexeex.exe	86
PID 4368 wrote to memory of 3416	4368	965ad2194c6756exeexeexeex.exe	88
PID 4368 wrote to memory of 3416	4368	965ad2194c6756exeexeexeex.exe	88
PID 4368 wrote to memory of 3416	4368	965ad2194c6756exeexeexeex.exe	88
PID 4368 wrote to memory of 3132	4368	965ad2194c6756exeexeexeex.exe	90
PID 4368 wrote to memory of 3132	4368	965ad2194c6756exeexeexeex.exe	90
PID 4368 wrote to memory of 3132	4368	965ad2194c6756exeexeexeex.exe	90
PID 4368 wrote to memory of 4656	4368	965ad2194c6756exeexeexeex.exe	89
PID 4368 wrote to memory of 4656	4368	965ad2194c6756exeexeexeex.exe	89
PID 4368 wrote to memory of 4656	4368	965ad2194c6756exeexeexeex.exe	89
PID 4368 wrote to memory of 4972	4368	965ad2194c6756exeexeexeex.exe	92
PID 4368 wrote to memory of 4972	4368	965ad2194c6756exeexeexeex.exe	92
PID 4368 wrote to memory of 4972	4368	965ad2194c6756exeexeexeex.exe	92
PID 3756 wrote to memory of 400	3756	cmd.exe	96
PID 3756 wrote to memory of 400	3756	cmd.exe	96
PID 3756 wrote to memory of 400	3756	cmd.exe	96
PID 4972 wrote to memory of 4456	4972	cmd.exe	97
PID 4972 wrote to memory of 4456	4972	cmd.exe	97
PID 4972 wrote to memory of 4456	4972	cmd.exe	97
PID 400 wrote to memory of 992	400	965ad2194c6756exeexeexeex.exe	98
PID 400 wrote to memory of 992	400	965ad2194c6756exeexeexeex.exe	98
PID 400 wrote to memory of 992	400	965ad2194c6756exeexeexeex.exe	98
PID 400 wrote to memory of 1416	400	965ad2194c6756exeexeexeex.exe	100
PID 400 wrote to memory of 1416	400	965ad2194c6756exeexeexeex.exe	100
PID 400 wrote to memory of 1416	400	965ad2194c6756exeexeexeex.exe	100
PID 400 wrote to memory of 3468	400	965ad2194c6756exeexeexeex.exe	101
PID 400 wrote to memory of 3468	400	965ad2194c6756exeexeexeex.exe	101
PID 400 wrote to memory of 3468	400	965ad2194c6756exeexeexeex.exe	101
PID 400 wrote to memory of 60	400	965ad2194c6756exeexeexeex.exe	107
PID 400 wrote to memory of 60	400	965ad2194c6756exeexeexeex.exe	107
PID 400 wrote to memory of 60	400	965ad2194c6756exeexeexeex.exe	107
PID 400 wrote to memory of 3692	400	965ad2194c6756exeexeexeex.exe	104
PID 400 wrote to memory of 3692	400	965ad2194c6756exeexeexeex.exe	104
PID 400 wrote to memory of 3692	400	965ad2194c6756exeexeexeex.exe	104
PID 992 wrote to memory of 432	992	cmd.exe	108
PID 992 wrote to memory of 432	992	cmd.exe	108
PID 992 wrote to memory of 432	992	cmd.exe	108
PID 3692 wrote to memory of 3992	3692	cmd.exe	109
PID 3692 wrote to memory of 3992	3692	cmd.exe	109
PID 3692 wrote to memory of 3992	3692	cmd.exe	109
PID 432 wrote to memory of 2136	432	965ad2194c6756exeexeexeex.exe	110
PID 432 wrote to memory of 2136	432	965ad2194c6756exeexeexeex.exe	110
PID 432 wrote to memory of 2136	432	965ad2194c6756exeexeexeex.exe	110
PID 432 wrote to memory of 3524	432	965ad2194c6756exeexeexeex.exe	112
PID 432 wrote to memory of 3524	432	965ad2194c6756exeexeexeex.exe	112
PID 432 wrote to memory of 3524	432	965ad2194c6756exeexeexeex.exe	112
PID 432 wrote to memory of 2132	432	965ad2194c6756exeexeexeex.exe	113
PID 432 wrote to memory of 2132	432	965ad2194c6756exeexeexeex.exe	113
PID 432 wrote to memory of 2132	432	965ad2194c6756exeexeexeex.exe	113
PID 432 wrote to memory of 1464	432	965ad2194c6756exeexeexeex.exe	114
PID 432 wrote to memory of 1464	432	965ad2194c6756exeexeexeex.exe	114
PID 432 wrote to memory of 1464	432	965ad2194c6756exeexeexeex.exe	114
PID 432 wrote to memory of 212	432	965ad2194c6756exeexeexeex.exe	116
PID 432 wrote to memory of 212	432	965ad2194c6756exeexeexeex.exe	116
PID 432 wrote to memory of 212	432	965ad2194c6756exeexeexeex.exe	116
PID 2136 wrote to memory of 1620	2136	cmd.exe	120

System policy modification 1 TTPs 16 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	965ad2194c6756exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	965ad2194c6756exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	965ad2194c6756exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	965ad2194c6756exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	965ad2194c6756exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	965ad2194c6756exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\wkYcIIEw\YSMowYQo.exe
  "C:\Users\Admin\wkYcIIEw\YSMowYQo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3184
- C:\ProgramData\AUowMMcI\sWAMgQIs.exe
  "C:\ProgramData\AUowMMcI\sWAMgQIs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
    C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        8⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        10⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        12⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        14⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        16⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        17⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        18⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        20⤵
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        21⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        22⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        23⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        24⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        25⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        26⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        27⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        28⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        29⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        30⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        31⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        32⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        33⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        34⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        35⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        36⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        37⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        38⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        39⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        40⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        41⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        42⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        43⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        44⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        45⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        46⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        47⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        48⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        49⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        50⤵
        
        PID:3276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        51⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        52⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        53⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        54⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        55⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        56⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        57⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        58⤵
        
        PID:1872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        59⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        60⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        61⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        62⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        63⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        64⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        65⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        66⤵
        
        PID:4660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        67⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        68⤵
        
        PID:3000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        69⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        70⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        71⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        72⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        73⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        74⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        75⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        76⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        77⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        78⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        79⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        80⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        81⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        82⤵
        
        PID:1092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        83⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        84⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        85⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        86⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        87⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        88⤵
        
        PID:804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex
        89⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex"
        90⤵
        
        PID:2828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIoEgYMg.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        90⤵
        
        PID:2028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwMYscYA.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        88⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:5080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcYMAccI.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        86⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:4484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:5060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:4236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        UAC bypass
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gawgMowo.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        84⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEEQgcMU.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        82⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcIYAEUo.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        80⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmoAQMwY.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        78⤵
        
        PID:3700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkQoYwYs.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        76⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAwMQYsg.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        74⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOIQQcwM.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        72⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:3024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWkokIsA.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        70⤵
        
        PID:2888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        Modifies registry key
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcAAcUgY.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        68⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        Modifies registry key
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuMYYcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        66⤵
        
        PID:2028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        UAC bypass
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EugMAMQA.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        64⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaEkwAYo.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        62⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIQYcUYs.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        60⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oassYcEE.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        58⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgkEswQY.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        56⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        Suspicious behavior: EnumeratesProcesses
        
        PID:964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqksIkQA.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        54⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWAQYYgM.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        52⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGEooIAE.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        50⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqwIEMMI.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        48⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKcIYQwU.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        46⤵
        
        PID:4664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        UAC bypass
        
        PID:1980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iocskcME.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        44⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:1620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEYgYAwc.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        42⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuMwUUgM.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        40⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\taUcoUkU.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        38⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUsgsMgQ.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        36⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWkoUssk.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        34⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:3792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies registry key
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOQYMQsM.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        32⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaYMAsoE.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        30⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:4680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqQYgQwc.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        28⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYokAkUg.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        26⤵
        
        PID:992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoEsYUck.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        24⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIEggYEM.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        22⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIMYgMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        20⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEskgEUg.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        18⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MScsgMwc.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        16⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWYsAAUY.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        14⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqUQUsMo.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        12⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYYwAIwM.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        10⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMcQosII.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        8⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3636
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3524
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2132
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWAswcMA.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
        6⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1648
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1416
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAQEEswM.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3992
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:60
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3416
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4656
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKcQkUIs.bat" "C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1140

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv dTFOHDHKy0qC4uzETCV4XA.0.1
1⤵
PID:3676

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- UAC bypass
PID:3992

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Modifies visibility of file extensions in Explorer
PID:4236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

Filesize
382KB

MD5
ec5fdeac78c40489daf98485ad08d91a

SHA1
4df3c272bf6954bc9f35c2f0e7590a3de4ba77af

SHA256
cd2c6512949a5c503c37370bc34e30b348686dfdd3a2e1384bd836aca5de49fd

SHA512
f17449e97ea04264e7164df49b02ac7b9abc440a9b4918aa2c4b54e3fe9c489a64a3c83e40caf5802ff29d4437b06ecc36c10751b18dcb40fff54fa41805b87b

Download Submit
C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe

Filesize
516KB

MD5
24aeb685f6b14c3730513e5dfd46188d

SHA1
2263e34291e39f2dfb0643fd5136d09e09eed611

SHA256
5c97cd1a5754bbf95d300d3e6db3739dfa6efd2d86513c662ca7296a926e4bd3

SHA512
962ab671dd5e15c60ea3ab6766e82e912fb308dae6121d14e8cbcb743f8ed30adde1062eaea4176a2cc9299267f3b66e4d8d1c17f625789bbef7f9c9c4c6d5f2

Download Submit
C:\ProgramData\AUowMMcI\sWAMgQIs.exe

Filesize
184KB

MD5
f58d3546edd10ce729d9ff982c854d56

SHA1
e468f48ae714ca8918c7571946402cf306277db0

SHA256
5218d251efc5316e97db4210b068bdee4b69e7449663f195716e66897bd540ef

SHA512
f9a3efd34adda6701495b60b8ace765a8c06b4e37e077e8f0a508cbc8fb73ce9835830bf458cea9f6c916aef66b84eab15b3977b27213951d27996ae3f30ff80

Download Submit
C:\ProgramData\AUowMMcI\sWAMgQIs.exe

Filesize
184KB

MD5
f58d3546edd10ce729d9ff982c854d56

SHA1
e468f48ae714ca8918c7571946402cf306277db0

SHA256
5218d251efc5316e97db4210b068bdee4b69e7449663f195716e66897bd540ef

SHA512
f9a3efd34adda6701495b60b8ace765a8c06b4e37e077e8f0a508cbc8fb73ce9835830bf458cea9f6c916aef66b84eab15b3977b27213951d27996ae3f30ff80

Download Submit
C:\ProgramData\AUowMMcI\sWAMgQIs.inf

Filesize
4B

MD5
59f362a43a57fdc601495d55fc2d03d2

SHA1
b0a4e9731e6f8f2f1ac9fa8ee9aa2b1c842f7d62

SHA256
6373dcb9d7ba54f927d2274b2add9950c951dc02eeb4735ec71336e8ff18eb35

SHA512
fe0a786c2eb794b2061783ad6f4d929a3cee6ac05f14005412012fb642a2a95198e7379d9d60b06736917ad484c1260f4307dbf21fe2a3e821bb2ee3c3754f22

Download Submit
C:\ProgramData\AUowMMcI\sWAMgQIs.inf

Filesize
4B

MD5
ccd2d7a252c8b07be65a1d1d9e7b1a6b

SHA1
b345a6dcde92e21862a70e9a30a87e4bc45561c8

SHA256
99868f95d47e16a7ac3dbf63d3db365e602173f23bf17c7d0f05a1fd4c9b3612

SHA512
db36fd77ab9178971b84736f992701aaa0d2e10820fdd66403af86202e90043f8d66ef5675de9cb444ff113ed226bb20668308d5111b5b9143756e50787edb9d

Download Submit
C:\ProgramData\AUowMMcI\sWAMgQIs.inf

Filesize
4B

MD5
39b19a9775889cf496db4e54818a459f

SHA1
b820858105293428c8b4cd256521278ede85d45f

SHA256
2613c1e345d719b736addcd5df1be4db7e5ccb24ed3081cbb1c18f994e709c19

SHA512
34089133f87693e712461301316044f555ad1d860e3d759f67d5b114a1eb04a67ab853bfcc5cf37079ae514ac5ab6177a029bcdb54949834300e9d0323f5d6f2

Download Submit
C:\ProgramData\AUowMMcI\sWAMgQIs.inf

Filesize
4B

MD5
87ffd80c449b2108ed646faa2f07245d

SHA1
c6eabf23d9136e73b21c470a948f68b55a74c1a4

SHA256
69315c7cf9bbebd1bbe245701e5a681ee19f3448904b6795f62ec51ffcee32c6

SHA512
b327f180a4e9a0416a7e908e9bd3c412f6d4dc0e3af93e2f467fc87b9e6393e6263a2a739a05f2938a768934b22219e8c3fcda599f38e7b45a227bd5814547b3

Download Submit
C:\ProgramData\AUowMMcI\sWAMgQIs.inf

Filesize
4B

MD5
7f2e7affb0b6b5a8c9ddab6bc3262869

SHA1
0832af922349570b1bbcc2d39a01ef3033ea9545

SHA256
4f5920eb703870ed947b29283d503d15fbf44fdde29a122820838feabd9e01c4

SHA512
5b194f82f21adbe203b2ca477dfb875f89e0747c2020e487f744d10f143f122f26212331468f6339d33d112d8770ab4c11c96b7b658c3a66f6baa2ad17caff7d

Download Submit
C:\ProgramData\AUowMMcI\sWAMgQIs.inf

Filesize
4B

MD5
cc9944e56247e20a231608837d27efc0

SHA1
380c216679966b2f53dd43de54de53d678a2d71a

SHA256
89efbedf6950a1dd929e3c2e803e05aac76d47ec20f1d41b03ebadeaa99b2267

SHA512
3fc4065b6f3abb96fb391d4e2202a3d91e7bbe55f82d9cc7bc9ddfeb23783ab092e1d95e0a5e89b1189b794d3d9c2d23401def2a4b5a7984723d1d25954170d9

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
329KB

MD5
5612002a7d83092513e8b8bc8bf0efd1

SHA1
54608c19e9fe52056e70713d22e4e663e4abdbce

SHA256
5d929a04e4fc918b1de465846f2ead067590ddf12f944568dcffbee121c8cf43

SHA512
7af25801e4e0ec7a45702c1c1bcf9f26def835e27c4df52a27dd589706c97a8bbb03433cd29b00304e444961ff3fba2e4d87cffa1303a8d587b28bde16b6c1ca

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
246KB

MD5
4f53d7bc48ebf4424890d8772e8bfb18

SHA1
8bd71ecc264c013be2122cd72e9981e185c15f14

SHA256
8940a84ce0fe01be3e9cf0dadd90ec42fade16c131586ee1bc9a6bae42970fb2

SHA512
646def221d141a37bd390c6d8fdef934fbb42e9ee801e18ae2e8945a05d80771659a9478721191b0d3001389ff9949bcfbd5752eb7b7b3b8fd26800599640cd0

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
233KB

MD5
688f8c49016f3ca1be5929fb29a6a589

SHA1
2bb662e50a6ae3790c40f19ca14f3ce3e6b46f7e

SHA256
d6be68c98b9d0f389d0383edf58d6c7b1a49c9dc34a0ad4d8acf4d424444bfca

SHA512
73f7f770618933b9d941dc297e1268ed04941fb25142916968f21514ed26795ee83df30aac67f189c128c5a67d2eb6933013264ad2e1a96be645606c2ba87cfa

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
235KB

MD5
2586a5d9d176ca8a508188783e0ba28b

SHA1
a88aaf4e51e7d690d00f354e4a93087c8706549b

SHA256
e51505b614c225823cc296f78414387d7437a885b3d2ec1919f4dbbf5b4fa4da

SHA512
02cbe38cc6e445444df5861b6dd893a0c076e6e7ffdb017de2172a523109e0a7ba2504c3ceccf0db4fc8f489ba43afca1237fbc76e758016788ec74636b6c654

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
774KB

MD5
917190103bb3c033fe0a10fc8ad7edc1

SHA1
2c0c76faea556c90f92b762eb5300f79d37bdede

SHA256
7bc2e88b928db8ccea08391ecea55605383b7398aa577a02500e5886c5df0801

SHA512
2b879609416a648629995a9f45e22f9e4765f8104d82892524fd0a39afc1b923236ced78bd62e27235db34a428497314aa934e765707921c03b5e4cf15b69709

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

Filesize
203KB

MD5
716cbc5a7759c952229ea9d2326503a9

SHA1
c8b412e98dbe22ff7fadfabdfae029fca260176a

SHA256
622b942331fcc8d935f1b04f238e2aa74958bd95e66cff27d5c337dcdfb0e0c8

SHA512
d20a58a1c07779705cd08707e6ffde6841bb1b46c30711fb7c9342eac710a07ab88cf603f130bce1ab0d00244902b3bec6ff66b179134ff1311278223077f918

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

Filesize
190KB

MD5
d01f2c38ecc4b8d17c367eaa954433db

SHA1
ae6d4f1d1b485574329740ab8f2fc48f8695ba35

SHA256
a84b6c0a8f18c29e9b9309649ecddb80d76b2520da3ce79ffa415cee5a567ff1

SHA512
c29d0359f7c12975640bde81843832eded8143b25ae25c3af6087e16a8e46d59d06bf8611c3a629919b3945177bbdb774d38f53dc1aa14fe5b7b102677094f29

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
626KB

MD5
6b163075e029df27b7fee9777da4ce8a

SHA1
a8b537196d25c3ad1a3dfc0e964e5fc33ffebd72

SHA256
26bac538c6dbb7aa5bba06101e507644acafe1a00e40a5e8aa40a3098c58bdf1

SHA512
134bfce8ce1cc4e6ef091637ff784da9bb4a22baea4e63c9a6d5eb2302165258e682520950e75dfde262c1e0a11039d238a45d1a28eb0f11816e18d2b0c01921

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
812KB

MD5
2aed9f0fbc921b04dbbd1101aa7cff32

SHA1
3196274f1556a808fdea7750e8cd8fd41c95f977

SHA256
b824a6bb769293e8314eddc7a2f6fd5c2a3769ad921b9e92aeefd12ec07f7604

SHA512
ba1b93df57c8eebd42dbc0b289e0c3a3b2bc9337be5ec745961cee163fa60451bbc387cfb3d5e152c9294de8c25271b88d4826f337d6d6b5b9c13dd353167926

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
642KB

MD5
ad890678bc07f1df9f4f49b18c33ac25

SHA1
0dd5d9e79224122445bced514a725c3ac6ac29f6

SHA256
02b44c639e6cdcc12b85ff47862f24c6b7e7aaf35093b24d976c87256f9d3b3f

SHA512
6b99e2dbc8ac402e56d5f05efdeb6671c003fd4ad2dee727c2be1b58cf509b98c5da74e97497c9670beead47edea31da48966b5101d4bb9db243609844e94059

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

Filesize
182KB

MD5
9c3c3eaf8269abbc868521e7863bacaf

SHA1
5789c178a3e150045ce2a472528beabd5d2227b6

SHA256
e89ce334ba32bb0596e9ec9c1658c03e6144b420a5304326ccb608db2bc21aeb

SHA512
5d1926129a2fea6374d7fb9aa22e3d0417a17dfd19bd0e9e890de5cfbb3d5629443ef23eab7cc3d8641f91da0ea973a972c087035e306e6723d2615756368af1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

Filesize
205KB

MD5
644de6c075c96131726db0ba3f5c3082

SHA1
036de57e01df9a4d1e1c56f55730cd506cda7085

SHA256
59a082febf7d4125cd1aabc8cea1629d4504438e87f6bc83f1cc8d795fb6566c

SHA512
0ad8c6b0826ae2a2566b00876652c4187f6d1afc8fcaade01d4187d9c15aa61d6dd69dfc8ecdcaf055e8c0a5944d941bb1b681fb1a7ea621589cc46586fc2f51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

Filesize
189KB

MD5
26054665cf97e37fe4ab474f25c3a5ef

SHA1
2f9bd5e8cb2a500f867da5ca6a33cad0c46bf003

SHA256
a36524a626c9833a78dc3d278def69036b5cbcbd5b6f08ac848d870a2c2cd1e8

SHA512
0e8787a8ccc3b271ce8589fd261eddb4c95dbe51a83fd66228af5a73c934ad80a55dc3ccd865dd875f59d4c2d18521f5bc96ac04f425b76f814ca74de29a7f13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

Filesize
214KB

MD5
770e9cbec7bdd7c381a15515d20d98b4

SHA1
2fb6bde833bf901b268c4a47663001d746f46b64

SHA256
5ab2b98e7f772fe337738d43318e2151b9158c3ec4f30bf53ce9453564d4bd35

SHA512
6425a2c0564499db4ffed1112f97274f9f49f8817a8d018ab1efa4d7aaae81e7cbe98ef16a952f2c40687c4f35a611292e5172688b3455d82b52348d32a65000

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

Filesize
191KB

MD5
61a934d0cb4028e9f52b9f74b976cac2

SHA1
3bd78cfd6e2ef914d6afedd6cbffa6c868905048

SHA256
d4e438e9edf245362d75f392c3b069bffa65695266e7e23b71b09c059068e82a

SHA512
d6fc35dd34ac695f7e51eba087ad40c3865cb704917e1e288af63f957336f18366351b3243fd4fd00f9ff75a03db8ebf5d9074601d31c650ef2b5e3c652bc000

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

Filesize
191KB

MD5
08f9f664664f537f28bc2e6386ce20c6

SHA1
56989c6553d0ccdbd86332e3ebbfafa6c754a8ab

SHA256
11a5f8e0b059175fcdcea541c4182d8254db552eaea49543a35a781b7d8048bf

SHA512
dfb73f685b97363e56dfe2772d10409195488acf9c4a6612579cc5d9e4bba578aec4aba6a83c7eeb83fd1c7e46900e585a717770883d717f51aa3b4636c2c3a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

Filesize
204KB

MD5
ccf73d66a07be3d326b01e57299d2af9

SHA1
3780416d95fe40cfdec726f3657276516cfea1fe

SHA256
0f22aebd2024c1f637c99d11efc4dfeae856ae78806a2dab51b92f3705721273

SHA512
31b2ffc5a3a8f9ec287d0474853b64aa29c789e18f0821c6ee54052d733f989b76a72dbad38036aa591625906e875cc6acaf0c5944f19bf3672da3596381da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

Filesize
204KB

MD5
2f49ced9a502d38b6c2a2e4530ffc712

SHA1
0488e086a34abfd6df5045946db9fd311f4ade38

SHA256
98767c5633b954ee90bae78b25e7d34442192ea54a9fc5e27743d56708f1c59c

SHA512
26899b1486ae8a1dbe5e1a386261781469857245b4d72bdcb55f8a265e5eb40253fec68e4a1c2ea23a399413ae98c9dbd605b19b2e70c2715a471c66db73ca8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.8MB

MD5
802a80a0258f6c31eca1e183a36eddf3

SHA1
09207544f77528c513f10aed5743edbb985821b9

SHA256
5667104a9084ff7b6f18b021b8a2762b7f70486de673127650a04d71ed2806f1

SHA512
2e4158260fc64ce6100e636ae3364c8036ce37211e25841f69c584ca011607989fe5a61819c0d49db77d3ab3553bdc7e0ab914e08f40c59194e30c7196271e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\965ad2194c6756exeexeexeex

Filesize
9KB

MD5
112e4e050c21a89c34b07deeca8028e8

SHA1
96a099194834410a80ec0084cb2ddae7dc14a1e2

SHA256
decd001e84b93162cfde052bcea5acfc49d525c980d157536b189a79d9fab43f

SHA512
205ae1b0ce6f93083000f16b3a2e00f8eda4505838be5a47adcbeb2261f3ac83e1c4a3b1c7e63e110d40aee7c36bfbb274f5785614979d27fb7ca7b81d8845ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DoEI.exe

Filesize
308KB

MD5
c7cd208ab2a08dd7544824b36af11df6

SHA1
7e08855a6e66785535d0a7bda72e7c9d99a90cd7

SHA256
c4f3b03cc3447fe0887d05422eb4a0ecb7e47ef594f79380b4caed3deffde6f5

SHA512
5587515ba9aef02db0257d9dbf9c1ca7d6de7c19bc89efe8c3eb5e2ac6758e56926691a0dd06bb9cc19ff6eef83700f876aa4bc7809bec9ce26a0437d814db9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUUC.exe

Filesize
220KB

MD5
03fb177306bee33d35b6570f25a5537a

SHA1
93dfe5e0f7af9c54a3c0b69143bb5380e02e2be4

SHA256
bf2710f89f5447599075e3eb977f0a931ce00650f9c20013b33e03ce4f9d153e

SHA512
8d8d0dd7c3cb64476d7d6eb5165d2234dcd57318c8e3fa7aee963b97a901a8d79b72a360a1b615204c5128fe07dfe47abc437cced966bdb2600f9a0763178eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\EskQ.exe

Filesize
786KB

MD5
729286d4ac4aa0ca3b59cd5697cf923f

SHA1
3d27255d34cca3a4d4dd55185f264e820c3ac493

SHA256
e2e8b7bfbba9823eecd15661b9c0552f98edf2f738fdd213d3927d56202abc61

SHA512
430cfb579f15c16751862327432f8e6744feae145132d260535dd0546d5abbc38f95b6311c3fb2b77ab9bd3fc24cffff527db568116b1b8ddde4e16cb9818e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FKcQkUIs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQgm.exe

Filesize
205KB

MD5
6744a684fef0633baf7897b373bd457d

SHA1
48ac3e174c806165a9b9e71bdf7cf9c96ea2cbb1

SHA256
80439e8d80c140bd9f6c2fe95bb79365e30693171ccaf32be9df8898de817e71

SHA512
5143f6feec432d6abbaf5e7b3b9e5eab321fbd0e6c0617e37be92f5535c7f81cf3bca613f6236c695443f3803aba83666a24faec0e4e40a5bc437c7983bd9884

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fscc.exe

Filesize
318KB

MD5
f0df3887046d4e74bf542daaeb6ab352

SHA1
e185425473b94d9b7e0ebb7c7d29e62ed312da18

SHA256
eb927f8f4a59ae043aed02b99950440594e5ad92e4eac8d4e7b789fd8c86f0d0

SHA512
5b16d98d08a2df5d98679b3250af793b6b42f23cd0af3fc28a4137222aa60d8b8e40ff0458fa5f28f79df2d1cb79516fcc4a1451872d323fb2e08f663a0bbddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAsA.exe

Filesize
186KB

MD5
b72be49633102689e98edb1860b2ef79

SHA1
5db45ab0e4e3c261e5b40eb43429e83921758122

SHA256
317f466f041c3b8ddc1612cd987ef592326452691312e9cd486493aa9e5ab621

SHA512
ede5ce20f960f13ddf61eba65755f48abb23a555a2d63005e7bf970d69555737cf0eca0b9ae863a46ce0cdeec6c78ddee6280defb5ec3f3515ace463b81633f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIsy.exe

Filesize
208KB

MD5
4d6dbaefff849892e68bd8bbaad50311

SHA1
972fd925472adabcac8a512daccece305fc7f915

SHA256
fe2b21b05153ad8cc7230d24e8e3fd2fff47088bf10d6b3319c61e276d925f4b

SHA512
bce2d80db9e7b53ce38827ee459e74e4242320c737fdf09053baa36c8973df935b36dd2e41371297454446f0972c434d0aaec14d9b19436debc7a62b7e43dfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcMu.exe

Filesize
185KB

MD5
bff78f6ec46db9804a9f9fa299d3fb61

SHA1
1abb8abeb438429a84b2a2af5de3d94793190fa0

SHA256
8a72643923d4d6d091d347a893e9c22920c153c56a12f25279bb1ab672a1243c

SHA512
8734d57c71aeb7b0813b97057504c1bc92ddd1fe3a96df189d7e756764d0445a8bf23bec15c6965b3f9671ecaa169ebeb5b16ae8835fe637df075c6edc0f16d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gccs.exe

Filesize
214KB

MD5
2b94bf59ec0c0cca60ec522c467a8c21

SHA1
1531c8652dfb9778e43c71902c29fa8bffdb73df

SHA256
04f1f9680feb73b44c59d822f5dec239c823a397e238c6ae09a498d956eafc49

SHA512
00feafd7137459cf6224d56309c0ac407e4aeb81983a1bedbaf7864d4c86a51146ff08364c66efbc8694f79496b91ba3b7a8ac345d4a36989d5727ccf8a6727f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoAe.exe

Filesize
202KB

MD5
fa8983fcfb5b257d9b7a9e4f509ec2cf

SHA1
9c655c65675728befa1a35cf334ebeef445a7463

SHA256
99db668383290ff65cd75c6d61e468b86374f129d3998dc99f3d3b05327a4a64

SHA512
2b6f53eb2bb70f8fe3100498228294d7d45a04473ba2c9b59f7d5dd5ba6647d04b7a7c06d55ba2d113124643524198b7466b6652e1c7a0b96d1a9ac9641f552f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkcQ.exe

Filesize
186KB

MD5
1a781172aff08729529393a96d029963

SHA1
bbd26afb024184cf215ea83f0a432a170218b525

SHA256
07beb08d6f8e6fd818e868bb9514e96fa0fab3d9547442a9630fe64c790452fe

SHA512
0a1254049d2a83cbc28401ccf8b956efac04abdfceaef1630f3c709619536dc9fb5aabf8b9b3ffaf9f3b83e83ef3b40348ae7dedaa8406eacc8addbb536b31f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEEu.exe

Filesize
692KB

MD5
a2d656e338d2f9d3d7586db60de614e6

SHA1
29297c1e2edde2615326d8891bd49fefb828de62

SHA256
90b130deb5e05b603c5031d55c1581aa036670305b966030849ee51fe056d09f

SHA512
118246230ef723d1849e18fcee80c16f07a4cd18e8e152ab52929a98d01ace535e0862abfb87a08b4f2787a6de7cb053188c157979a64aa6541028c2fa13dbc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYoC.exe

Filesize
1.0MB

MD5
1ea69bc5af9b6425f7c5e3e3473b8fee

SHA1
6e1d3ef96c09cd9174780d6241779ccec2465cfb

SHA256
922f65e169bd60a35f193ecd9a71dcd2416101ed1a4ad3b641ef45edadc132f0

SHA512
c43ec31fa6143e1aeb8ec6d5216cbfed7219944b9b06ba3d685566c0b6f7f5e546cc500c113a95eb25f6995f08cf8723be1db13dead7617ea94c453112796a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IaYMAsoE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkcE.exe

Filesize
5.9MB

MD5
43b652af00e8f7758ff2aeae4528a694

SHA1
87615e56b02767b477af9dc83c86f4ff1dd40201

SHA256
7d8f62250b0c8aa60cfb4d3e98443f0530a671cfbd03eddbfb7264ca541d6914

SHA512
e4cb2c736062c58d75619a17bbf62e19d786b8a41232d3e72ed36c00b10b05c6e8e2d9bb4d8bbb0558380d603e370e476908c257eeec248e36b8751f4280e6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JgEI.exe

Filesize
203KB

MD5
e6d014ae6ee198590ea77e3dae15b167

SHA1
a0da00843011c4f0eca21b04faadb090e26c5ebc

SHA256
155e1455a2e1e5c1a9094b9b4fe12f3f0dfa01fe69e5e75317b853e79e539047

SHA512
853aea8441e806a5d2925336efafdfdc92dbdb2c35a03b115509e78bff27888852df9dd2823c6a7e47b20352bb00be56368f62c61d0c89e8c269511dc819f186

Download Submit
C:\Users\Admin\AppData\Local\Temp\KWAswcMA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KWAswcMA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYUi.exe

Filesize
201KB

MD5
e3874c7c26c2c7566453bdab48eef8d7

SHA1
33aa8c1d7190ca9df3924e3f39dffc336560f352

SHA256
e016ddc55a611d17a1f9cf0d99a5070efca3095cd154320dea4fd905a706c1f4

SHA512
2ef3e2073e8aa5151ffecbdd8cce5832c0b6dbc73d1d8a2a84c0c756de11e7f3a9f2acc77d87d28b40776456e9b3e1f88c04cc5f3b8799f54d8d123319e4e7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQQS.exe

Filesize
205KB

MD5
f56656f5a7156b9785332e06620a4b87

SHA1
bb73c719c1200543612721bab09f3e1ac32a87fc

SHA256
f2fb5d40b79a139f244e7a2d7ddd77da1f22fa0216ab229281a1c29f776b9464

SHA512
d9ff9e6a8122b7d971eef200ca67b451643fc39009c4d0a2c80e51686a5e0fcbc1cd00c7a7756266f4ab952745cfd2496007e3d646f9b9e5604a984dd0ff47f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lokg.exe

Filesize
184KB

MD5
67ecbaaea6955c25a3a594f9c623549a

SHA1
0d7cca0f1407f9f846a11177dd9da2025a620eeb

SHA256
0e10afeac4e5e4ea08934105b7984895b006625292ea7f2fcdd94ff0c64bf237

SHA512
09d5d4c0852bfd9a38e3cbcc578bb8820ef4b423a078de395e38120e49098ec0c7c1e7b72b375cad5dc86731d8abd0ba10bcd89a0058f460e89af943b6d09539

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsQO.exe

Filesize
198KB

MD5
36a4b331fe831b4d90372a0b562a3c64

SHA1
16c73211864fd03ac960fa1c79e69c0c3d2215b0

SHA256
9e7059b06de591d1ab6ff72c5ea93f2437dc6406cd61f93aaaf2d9424d9da19b

SHA512
5e33b0a46eab50275505449229ee61d8f03a97faaf8cd4e0c810d4ad9449c12a6e1af495469459190634d3846e4c67351a6f6ab6f44669055791a9c1a5619f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAUm.exe

Filesize
546KB

MD5
9d0a8431ea61e41f209c733d2c80cee0

SHA1
05602d5e27089168bf08a16510d1bd02c1c5bfcb

SHA256
fa0d4946f36f365f14f3e731f147bc4504ab093b4575794aed1ab1d53bca2e3c

SHA512
598f08cd3f27a44664d0c9cc7d793f57ef51b4eb357d3158660b8fd3d0d50b3463ffb0f42b48bed68da6c1a8a1c6507f24dedce5779eb86fdc5b30d137a1bea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAcE.exe

Filesize
235KB

MD5
d2944dd69c12678899dbaa8119859286

SHA1
7b695c0941417e614bb0684ab0e415389f547ed7

SHA256
f04b87c220517090b8597aa7cba3b851f79c42affe9eb4bc222cd901564f8bf9

SHA512
e6dd09ef4d2eba0731d3c03e5d081600c21aa8bbe0ed9a06182cca0b78831c2ccc68c5652ef32d2a7b3e6e0ee2b660e8a3e018505a3a64ce19af3cf6f399b282

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEAs.exe

Filesize
197KB

MD5
92ada01603472c9773f0a958a7da4c58

SHA1
0eacc1db92919588c567a0235e2d99e9df185a5f

SHA256
eaf278a37c7961804f0984619c94e0b2a18417c2d21b476ab4a43e3ed16c9761

SHA512
4a17d6b6884a604e62f1e5a9035793c2a2980a25a8ffd32d060e40c93e3842dd1baf4139b2d7221d3060488bf74cd4135e32498f38b2579624907708dae4eba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEsg.exe

Filesize
190KB

MD5
0e009701f1af2b0b6517a44db0e22b3d

SHA1
14404c80e4f99f95f06036996c56d13175df9458

SHA256
8a8416b1a0fd46f3928588296ba6685a1b5d1e5371f47f6dfafebed59d2898a0

SHA512
7826979d9dc08e9d719eee376922925a5d4adf71411ff445bf4bd91d4423bcd61d0a82ae4745daf80dc5afeb5749f3b203da525b3d4fb8d2452a5e4669d1f24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQQA.exe

Filesize
204KB

MD5
b917ecc5273a8375ad80cef318e9ac0e

SHA1
410d225433bd73fc9c1244cdb894724fa1139149

SHA256
d27c9900d736ceab3994679bc07b8a6e0c2aca15a01697839c56b47123f145b1

SHA512
f5d3721113e8c46cf6c0ff8aa83f23994b4d189ad8b140d0baaa1e9c7bb028fc6196d8e2ad64cd4480288ada83738660e04f2e125a59a335113edaec4b13aba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MScsgMwc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAkY.exe

Filesize
403KB

MD5
2fc1001a2915aedb9a34c13fc8727241

SHA1
2b196b87161932a9fb440d2d44c2ff908b453ada

SHA256
30e5f7cef3d5dff38cbc28cc628c7e2f443324bed8f6a81af7919a165c631087

SHA512
909ccbb9f21b072639796a853c2260b4791848e1ffa40f2761daf17c91a90b4c86ef5026b84b1d8e96e77f6a3403b89f87af3c61aa158b661a54aca8ec483981

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoEsYUck.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoQA.exe

Filesize
1.6MB

MD5
e5741f20108e273d5f097ae1ed17fece

SHA1
3a9b41bd9ee2d61a8370cd8e67e64025d6d6df5e

SHA256
66cd6d3a907d361180d098fd282bab56d648e72d67689138da765b6d1a82b8c5

SHA512
c00370db02f4746261e5615c55d71c33e3d214730dad3fff0bf2f5858c1bf0d54f50a1f8381eefb2310ba19d0f38757231400ad7c8e0d99de20b1041a83ce059

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIEY.exe

Filesize
197KB

MD5
276ccef17b7da2da6f649b6c1b087dd0

SHA1
9522d91ddb236378ce60ed6e9e3e59c668701b32

SHA256
8933cf31265465a4193cc94e4f13056b1bfe5dc7877a8f53eb217030c5d3272e

SHA512
a30e373935f7c302d2eb713dbbe10108eb62b836aaeccbd6839427b78b1190ac07be6a69d3c666a14d55f4e112a5bb8681904685ae96af01ea2ce37291a2f9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYMU.exe

Filesize
214KB

MD5
7cc7102435453f71f0fb586f5555c3bc

SHA1
b7c7626a79d10c4a0a04c38d918d9066146bac84

SHA256
587664865265ff4234e078a45f4bea82c68a2db6ee75ddf4c9e9f5d4e421471a

SHA512
526952b3a9aff49ce7511ae696616f50bd4795ea74dc6b2781e605f5cd1b01942241435384902a21f4f339d1b81c030f83956f33519559d334ece49f31692e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAgc.exe

Filesize
188KB

MD5
aa9c49f5484110e6ce486c0fa37001c5

SHA1
d330749434549bc5b1f7ae08058493cd4ee968a8

SHA256
fbf884dbcdc7d92ff7398053bb3bb23afb2e5ab6f978be0868d8a6273a1d5881

SHA512
8f09556e1069fcd98960a18e5f160e8c7eb4df1e72f9076053c7dce036d88821b931c29ecfe35d184885ec8d890e5e39578de25a38c987ae8d5040238a398e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMoO.exe

Filesize
632KB

MD5
c16a0a0d84942892a2dd07d2930f287c

SHA1
0bdf168192c73e4ee273f4f260db13843e93c6e9

SHA256
5c10d4f5523078559467adcf450122870a97486200b152e01e8d5c75c4496359

SHA512
8db2bc3ad5a8e3ab46116de3afaafb12a72c5d8c6acc3efd2f8157d732569b01aaeda0150ee506086f9ac139a4343d8d7c9fede1362b8c681b04b067ae2ca408

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQYO.exe

Filesize
211KB

MD5
b2c14144869a7f2d70f72f1ccf019c5e

SHA1
c251f1767d37a8d3572d92bff9bd339e54d9dbbf

SHA256
61b2ec684a0fa259ad64f6635957b1e858a4ab9a68258d284d008bce00751309

SHA512
c70d18df6772a4061d24b79d203ec3a0170c41f8f8700d6eeab26a42e1bd19ace5f00d6dce175add75d34aab7f02294527108bc9657b8a37746febf894f61edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsUi.exe

Filesize
197KB

MD5
b894b37540e0cbb62b0f6304798d0988

SHA1
e8c3e542ce54f5c12ec7420d4b91ee74465f7fc2

SHA256
3e5b451341bd2caee360a1b1c37b4628fff7b59c3276265b528ad8305ce1bc37

SHA512
f62b6dc8cfca237f3d26ed2feb110cc29c7f2c4fa0979ad467b41b952667a4343269ea593ac85579cbb1e849eb45cfad2ffcc255f661661a4ab384c8644f6d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsUu.exe

Filesize
202KB

MD5
6b7985792d807f58a50e6aa0b6e54389

SHA1
99c8a5293d6dd48af5f5034dab62399302ebc89e

SHA256
4cff20ab8400f3d16a675c454ed1262cecd0f698d9e7cda9cdcc0fe67276c1e8

SHA512
9621246bbee58dda468d711422ce11c742d546bea7df3cb2c22075203ba79ac9a8fed7ab8cd551905871d00d4a503cbf20414c7a3c4482fcc318958a738a09fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sssi.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUMA.exe

Filesize
228KB

MD5
4181cc45a078a03c7b44ed583835933f

SHA1
63682e689cdcdacab447a1891aa95e50f3a314bf

SHA256
71c6cf13efd54025e4f25e5c60993c88a0d2931e609d8717624dc67e3a0db562

SHA512
0bbcda7867821d4612095d4a1632dae311553e42c9442b46513784c1d7e91700fc4f6f2d352e5e7c9b9dc4df6a6198cdb5bc18f70a4f24f05b343f3d8d2dd972

Download Submit
C:\Users\Admin\AppData\Local\Temp\TogG.exe

Filesize
199KB

MD5
6a8bfd8909e16afe0ee3510379b0616f

SHA1
3e48f2717994c777f4d6769c6574dfbf08ef15db

SHA256
b2bb9c06d52c4e32dbf910fb07d33012717eaa6ab0b66c7f1f285569c349144e

SHA512
c93e36e5697785631d0e88c0df1f99228794ba0ea30ce6cecaa43e1fedbe6dbc149f319a8432aac093b9a562ae5feef46b79de612ecbba1b723459f0d7528eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMIc.exe

Filesize
195KB

MD5
dd7b550cb5fd6ea2d9a83ff134e3c6f7

SHA1
4f8c10ab5945f1c1f75227825b7f6b82b11a8def

SHA256
9df66c496df79082466c9ac11f4f50e50039cff2fee0f7e79bd219eaa207a0be

SHA512
b5de3bbaef62f0b28f57ed8626e478229a38c33b468209135f598616f37b0891ee67d01c3deaaaf61f320f965ac71deff907853e275659b25d723d21c7655e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ukgw.exe

Filesize
641KB

MD5
301b5b9800e6f817f31c63c6a9137938

SHA1
00b7cd8b30b39804431051a63cc9b6b8ed287f43

SHA256
ebb110e23495368df34fa937cafe1dcd1fd495647c9835831350324c58177e35

SHA512
f1d40e386525c03ec9654aa38e800ba88a6c2069febcada500e1dd47ab77375b7fb007da6c3c958be717f6dde0b6ff77dcdaaf9ebe8dfab18b1820a6d384bc88

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQwM.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqQYgQwc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIIm.exe

Filesize
5.9MB

MD5
418e38ababd3a501dbc3ba5b659b4c66

SHA1
e7e657a91b36d628469e5b9402df3a66c051a0e9

SHA256
d2cdda8d7f07bc55bde354d415408e785c6ce7aaf4484b5d08265709c2fa330f

SHA512
99d654ac0236200d19511d079668363d21145d48334c7360c09368a611311caca3a03db633829382c856c14b1e0bf7d7f2577299c50f09af6fc5ff1998d10759

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUgA.exe

Filesize
195KB

MD5
66a091ef4167824475e026648fdd11b4

SHA1
5893642c812a06413ccec3f851c72a31e2bd0ad4

SHA256
28f8b7683c9deb294992b84926151d3b37814f6d577bfc1142bab1025a018662

SHA512
59f9b3faef879fa222a619bd904c4a16cd42b35013a75d2d4660761667dcd5c60293305bdc7cc0fd7f093fa768bcedfa12404a6394b7038a213ad8f81c3efb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwwq.exe

Filesize
185KB

MD5
fa860207f1780139bbc2e2acb4f0249d

SHA1
73eb153f77f93982a9815c79ac270285d91c66e4

SHA256
f51a4bf516d56c3f6f2b2d9e1ef59fded8449f13f755b740b402cb5b2b2b8770

SHA512
a4c17967f7d7711716fcab10f17af9c588798eaa9eed4c832e1c02531f2672e2599d62aff70145b0423f63e73ff9b32502bdca567a759163df7b6d4e49257fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMwm.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQIU.exe

Filesize
645KB

MD5
c5404d4c29b008841f0bd3a78587d8e0

SHA1
1f82411b546c5507fb4f0608b78b20baef4e9919

SHA256
0edd640dbfafc24ed88357f7a3ed0ebfbe1bdb0ccf0da5abf257b6377abda6c4

SHA512
7e7b3bdaf8e1326a31ffb9b2753140e737ed5e4350af087a3283119fd3f9add7ed0a37c5511c21764143d5932162d9d2c31194757c8b7012aabbbc490b51b34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYYwAIwM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwUc.exe

Filesize
931KB

MD5
e61b6282f03763af4e6d5b916a23511e

SHA1
75072496202cec300b247c264a1abc786831db20

SHA256
820dbe7df0e1309239121055759962dabfb42286103332eb6e1a945d4407154f

SHA512
2a4a6b1c719cf93554e737758f364cf3b1a6e512b6a3b362de041b8ed3f044bad67f96e8221d4fcab1d7767298483731a009d853791a2364ce547406dcff1687

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUwA.exe

Filesize
201KB

MD5
8ece126c04362a0cf591561db8e7063f

SHA1
fd08a6b3c49401bc2ec38176e7f9c7531bbe6204

SHA256
e86ff8988c89c4ac30202233f5354db782a1a36b6288b2a49459132d2dc1ccb3

SHA512
57139a3bb9bc9ec0dd6ae433bdb944beca15e4cfb566cc9f76b34a709ef474a509c104acc868478863faf57081b9f2e9b847d7761cc3b47d56bad01257cc7696

Download Submit
C:\Users\Admin\AppData\Local\Temp\bAUK.exe

Filesize
220KB

MD5
66abc180d04c160616282b81bac6f773

SHA1
14615224799f2ca5aef9045dfd7de6babcca4489

SHA256
c6d4fccd8f2ef4d038a861b9dc8a16afe8489443bd8044ad44d7e2b06bde0c19

SHA512
09463b134d6144b77372b00218c433a729cb46507a3a635c53bace08708aaa971fb15b8ca189abfa11b6914c9f1c1b59c438f5cf4f832e931eb329e9774946c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIcy.exe

Filesize
818KB

MD5
923033cff7b07ce1032eb35f29e788e9

SHA1
e0affb3fce2cf6f2c8c8998caeaa7d1edb0b80e9

SHA256
1f091adfbac0d7c74a2e369e6386c9eb52546b459cdb96bbd321f92709b2fb8b

SHA512
3d16105ce986e92ab928bf2bf6e3fcef0f2432cd4debcd4d123a63a785f914c75869aae525279ca762a0ecba2fcbc1165493a7097b34d9f643104b41989d5279

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckwq.exe

Filesize
332KB

MD5
62335c19eab7a3a2cf5d6bcae5bce835

SHA1
e9e9f700893e090a86211b79fba68b27019ff343

SHA256
e441a3c38e1d892119c9797363e20e7094a8db72c653547d582a610952c1e589

SHA512
413b7ca82829849c0ea93680c8c9d884dfea157e7b558717ecb6c89c30238351aa03479e4edb1e61ba52aba213cbdc02e6a44e2547d244497a50c2043346e24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkEo.exe

Filesize
203KB

MD5
5d62cc6616cadf00b624d7e30e1de642

SHA1
d3c79e15d054cacaca427de199a8581e0fa58edb

SHA256
fb73d58629674545bf2b8608831afdb1f825c36410ec45fd9a7fae986f3fa4cb

SHA512
43ac0be71c5943e59bb80f8a4a930b5b778de4ad8077f62738a3a7d8b8d4a0e8cf3dbe419fefda2dcdf29c8c2f3ca2ca47b78d8b19cdfcec28fa61ea574331db

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEcw.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\eogg.exe

Filesize
428KB

MD5
ac4a22248949ef03ce8b52d3751a300b

SHA1
424c88a1253a7fd3d6baa7a4728d72116a8d7431

SHA256
dc719d4fa4357a80efcc53763b11c0ce18aaae69af55d1b2892e8ad6fd8ed35f

SHA512
28047592310959e41da37bba828cb53b35931f06dbdbeca5ebed09b1af792abdc4f7444a30b80dd8410ec03108609ac60a94d79343c2c44408e8258cda7ef37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewUC.exe

Filesize
224KB

MD5
a7c4eca6508c5b229b9147be07160c16

SHA1
df5088b54bf37796bf8f27a714e1aa3ac9d9c7d8

SHA256
adcf5536ec8f785f95fb19fa6dcbfefe705a4c38f26d3aa259a51445949263c2

SHA512
564408a1b22a1889938ca516bf457aca8f79dcd5ef953c8156f52629a4f1a9bd703fbbd9ac3ea07e4774aeaedd2136d5f82cb34f3994fd865dc15ae5c6fba70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUgO.exe

Filesize
207KB

MD5
f2044372562b8fcf2b1d8e29b5d0b3b3

SHA1
9d34798083e12b78b29ac0ea78e3f5eb45d10200

SHA256
a3121d77234e9baa9903238ec59a727a1ff264a15ed392d1bea4476b5636fa51

SHA512
c3f5ca552d80d58addf539638ad4e2aadb99d19238a30334fc8791e43b9790f408e116584825dec02eeb4d31cf8ab450b7ed5bb7cbfe988bb41ebe7ec0ffab04

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEskgEUg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAgs.exe

Filesize
193KB

MD5
ca97318de0afe2625f4cf0fc19611cf2

SHA1
55d3527d0cdf57c5edee3eba0e3a15335834f4d7

SHA256
4446be898b6dbbb0bf0e87ed0222eb696c52b38a7952540119023dc3d950c493

SHA512
b3d4bbecb0e6f9af3ee79435f827239b88c7cf021fb1adef7c961a23f419a33a3db00d4a47984210dc6e03336244ae2421bd199da937ffc3382a7f3d3730b32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEAI.ico

Filesize
4KB

MD5
2d56d721c93caea6bd3552e7e6269d16

SHA1
a7f0d3d95a19f61d30b9e68b0dcee7c569249727

SHA256
f8e8be11d1062a945187b65fc5e5b1500bce03cbdbf6f4af9404b649aacc2aa3

SHA512
c01d86c43876fb8eeab79b72380a00f095d95c3047f530b777ca89d309e7bd797bf83857beab29527eddbbc491da3edd95ba343f6a0725cc565015f095cf0919

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIEggYEM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kosM.exe

Filesize
1.5MB

MD5
0dd5d79e9309e597cb8eb7225134b550

SHA1
c793858a8c6ac24d3427277cc3d90ce5546ca522

SHA256
c5b584d6a4292fd19b93d4ffacc1e1986c3ec06e620675b80a1585626f26ee4f

SHA512
f364a0bf7f7c760440237ce54b304cc6cf36a1d41f3d62a52bb9cc783ff485512dd72e56010f987b7d88708c495aea325160f5cf8869aa866fa8cf386eda497c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAUG.exe

Filesize
205KB

MD5
1387b0d4fc5aada84722a380a653b4a4

SHA1
a8828d53c339f9ba7a224cdcfc96f3f98d3aba5b

SHA256
4145c2b666d57df2f5f2e3f974f2394f1683fdc1286629b36fbf20b8423f185d

SHA512
17382668e077819a9f933bd115fe03184863cc55798e09f48094189c66e0ed92680a42fe15eba0a8c33b03ea491a54fd62d6717326454e26edcb7e6ed52b1440

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIMYgMYQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsMY.exe

Filesize
190KB

MD5
e93e9ebacfe783e4f0a6f4f5176b8af4

SHA1
2b4d255f820af7eef2b9a773c141732b598a9da6

SHA256
9cba84a137b20789f17b5d7bab6101a4e52791f189319d0c99057a3be5d9f325

SHA512
f29eb3a998ce911dd271549c2491aaf5e766a9ef7fd4282c68e860393652492c801e8192d9f377030d3c175de3fdbab3d6d0e318075ac599bfff38d616ad7d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsgQ.exe

Filesize
5.2MB

MD5
d1f7aece7562245cbd63c7ae1bccae06

SHA1
bf0b5eacba78ddb9302d9252b9e5f8139c72a379

SHA256
f6223e22811962ffeff6d6255ac964e75d28aeed8d81853f5a1c096abc6ceb50

SHA512
7d572b63835270df93d07fbe8404726551e9d48e7c66f70480552e39810ec5924276c8f80e7d8209e4e9b7c7313cb50a08d7dc3c67a830d2dcbccb6f6e14d6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAQEEswM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYEI.exe

Filesize
193KB

MD5
8edc453530966d4ce23b84b66f1e5b02

SHA1
006424e7b47152d037730bf460e9883eb7101031

SHA256
6d219f278f0597a900613fc1030bc19f9e1241bb5139cae9f086fed6a33f6da8

SHA512
81984109ecf5fa15b02e49a704527358ec20ae988b16b1c0534c37196c89090c81a5d837c09f1197708aa189027bd3faf38c5cc6326e7afa66d759d861ef830b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAgc.exe

Filesize
205KB

MD5
de646a9ff0c058e6f7b8fb03e0a2da96

SHA1
2346c9b842bcc9660b54b2a6a4695914c1942eff

SHA256
47b3258f532cab23df86806def829b225978c05f875b9aba630973ef67269011

SHA512
5a089e35e0b320d447046e3351eaf43b64dceb7fffef266f9a0eacde60721b5148a10c2e77c5898ca7ea6e70aa8865134f57557dacb3dce023c71daf8530f5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwAc.exe

Filesize
571KB

MD5
199a496c8de1f9cc0993fed86680e67c

SHA1
1dcef35adacd2f500396dc23807a9b106581c63d

SHA256
04af35fed7b391fd2b14e46887eecb911a4ee140b81fa15ca7b73215941af60b

SHA512
169d1f6282ccc01563e21701fff5a06adc8a0d7744d43cbcfc586b0085e261017e0ca8f2f3b60df914388471e71cd2d44df08dc6b6a003efc006164724957a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYokAkUg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqUQUsMo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgQs.exe

Filesize
206KB

MD5
98773203ed1af6041bc4785d6876ae9c

SHA1
ad1db7ad579b636c52778e17298981699119b889

SHA256
381d7e7bb01601dcb13c08598703ecf7549949db048d775a8ac61fa3f160dc1e

SHA512
4c4f70daf29d5e2566f44606c4fd84f8afcab6f33dc9e1ca72dbc2b6e534f538e6550a3ae3b87390c23644bd688f08b86af45c0ef62e44a48a6e27190fbd2536

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwEQ.exe

Filesize
198KB

MD5
7ff9db9ca9ec56386273d7c04b4c04ab

SHA1
1cb32a5fe3490497686da998b7b2e34c0b7595e6

SHA256
364611599ba3c185b774464f9f185af4f5f1806560d45c847a71b395d97d0013

SHA512
1a4a03a023d64fe72ddca58afdc43cb8a49fa359130898fcce1c2529e6438489cac9e9a0e1ceae1b5bed0ed11f54442d04e9d24eae3c82761285762345c8a246

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIUy.exe

Filesize
200KB

MD5
71f4ad9615a4ee2d388e9aa7209db717

SHA1
e1c540b62e26c6fd1943a921bb44add856e7d4ac

SHA256
157e71313a400a06c7e8758ce6c2bc0a7e35a364b1c9c5981e2c93f2eed7e963

SHA512
90329dd3e0d59e7b4cf27d172d05112fe7bad75609fb8b9ccc5c7b2f97ed66d3b6346b91e045c880a2d9b57e4f15ab27f17fba04ef104971d25425f5947c4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWkoUssk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\scYA.exe

Filesize
198KB

MD5
e4fae4bc18567dae63dcec20baef5a80

SHA1
a9fb0403965afc252a5488be5cab007d7a98c088

SHA256
c4d6407207bf7c0e7cb1790f11873a3874e268efd83e03a904b3266224a76937

SHA512
b052671fe54988e2eb237755b9ab4b04d6c9a960fe9641c1f9e637ddfee5e479e4cd0ba2c20de968fabb4041044ff2ebe833d9c4fc8b138d4c4b38f35b1d3896

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssYw.exe

Filesize
187KB

MD5
884138cb01964c0b1a5079308549c9a8

SHA1
d3c2fc1b2fef01aad518d945999f8f4024569773

SHA256
89b4119824972b094226d52722a1b42557c301769584ec8ab088de88e92a7240

SHA512
31de39837f1a73b77ca5fc328181258dd0f5bf33bb6323fb841221091597bfe3d16a6d1474427c74a7ec1dfe0db21ee38966779f90be876ee03072e94ab2b391

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIAw.exe

Filesize
190KB

MD5
5ebbc4f746d7d784c9663da2c3b15ad5

SHA1
5a5c5fd39f0efd4468806ddb2a537c3ea7013365

SHA256
49c5510da7f3a13c60b6bfcd681e9ad29c6a5bb745486f2baf874a7910bb6604

SHA512
e535273834df14a4627ff1e2a76758a7297cbe45a963d846f6696deae4efc1088813a877ba970249ac479282c42cbbb1b65aa147f6d2fbe1dbb72df58de15cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUMe.exe

Filesize
1.2MB

MD5
897ce00e3802076e7419c8ee1dab9261

SHA1
125489f32f52835c22710821c3f82c34bd34aa34

SHA256
eafd14d6a5998e84d74c85caf73dfe2c44b200fca07fd954de6d41069d83bbd9

SHA512
4416b9ba1c8f4ded436f90cd2fe11cb0bed1e32baeea8504da08b40cb699f5449c102d2233446d1b3a3161d403e3e8c18450a6d3306ee3d6b52d711be947fc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucEg.exe

Filesize
191KB

MD5
15f530ddcceace962c2e960f96310846

SHA1
c88109419af855c7b694fe1b8bec7c7af3655e17

SHA256
608317f1f38f00063661bdc6fa9788630f4d82db06b7755c8a027bdb22dc230b

SHA512
0d650686867c44c1b8edafd5d3ea99dfef3b330826259d06c43816fd127bab85712f4e3f63a13fea54a1a2913b6507a457bfd35985c165975686da5e567e6468

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucwA.exe

Filesize
194KB

MD5
d5f924c0c55b4e2b19190ca71cead4ea

SHA1
db1ecad128b5cc4fe4e323d119c25d55e3132fcb

SHA256
49bc83ab70dfc82cb9a345f80418f7bca4bcbedb9bd5dcff40628a477f214772

SHA512
a86107b683ff6693afcb5c667f63e40e2c797cce63ca0aed3e1ed69a4d45a716101404cd269745e7f5bcbc268eef15d440d65d5dd06d0aa4ae972da3322a65d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUwe.exe

Filesize
184KB

MD5
0912ef3d5335ced43bc8c456f36d0327

SHA1
ec07d2379a0cfe0bf2aa62927559f5eb8420d565

SHA256
1b2491c4815dc46a3a82a1e4f5263c8ab06ecb6c95c68388e4da28d43e6e6a2b

SHA512
dadd1ae76722df56d3cd55f1bcfbc7b2f1bf979906c0277575838734c9c6250ad406b0decb6f2356e29978ee15018423ff812e85a1595c6a3b5b424c9d683ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkoi.exe

Filesize
208KB

MD5
a8480568278556373a986dc076660761

SHA1
43dec2895a378ff0e724555e583c9ffcce6e1908

SHA256
4c3df117d769a736dab3348936df6ee6847d96a7493cc1d63b3a949debe0f073

SHA512
d997c5c1e5498ed2a8f21e2a8675f1f58c3bcb156187b66f2455430f82344fc2384f0a7bc5f7ebb9e5b90e72c7d42a45498874454c94fff8bc0a12a1f66fb797

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsIo.exe

Filesize
210KB

MD5
575487552423decfd855a33b6e441544

SHA1
5f22cd202a673c210d7d420f59af113828111037

SHA256
d0afb0b58dcf33730a64e2cec43eed201f61abba1690b16c2610e4f61fc97a8c

SHA512
09dc4cda03260865df23b247ed4f2ee5cbe16647188af8cba03db59a45ebb244198bee765b3374c3772e4e1e7facadbdfe127a191b0fbfeab94ae3fbf39729f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMcQosII.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOQYMQsM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUkK.exe

Filesize
190KB

MD5
2373e85eb145f3b520dfb730407311e4

SHA1
4096b8f8edac1f1612b59a4b777472ac0c131677

SHA256
d292b30fa9e8dffe2704c9a21891ea656c06e75950a2d40ea930746dac270d3e

SHA512
296a8364d34fc478491898a98a6f2de2ee60a57780ddcdffa73c5191a91a47de4ffab582066958b5c2afea66851dad777423b08ca8e16e8ba2b44ada4d131779

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwkk.exe

Filesize
200KB

MD5
4578b7c43a8953088fa54540500ab8e9

SHA1
ef7baadc376ac0bcffca3533a04eec39c4863693

SHA256
5b5b2aca56003e3961bc67512757516adcfa3cd2fee7f3c2492cd4e171b7042c

SHA512
2a9a25420d5349fa536052a9bb38ca0e8f5f958685908e5ed549f5c0ea07ec0b65d7cf7cbdd9d9baecac3968881e71b7c15dee8caa647f5b8abb8d943555f973

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQsa.exe

Filesize
540KB

MD5
53e9228372410d99ae8f7ea492fdc99b

SHA1
883727d087eeb3a066315aace751c0e1d1579418

SHA256
a5c3e5aa7fa6ea9e6dd17bd304785478757d5279537e4238e6491823fbd23682

SHA512
8a53d3db83dfb4b07c119a4e5ba6fded6010da43af3e540f670bd3f706eb601041db71737ab042159cd265b03dce88eb68d62efde018fcf63f879b22a8585a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zWYsAAUY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcEO.exe

Filesize
204KB

MD5
88129589c2ce4ae91d785b1290069515

SHA1
6d1b2a636c4cd20737663ca7c33c34ef37f34fba

SHA256
d85e934d43e1dffde635174eed589ad0b81a814ef4a937999684ad5f08cfe10f

SHA512
f02ecfd89122602d36c463803973ac22a50f4f8a202086211e07c410a5987a37f3fef15e06d76ddcb01da6b252b7a9dd641594a124717c91e04f2efce692625f

Download Submit
C:\Users\Admin\AppData\Roaming\CopyRegister.jpg.exe

Filesize
762KB

MD5
ab88e45d13ee4984bc9c8593a178ae27

SHA1
9fd413a3e16c85c95b7c5fb40d1ff1502ab71d9e

SHA256
bbc1fbddce6dd677ac22eed587a0485ddc6bb1b9a31dbcbad04ed1e51d555bd8

SHA512
d06e69ebf6cd92664527272b77a323d33eb36be32a1b2d72b318184f2801c11187d340f92c07f6a9003ce0a077502e3aeee1aba70b94f456112dc6ed74702312

Download Submit
C:\Users\Admin\AppData\Roaming\PublishWait.zip.exe

Filesize
434KB

MD5
e43e7b3a50d984ef079a98a204924900

SHA1
94ba9e3c4a3026248ccec6dc060bb303b8d2e153

SHA256
525ecb19f2521510d794aad2c734edbc4db98bfaebce591469e156d36fd19706

SHA512
a794c25eec4d2bf88c2d133e93cc8be42835f5b15f4d40b00440f06494c0088de8e095438e1035a26ccd575681a841e9893151a9dc594f9bf05ae510669d6caa

Download Submit
C:\Users\Admin\Downloads\FormatSplit.doc.exe

Filesize
501KB

MD5
d6aa0755f6d28bd0f93be033851409ff

SHA1
fdec8258939d185979e68641d7c6e79d14fe5e03

SHA256
04e3a73431bd1208e5c045cb06c0b67dde70855509a1c7cb9b6569b0e23c15b8

SHA512
1063d57978f26634af115de8df9391167a9ff422ffb744a9b5b1004a4c73149a1c7b34a09dad05c8c09be762e7899257acde1b4356aa0ded54de2a8eaa636358

Download Submit
C:\Users\Admin\Downloads\SplitStep.mp3.exe

Filesize
512KB

MD5
9fb0afe032b6a89bd0a876ac15e76b9c

SHA1
db4038d73c2c9e67bf8ff6f1a0cec15d74a02a3e

SHA256
a1b3eef2caa3dd01c6946f97b45dd1e5e632d8a5975fe3dc6cf80eb2ded5aa6c

SHA512
f6764594cf30614b6602238c83669f505805334bd94c2b8ee9f910d6bd1c726a6119eeec3362685b7f38941bdfd42ff131525d678fe854f6124eb38353f995b0

Download Submit
C:\Users\Admin\Pictures\EditSwitch.bmp.exe

Filesize
1.0MB

MD5
4794a3565418529af096f2eade2c6f4c

SHA1
bc9d4136b230f4843986080cb40707ca7a51f30a

SHA256
45baa81238bd51620207f0e4ac2d1ce5ca1f3f92054348b21ed8daf800381638

SHA512
c8e4db31c4093e6a9519b34c39bc87afcac3278e224e1a77fb5df7ba60b1f9228d13442d089cbff730466f58870b7bfb2c66f80c7c238384d03a3064bfdaca62

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
225KB

MD5
59600b0f3321b4c42b973a5f306175ab

SHA1
4795da26a5883a927c2bad9610e416cfbb317ce3

SHA256
691eb3881f9e2d4d8dd3195984184ba87e1e18d71c4551d4813f7f18f9408a67

SHA512
eec0db23436eff3c069d958d8b018d1e935f3e7419c1caa7010b2db7da0bcf0b7da3d1fd884213d91bd640ebfcd9b4d03e39bd9df187ade3805134114703c09a

Download Submit
C:\Users\Admin\wkYcIIEw\YSMowYQo.exe

Filesize
191KB

MD5
51fa753d858d28ad66ebb21efe35c538

SHA1
2a41a3b6cfba5f573cb096cb6b58eaa383d803a8

SHA256
36d1715a2f4500d0e223b7a8845fca711ba8d6c728cb1815cf2d7a384762e5ed

SHA512
f99d0cd88e395b16014174d4f63fcc400cc3c666f1c3290765f73496a6c82b48eaa4289d4ea73d86a45832d6c4f0cf9dc1b0a4dedc3443083162f9e9538fa940

Download Submit
C:\Users\Admin\wkYcIIEw\YSMowYQo.exe

Filesize
191KB

MD5
51fa753d858d28ad66ebb21efe35c538

SHA1
2a41a3b6cfba5f573cb096cb6b58eaa383d803a8

SHA256
36d1715a2f4500d0e223b7a8845fca711ba8d6c728cb1815cf2d7a384762e5ed

SHA512
f99d0cd88e395b16014174d4f63fcc400cc3c666f1c3290765f73496a6c82b48eaa4289d4ea73d86a45832d6c4f0cf9dc1b0a4dedc3443083162f9e9538fa940

Download Submit
C:\Users\Admin\wkYcIIEw\YSMowYQo.inf

Filesize
4B

MD5
ccd2d7a252c8b07be65a1d1d9e7b1a6b

SHA1
b345a6dcde92e21862a70e9a30a87e4bc45561c8

SHA256
99868f95d47e16a7ac3dbf63d3db365e602173f23bf17c7d0f05a1fd4c9b3612

SHA512
db36fd77ab9178971b84736f992701aaa0d2e10820fdd66403af86202e90043f8d66ef5675de9cb444ff113ed226bb20668308d5111b5b9143756e50787edb9d

Download Submit
C:\Users\Admin\wkYcIIEw\YSMowYQo.inf

Filesize
4B

MD5
39b19a9775889cf496db4e54818a459f

SHA1
b820858105293428c8b4cd256521278ede85d45f

SHA256
2613c1e345d719b736addcd5df1be4db7e5ccb24ed3081cbb1c18f994e709c19

SHA512
34089133f87693e712461301316044f555ad1d860e3d759f67d5b114a1eb04a67ab853bfcc5cf37079ae514ac5ab6177a029bcdb54949834300e9d0323f5d6f2

Download Submit
C:\Users\Admin\wkYcIIEw\YSMowYQo.inf

Filesize
4B

MD5
87ffd80c449b2108ed646faa2f07245d

SHA1
c6eabf23d9136e73b21c470a948f68b55a74c1a4

SHA256
69315c7cf9bbebd1bbe245701e5a681ee19f3448904b6795f62ec51ffcee32c6

SHA512
b327f180a4e9a0416a7e908e9bd3c412f6d4dc0e3af93e2f467fc87b9e6393e6263a2a739a05f2938a768934b22219e8c3fcda599f38e7b45a227bd5814547b3

Download Submit
C:\Users\Admin\wkYcIIEw\YSMowYQo.inf

Filesize
4B

MD5
7f2e7affb0b6b5a8c9ddab6bc3262869

SHA1
0832af922349570b1bbcc2d39a01ef3033ea9545

SHA256
4f5920eb703870ed947b29283d503d15fbf44fdde29a122820838feabd9e01c4

SHA512
5b194f82f21adbe203b2ca477dfb875f89e0747c2020e487f744d10f143f122f26212331468f6339d33d112d8770ab4c11c96b7b658c3a66f6baa2ad17caff7d

Download Submit
C:\Users\Admin\wkYcIIEw\YSMowYQo.inf

Filesize
4B

MD5
cc9944e56247e20a231608837d27efc0

SHA1
380c216679966b2f53dd43de54de53d678a2d71a

SHA256
89efbedf6950a1dd929e3c2e803e05aac76d47ec20f1d41b03ebadeaa99b2267

SHA512
3fc4065b6f3abb96fb391d4e2202a3d91e7bbe55f82d9cc7bc9ddfeb23783ab092e1d95e0a5e89b1189b794d3d9c2d23401def2a4b5a7984723d1d25954170d9

Download Submit
C:\Users\Admin\wkYcIIEw\YSMowYQo.inf

Filesize
4B

MD5
6f37acc7fba837a99194f68af26cd6fe

SHA1
9a0e0de1b093c7ab475ead38b5e685d576da1b9f

SHA256
d6a96d6645457506841c089c68d605ec772644f21e106a352025a55b0c74e41c

SHA512
be6cf71998523fec4fbe69cd52349eadac7e1dd2ac6d3270eba0e6309a23eee204351566f5983c933639a49792fb490e2021c3d490b0075d4f674cb2860c3619

Download Submit
memory/384-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/392-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/400-164-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/432-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/432-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/964-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1028-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1140-499-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1148-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1396-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1448-2224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1448-483-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1556-633-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1556-642-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-190-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1680-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-235-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2344-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2344-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2356-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2356-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2448-154-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-2191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-501-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2492-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2592-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2608-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-606-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-564-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-557-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3184-153-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3184-2190-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3268-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3348-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3412-2235-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3412-583-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3676-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3676-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3792-536-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3816-651-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3848-624-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3944-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3972-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4008-555-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4132-307-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4264-214-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4368-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4368-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4408-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4664-632-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4720-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4764-614-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4788-456-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-518-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download