e7f1929f679f871ee1b0563365bf60fdc4b57ee8be02458bd2f1467b40c9086f

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c0c187699255ad3ade9e0536b8d63e7.exe
Size

480KB
MD5

0c0c187699255ad3ade9e0536b8d63e7
SHA1

38cc407577c84f0265b3e0cf0a93034ef402df6f
SHA256

e7f1929f679f871ee1b0563365bf60fdc4b57ee8be02458bd2f1467b40c9086f
SHA512

b4c415f977bb8f113540cb7b68f395d81a8339ce881adffc3cf420158e0684c26587126c86d40067cb65825f76d7cded6eba0bedf4923af68920281c36f163ce
SSDEEP

12288:WbFtxKsIySCGMY6EAeUAaQUfupAbzHIDNS4ju1FDmBDqI:TBTCUnlUfQAiju1FDmM

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 42 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 44 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0c0c187699255ad3ade9e0536b8d63e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (51) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	uYUwsgIA.exe

Executes dropped EXE 3 IoCs

pid	Process
1152	QosMAIYA.exe
4548	uYUwsgIA.exe
2292	qAwcQkwI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uYUwsgIA.exe = "C:\\ProgramData\\WQkIIQQo\\uYUwsgIA.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QosMAIYA.exe = "C:\\Users\\Admin\\uqsEUQks\\QosMAIYA.exe"	QosMAIYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uYUwsgIA.exe = "C:\\ProgramData\\WQkIIQQo\\uYUwsgIA.exe"	uYUwsgIA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uYUwsgIA.exe = "C:\\ProgramData\\WQkIIQQo\\uYUwsgIA.exe"	qAwcQkwI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QosMAIYA.exe = "C:\\Users\\Admin\\uqsEUQks\\QosMAIYA.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0c0c187699255ad3ade9e0536b8d63e7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0c0c187699255ad3ade9e0536b8d63e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\uqsEUQks\QosMAIYA	qAwcQkwI.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	uYUwsgIA.exe
File opened for modification	C:\Windows\SysWOW64\sheExpandFormat.mp3	uYUwsgIA.exe
File opened for modification	C:\Windows\SysWOW64\sheGrantSuspend.jpg	uYUwsgIA.exe
File opened for modification	C:\Windows\SysWOW64\sheJoinTrace.bmp	uYUwsgIA.exe
File opened for modification	C:\Windows\SysWOW64\sheProtectRegister.jpeg	uYUwsgIA.exe
File opened for modification	C:\Windows\SysWOW64\sheSendSearch.xlsx	uYUwsgIA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\uqsEUQks	qAwcQkwI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3096	reg.exe
2796	reg.exe
4068	reg.exe
1884	reg.exe
5040	reg.exe
4164	reg.exe
3912	reg.exe
1816	reg.exe
4192	reg.exe
3628	reg.exe
2236	reg.exe
1004	reg.exe
1420	reg.exe
2952	reg.exe
4552	reg.exe
4580	reg.exe
3640	reg.exe
1816	reg.exe
2220	reg.exe
3528	reg.exe
2864	reg.exe
4068	reg.exe
1548	reg.exe
1184	reg.exe
2776	reg.exe
1548	reg.exe
4380	reg.exe
4180	reg.exe
1764	reg.exe
2352	reg.exe
4348	reg.exe
3988	reg.exe
2452	reg.exe
3668	reg.exe
4544	reg.exe
4604	reg.exe
392	reg.exe
1116	reg.exe
3988	reg.exe
3348	reg.exe
916	reg.exe
4464	reg.exe
3628	reg.exe
4068	reg.exe
4960	reg.exe
4348	reg.exe
5024	reg.exe
2240	reg.exe
1116	reg.exe
2288	reg.exe
1016	reg.exe
3032	reg.exe
5092	reg.exe
5024	reg.exe
4748	reg.exe
3768	reg.exe
3548	reg.exe
3096	reg.exe
4664	reg.exe
1972	reg.exe
2868	reg.exe
452	reg.exe
4120	reg.exe
4552	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3396	0c0c187699255ad3ade9e0536b8d63e7.exe
3396	0c0c187699255ad3ade9e0536b8d63e7.exe
3396	Process not Found
3396	Process not Found
1100	0c0c187699255ad3ade9e0536b8d63e7.exe
1100	0c0c187699255ad3ade9e0536b8d63e7.exe
1100	0c0c187699255ad3ade9e0536b8d63e7.exe
1100	0c0c187699255ad3ade9e0536b8d63e7.exe
1952	0c0c187699255ad3ade9e0536b8d63e7.exe
1952	0c0c187699255ad3ade9e0536b8d63e7.exe
1952	0c0c187699255ad3ade9e0536b8d63e7.exe
1952	0c0c187699255ad3ade9e0536b8d63e7.exe
2480	0c0c187699255ad3ade9e0536b8d63e7.exe
2480	0c0c187699255ad3ade9e0536b8d63e7.exe
2480	0c0c187699255ad3ade9e0536b8d63e7.exe
2480	0c0c187699255ad3ade9e0536b8d63e7.exe
4008	Conhost.exe
4008	Conhost.exe
4008	Conhost.exe
4008	Conhost.exe
2392	0c0c187699255ad3ade9e0536b8d63e7.exe
2392	0c0c187699255ad3ade9e0536b8d63e7.exe
2392	0c0c187699255ad3ade9e0536b8d63e7.exe
2392	0c0c187699255ad3ade9e0536b8d63e7.exe
4664	reg.exe
4664	reg.exe
4664	reg.exe
4664	reg.exe
2400	0c0c187699255ad3ade9e0536b8d63e7.exe
2400	0c0c187699255ad3ade9e0536b8d63e7.exe
2400	0c0c187699255ad3ade9e0536b8d63e7.exe
2400	0c0c187699255ad3ade9e0536b8d63e7.exe
3208	0c0c187699255ad3ade9e0536b8d63e7.exe
3208	0c0c187699255ad3ade9e0536b8d63e7.exe
3208	0c0c187699255ad3ade9e0536b8d63e7.exe
3208	0c0c187699255ad3ade9e0536b8d63e7.exe
4984	reg.exe
4984	reg.exe
4984	reg.exe
4984	reg.exe
2392	0c0c187699255ad3ade9e0536b8d63e7.exe
2392	0c0c187699255ad3ade9e0536b8d63e7.exe
2392	0c0c187699255ad3ade9e0536b8d63e7.exe
2392	0c0c187699255ad3ade9e0536b8d63e7.exe
4648	0c0c187699255ad3ade9e0536b8d63e7.exe
4648	0c0c187699255ad3ade9e0536b8d63e7.exe
4648	0c0c187699255ad3ade9e0536b8d63e7.exe
4648	0c0c187699255ad3ade9e0536b8d63e7.exe
4304	0c0c187699255ad3ade9e0536b8d63e7.exe
4304	0c0c187699255ad3ade9e0536b8d63e7.exe
4304	0c0c187699255ad3ade9e0536b8d63e7.exe
4304	0c0c187699255ad3ade9e0536b8d63e7.exe
4464	0c0c187699255ad3ade9e0536b8d63e7.exe
4464	0c0c187699255ad3ade9e0536b8d63e7.exe
4464	0c0c187699255ad3ade9e0536b8d63e7.exe
4464	0c0c187699255ad3ade9e0536b8d63e7.exe
4592	0c0c187699255ad3ade9e0536b8d63e7.exe
4592	0c0c187699255ad3ade9e0536b8d63e7.exe
4592	0c0c187699255ad3ade9e0536b8d63e7.exe
4592	0c0c187699255ad3ade9e0536b8d63e7.exe
2776	Conhost.exe
2776	Conhost.exe
2776	Conhost.exe
2776	Conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4548	uYUwsgIA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe
4548	uYUwsgIA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 1152	3396	0c0c187699255ad3ade9e0536b8d63e7.exe	90
PID 3396 wrote to memory of 1152	3396	0c0c187699255ad3ade9e0536b8d63e7.exe	90
PID 3396 wrote to memory of 1152	3396	Process not Found	90
PID 3396 wrote to memory of 4548	3396	reg.exe	91
PID 3396 wrote to memory of 4548	3396	reg.exe	91
PID 3396 wrote to memory of 4548	3396	reg.exe	91
PID 3396 wrote to memory of 1700	3396	reg.exe	101
PID 3396 wrote to memory of 1700	3396	reg.exe	101
PID 3396 wrote to memory of 1700	3396	reg.exe	101
PID 1700 wrote to memory of 1100	1700	cmd.exe	375
PID 1700 wrote to memory of 1100	1700	cmd.exe	375
PID 1700 wrote to memory of 1100	1700	cmd.exe	375
PID 3396 wrote to memory of 448	3396	reg.exe	492
PID 3396 wrote to memory of 448	3396	reg.exe	492
PID 3396 wrote to memory of 448	3396	reg.exe	492
PID 3396 wrote to memory of 4960	3396	reg.exe	98
PID 3396 wrote to memory of 4960	3396	reg.exe	98
PID 3396 wrote to memory of 4960	3396	reg.exe	98
PID 3396 wrote to memory of 1816	3396	reg.exe	583
PID 3396 wrote to memory of 1816	3396	reg.exe	583
PID 3396 wrote to memory of 1816	3396	reg.exe	583
PID 1100 wrote to memory of 4892	1100	0c0c187699255ad3ade9e0536b8d63e7.exe	652
PID 1100 wrote to memory of 4892	1100	0c0c187699255ad3ade9e0536b8d63e7.exe	652
PID 1100 wrote to memory of 4892	1100	0c0c187699255ad3ade9e0536b8d63e7.exe	652
PID 4892 wrote to memory of 1952	4892	Conhost.exe	135
PID 4892 wrote to memory of 1952	4892	Conhost.exe	135
PID 4892 wrote to memory of 1952	4892	Conhost.exe	135
PID 1100 wrote to memory of 916	1100	0c0c187699255ad3ade9e0536b8d63e7.exe	404
PID 1100 wrote to memory of 916	1100	0c0c187699255ad3ade9e0536b8d63e7.exe	404
PID 1100 wrote to memory of 916	1100	0c0c187699255ad3ade9e0536b8d63e7.exe	404
PID 1100 wrote to memory of 1016	1100	0c0c187699255ad3ade9e0536b8d63e7.exe	611
PID 1100 wrote to memory of 1016	1100	0c0c187699255ad3ade9e0536b8d63e7.exe	611
PID 1100 wrote to memory of 1016	1100	0c0c187699255ad3ade9e0536b8d63e7.exe	611
PID 1100 wrote to memory of 5040	1100	0c0c187699255ad3ade9e0536b8d63e7.exe	507
PID 1100 wrote to memory of 5040	1100	0c0c187699255ad3ade9e0536b8d63e7.exe	507
PID 1100 wrote to memory of 5040	1100	0c0c187699255ad3ade9e0536b8d63e7.exe	507
PID 1100 wrote to memory of 2100	1100	0c0c187699255ad3ade9e0536b8d63e7.exe	103
PID 1100 wrote to memory of 2100	1100	0c0c187699255ad3ade9e0536b8d63e7.exe	103
PID 1100 wrote to memory of 2100	1100	0c0c187699255ad3ade9e0536b8d63e7.exe	103
PID 1952 wrote to memory of 3400	1952	0c0c187699255ad3ade9e0536b8d63e7.exe	513
PID 1952 wrote to memory of 3400	1952	0c0c187699255ad3ade9e0536b8d63e7.exe	513
PID 1952 wrote to memory of 3400	1952	0c0c187699255ad3ade9e0536b8d63e7.exe	513
PID 3400 wrote to memory of 2480	3400	cmd.exe	481
PID 3400 wrote to memory of 2480	3400	cmd.exe	481
PID 3400 wrote to memory of 2480	3400	cmd.exe	481
PID 2100 wrote to memory of 4596	2100	cmd.exe	439
PID 2100 wrote to memory of 4596	2100	cmd.exe	439
PID 2100 wrote to memory of 4596	2100	cmd.exe	439
PID 1952 wrote to memory of 3716	1952	0c0c187699255ad3ade9e0536b8d63e7.exe	602
PID 1952 wrote to memory of 3716	1952	0c0c187699255ad3ade9e0536b8d63e7.exe	602
PID 1952 wrote to memory of 3716	1952	0c0c187699255ad3ade9e0536b8d63e7.exe	602
PID 1952 wrote to memory of 3768	1952	0c0c187699255ad3ade9e0536b8d63e7.exe	529
PID 1952 wrote to memory of 3768	1952	0c0c187699255ad3ade9e0536b8d63e7.exe	529
PID 1952 wrote to memory of 3768	1952	0c0c187699255ad3ade9e0536b8d63e7.exe	529
PID 1952 wrote to memory of 2812	1952	0c0c187699255ad3ade9e0536b8d63e7.exe	124
PID 1952 wrote to memory of 2812	1952	0c0c187699255ad3ade9e0536b8d63e7.exe	124
PID 1952 wrote to memory of 2812	1952	0c0c187699255ad3ade9e0536b8d63e7.exe	124
PID 1952 wrote to memory of 1932	1952	0c0c187699255ad3ade9e0536b8d63e7.exe	514
PID 1952 wrote to memory of 1932	1952	0c0c187699255ad3ade9e0536b8d63e7.exe	514
PID 1952 wrote to memory of 1932	1952	0c0c187699255ad3ade9e0536b8d63e7.exe	514
PID 1932 wrote to memory of 2004	1932	Conhost.exe	194
PID 1932 wrote to memory of 2004	1932	Conhost.exe	194
PID 1932 wrote to memory of 2004	1932	Conhost.exe	194
PID 2480 wrote to memory of 2204	2480	0c0c187699255ad3ade9e0536b8d63e7.exe	586

System policy modification 1 TTPs 10 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0c0c187699255ad3ade9e0536b8d63e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0c0c187699255ad3ade9e0536b8d63e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
"C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\uqsEUQks\QosMAIYA.exe
  "C:\Users\Admin\uqsEUQks\QosMAIYA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1152
- C:\ProgramData\WQkIIQQo\uYUwsgIA.exe
  "C:\ProgramData\WQkIIQQo\uYUwsgIA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4548
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1816
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:1692
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4960
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700

C:\ProgramData\RagIgwEE\qAwcQkwI.exe
C:\ProgramData\RagIgwEE\qAwcQkwI.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2292

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
PID:1100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RecIgAQs.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4596
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:5040
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1016
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
1⤵
PID:2204
- C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
  C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
  2⤵
  PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
    3⤵
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
      C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
      4⤵
      PID:2392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
        5⤵
        
        PID:1924
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:3812
      - C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
        
        C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
        6⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEwYcooI.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
        7⤵
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
        7⤵
        
        PID:3568
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1748
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1676
      - C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
        
        C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4464
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1276
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiYQQEME.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
1⤵
PID:4900
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awwwEIMo.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
1⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3768

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JckEkkgU.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
  2⤵
  PID:4896
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:4988
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4544
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
    3⤵
    PID:2296
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAocsAQc.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:4928
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4748
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      UAC bypass
      PID:1824
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2212
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
  2⤵
  PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
1⤵
PID:3400
- C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
  C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
  2⤵
  PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
    3⤵
    PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
      C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
      4⤵
      PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWoUYQgk.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
    3⤵
    PID:2304
- - C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
    C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
    3⤵
    PID:3620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWYIoscQ.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
      4⤵
      PID:3672
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:448
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2312
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4464
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSAwoUIM.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
        5⤵
        
        PID:2464
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:2880
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3644
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:4984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwEIkEMM.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
        6⤵
        
        PID:688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3836
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2984
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        UAC bypass
        
        PID:1168
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:1816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
        5⤵
        
        PID:5076
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
      4⤵
      PID:3220

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
PID:4664
- C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
  C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
  2⤵
  PID:4752
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3220
  - - C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
      C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
      4⤵
      PID:3836
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaAggEwU.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
1⤵
PID:1748
- C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
  C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
      C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
      4⤵
      PID:4984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
        5⤵
        
        PID:1100
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
        6⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
        
        C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
        7⤵
        
        PID:4520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYosMgUw.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
        6⤵
        
        PID:5056
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4348
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
        
        C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
        7⤵
        
        PID:3372
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:5024
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYUkksAY.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:3548
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4748
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:776

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuIgoUcE.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
  2⤵
  PID:1004
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4180
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4064
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
  2⤵
  PID:3328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
1⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
  2⤵
  PID:3196
- - C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
    C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
    3⤵
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCQsYYkc.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
  2⤵
  PID:1180
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2864
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4068
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKoMAYAY.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
1⤵
PID:4032
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3732

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
PID:3112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
PID:1016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cckgsEQM.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
  2⤵
  PID:4512
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3788
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5024
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2952
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
  2⤵
  PID:3436

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
PID:3924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQokEAII.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOoIMwcw.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
  2⤵
  PID:4916
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4760
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4888
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOogQMgM.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
    3⤵
    PID:452
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3716
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Modifies registry key
    PID:4068
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1764
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
  2⤵
  PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCIksUoI.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
1⤵
PID:4076
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
1⤵
PID:392
- C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
  C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
  2⤵
  PID:412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOIkcMQM.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
    3⤵
    PID:4920
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4596
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:1184
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3548
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:3988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwQIsYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
1⤵
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4348

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
PID:3712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
  2⤵
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
    C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
    3⤵
    PID:4884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWAwkowk.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
      4⤵
      PID:4140
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2896
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:916
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:2452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
      4⤵
      PID:4664
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4248
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcwMscgY.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
  2⤵
  PID:5076
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3912
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2104
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2080
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:4544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
  2⤵
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
    C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
    3⤵
    PID:1004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
      4⤵
      PID:3664
    - - C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
        
        C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
        5⤵
        
        PID:2012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKkwkUss.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
  2⤵
  PID:3180
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1168
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3640
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2588
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3732
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3436
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:448

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
PID:4180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUocAEoU.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
  2⤵
  PID:2392
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5092
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoUQMYkE.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
      4⤵
      PID:1924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:1548
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
      4⤵
      PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
1⤵
PID:2732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
PID:4676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOcAEMok.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
  2⤵
  PID:4440
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2204
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4180
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3096
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2796
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
    3⤵
    PID:3412
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1116
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcIwwsAg.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:3784
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2776
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
  2⤵
  PID:4920
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      Suspicious behavior: EnumeratesProcesses
      PID:4664
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqsUEYEI.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
        5⤵
        
        PID:4744
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:452
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:1884
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
        5⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3668
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:932
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIQAYgkg.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
        5⤵
        
        PID:2400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgYMIMIk.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
        6⤵
        
        PID:4436
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:228
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        UAC bypass
        
        PID:4912
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1972
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:3628
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3388
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
      4⤵
      PID:848
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3568
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4192
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Modifies registry key
    PID:5024
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
1⤵
PID:1628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
PID:3484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMowEsMQ.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
  2⤵
  PID:4280
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4164
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2400
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcoIgwQs.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:2352
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
  2⤵
  PID:3528
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
1⤵
PID:3256
- C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
  C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
  2⤵
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
    C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
    3⤵
    PID:3332
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
      C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
      4⤵
      PID:3432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmwMkcoY.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
        5⤵
        
        PID:4140
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3396
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3088
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
        5⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4580
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4604
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rccQUEAM.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
    3⤵
    PID:4896
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1968
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYEUgsss.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
1⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4740
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgQooQQI.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
1⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmEccMkE.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
  2⤵
  PID:2588
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4580
- - C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
    C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
    3⤵
    PID:4076
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5080
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3348
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1976
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
1⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dckcMMoE.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
1⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4936

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
1⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKQMQYwo.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
1⤵
PID:376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\macYoIss.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
1⤵
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
  C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suMsccMM.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Modifies registry key
    PID:2288
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:688
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
    3⤵
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
  2⤵
  PID:4892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
1⤵
PID:1168
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2304
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
1⤵
PID:3812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4848
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1924
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1016

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuQEUAMM.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
1⤵
- Modifies visibility of file extensions in Explorer
PID:4740

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOAUkcIE.bat" "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe""
1⤵
PID:2588
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7"
1⤵
PID:1900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:3628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4076
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2220
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3476
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3912

C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7.exe
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:2868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
PID:2776

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Modifies visibility of file extensions in Explorer
PID:2612

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RagIgwEE\qAwcQkwI.exe

Filesize
158KB

MD5
20ab423c7b623f643636d3451b38c96b

SHA1
95bc6f2271e7fd4c4efb833c241dde2ee48c0a4a

SHA256
85c381e4fa664e49cb032e236e90a671f0db3189038d3d9ad3cf8c17d6b79fc7

SHA512
d0e7e797f6ae7ba2e180fa34ba6c7bbd4f3a4e29e44c5dac3e5c9a8437fdab17a8802a79039cb0d15d482712bc2515f725a5b46258a2631a310a53cbfbda90de

Download Submit
C:\ProgramData\RagIgwEE\qAwcQkwI.exe

Filesize
107KB

MD5
355402a7d9c6995c6e2746c039f4c1f8

SHA1
13b8002dc4946aaae149bbde9710cfde94500891

SHA256
0006d4a93d67dd1567be52ddb0ea36ccdf7320b8faa2cd6825e9812005bb4cd7

SHA512
760a03d14614045cd6bcb07af07905aa8801f06244d1a48e87ef780ba26035ed1856bfe27120bb013035c9e788090d1b15e41947577424f01d2808ae41a6baf8

Download Submit
C:\ProgramData\WQkIIQQo\uYUwsgIA.exe

Filesize
58KB

MD5
6fedec6ae1b168e88408a9c075efbc50

SHA1
be52b7709f2c57cecfb8c70a88668e2a41915f84

SHA256
16c34255ff873ecd3b9a1aa5e65aa3d7d843e29fcf3d8ebcfa8cd5c358446974

SHA512
ef9d8e11a1e9280a737e98371c43034eb5334d632648e0aad2fa21e195e914559199105f47386cae34a40942e81b66e9223b7c24e6f39da14739bfe9d862db55

Download Submit
C:\ProgramData\WQkIIQQo\uYUwsgIA.exe

Filesize
28KB

MD5
cafd1dd287c54b463222cde7dbbda999

SHA1
165e4fc2e1b3d8d07f567901c7088c02b2f0e8f1

SHA256
342b934e1ab6072cb9adfacda16f6b9ee354b9df3ccf4965adde2e3e5fb02bc4

SHA512
bf16e5a42ecb354172f4b275404c530778b495fda9c7e1cfbf99b7a1e593b3d920727ed5bb4fd4e97b0d85232b4086a0bb6719cd1f60a8d8620ccb7e1bb25514

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

Filesize
156KB

MD5
0eead9cb8ff8c8a0c2f0f6b865af45b5

SHA1
1d98a38bff5ca0fa4947f46c52c8c15f3a4a30ca

SHA256
2f93e965d29761290371a2151364bcd0480264a488cbfb9c62f535844c7ecd5e

SHA512
1fd4779308766dcec84c525feddb40f333fc6a807bad65f59184b4b04d7ed1b9b425ad57b192809f1b88bf95eba1aa0e98f9c1bbef26a48a6f15bcebebe594ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

Filesize
156KB

MD5
435c66d6a55dd258db5551bf5a3fcafa

SHA1
3756d9c6cf28e367fce1b5ca88a73baead6119f5

SHA256
c680abd55c3777c357b26edae487fc17ca189604f823c238558a69539dd85915

SHA512
e464acd12fbd68d18b29ec9fbef3a9624fcc71f81fee11d5139ff554c284f3cf76fabbb1ac49861a0ed036eceb245bfee5767bce53c41ff74fefefc1ce4c88a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

Filesize
63KB

MD5
1749ed9acdcf1957f9d2119f87556ecf

SHA1
f6ed514a4f72ce6d1c2c733979d76ea5b6f7160e

SHA256
185b1ff9ddee6a3c05db1c0d4225a4e7e6f9c2996ac016f0ae9f4c4fa3d2b3f4

SHA512
cca92f287ec36873c0dd8915736778d0aa8b85c4d833e0fff66078419686848247a33acb001bbf0a57db2df0c00facd04d59d6bad00260655ca4cb29f04ff2bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
1KB

MD5
59f39b928858cf6bd17fd289e850ba6d

SHA1
6dbbe3ae7146e54e41ecd6454b05b839ca8d0168

SHA256
dae3fe7be465792c92fc5d3f8c77afb66fa4568ef50eec5ccc4fe741bf41e069

SHA512
fb0af5fc4be5de90d26d839de08474a043b624ce48367de43da358f283a07282611c5d94f8808683796d9303e5f8116c7e732430028282e2d2d3855b49c671d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
11KB

MD5
3aebdb15d760e71fa4533e8d2953ea26

SHA1
a56f62f03ac193bc6213ba09673e895f9a47d116

SHA256
f450adc79cdf4ec08f1a58dc0a699284be37b9a0507259f7f75a3439317f053d

SHA512
5995415acb16bbb6be3a7c8605a712aa644d348a223aedff1fa1a08b4f15e52ab8b6cf73cb7a41e42cfb90c164dad1895a84a5a6b9162630ce974ab0362d1c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7

Filesize
30KB

MD5
a4ef1947b10e91d7d1bdea8710170c89

SHA1
eca4271e2b5197773fc717b061d1cd74bdc020ea

SHA256
cf21535ad8283f8f8cf4a9306a41ca86d28642b17d3115085018c946fa9e6785

SHA512
3c6eb0e024ca5586c3dfb2b4e42a127eb3d1b90f86e83c8cd795cbbdf7d9797ec14c160f7a9db419cb8536abe670e565dab5858d07bbe824e96fce56fb5fb853

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7

Filesize
33KB

MD5
0758266c0fc3bc30c306aea14e4d3fe6

SHA1
fafd557236ddcc08725accebbeeec32f494b5fe4

SHA256
fb76bc772510c9bb509d81a8410d668473d43b759e9aad67da85fb41b5d43a6b

SHA512
d8bef4e0d25a9a07f3233589e19d6b152bc67d9ed66bc991155a9421ccbca53906b67e3e54a8c3c01308c84fa478e2343939e9e3d970ff8805fed4b342edd120

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7

Filesize
47KB

MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7

Filesize
45KB

MD5
6ebe46cf99c72757816482f2ab10bb1f

SHA1
a06e3e9c5be93617594a79cc139eee3ffe28ec7c

SHA256
001c22ed0a5be982520208c592d05194ec6dc82fe299ec1607dcf773c11059dd

SHA512
566a30181b0f2b9e76456cb46ecbf92b022beba9a4238b760112f7a3795a9390cc26819d88594ddede1ad22ba7714679cb7b96a8e9ead5047eaee1c43f1b0f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7

Filesize
46KB

MD5
e4321bb75202b13499e23e6d9317576f

SHA1
2d46d1b88f3934accaa86b2d49dfaab7170502a6

SHA256
4d346cac19afa9fbcf356c6e336278fe419fb842db54e5f7eb8761b58df26163

SHA512
f7fc30aa77878e2bf479e82dfda8d65c04914cb6af88c850ef80df5592e15b7ddb49e5db5824ff012a7af614bc7514523d846892ec56f28922a79a502293fe4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c0c187699255ad3ade9e0536b8d63e7

Filesize
1KB

MD5
1bc8d72ebc7bbbfcae9833c2fd9db286

SHA1
0d0decbbddaa68924fbbe70ae26a4a40aee5ae70

SHA256
4c7ac76fd0bd8f8469c3ac5206f79417e1ad93cbcff01ffad2dd43d9ad57bda4

SHA512
add786406e2b4850f3c1750cc8c1c2ee42478f0953b0467b6e34fabbdcf74eaeac58435e77be41e619fe1b1b9d0c63b9c8668693eb8e8f30bc2ac3ab6e8c0eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAMY.exe

Filesize
475KB

MD5
94452e214b246db99761426b506593c8

SHA1
67235cb61a336fefc784cbdcc065ff02bf852e53

SHA256
387cc55e7c1cd6ba2ffa53c50b9cf7eb1e80fe616f7baecbf2d74a664f8d86c2

SHA512
5bc27fca07ce7f0ae2608474841adf5ddbd19f09e1e65f5167d46f2d0bd22d40e7acd2cbf3da04fecc978ff99b0b655f906e11424f74735df21efc1fa840c4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAMY.exe

Filesize
88KB

MD5
afccc7b91df4f74ebe64f869619fb201

SHA1
81ad7c7090a524d105637088b952bcd06f627a16

SHA256
ac80340a551d79f80e07e655920b475ecae5e566fb119bf3d8be6630777e6d29

SHA512
a179c7487dfb5f64fab2ecaeb303b150776e8ece662a8dcb76f1a463920063aeb86b22fcda901c8a9a5087054b183734430615e0d664e05c75ae814a6e93a8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMsm.exe

Filesize
40KB

MD5
5b19cfd4463142bf7d1dae909f3960ac

SHA1
9acfc1046461aa7c5539a4dc09f1bcbd86ca5389

SHA256
1b9707bd7224148a102d86b1b43c476be82fb95d3c07fcc12c2ae1e6012c1bc0

SHA512
90727df3c6575b8537cac416f47d02ae658113105319135b430a78d61883c8cbbeedadb99fcf34f98b329a10f45fee434bb8b17fca8e874680dbc9786f82c29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwMw.exe

Filesize
1KB

MD5
55b3868340f550043a6a0dc2fae22319

SHA1
4f4986f8c21a486d3cee05b191aea9adb577df2c

SHA256
07e7693778cd492cf464914a0ecf1120e0b4d69852a85097f6e3fa5ff179d4d5

SHA512
c9b1944cad4bfa68dabf7e7dd3b65945eff0561c5b9056ace278e0af25ac0e3f1b200ac538732713f5b2c9b207d1c236031a38546f93ca11372d9609b11f1595

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAsG.exe

Filesize
9KB

MD5
dff094b217a5d4d859aff49c8fa912ae

SHA1
2fcede25eaa794ade6f077803421adbd89c9e7be

SHA256
4547da2e5e188461558ce28cc812bedc742a6e624716752802d7bde1a0173de5

SHA512
1ffaf85c9f509a136d318451e5d52f8a93f37f3d2fadbd35e92fc7709eee47ab75d1c83bcf212317459f2dd2bcf287470ff095343e8bab484a1e803e8780c844

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkIW.exe

Filesize
184KB

MD5
4dc150e878777e9d1b69f8807304efb4

SHA1
1cdd2f88d1351b777b8269eb5f3bf5d0fb52256f

SHA256
60e8c840cf3e9da7fb9c12faac5034af5b4b6da8b9ef2308422e28613042dee6

SHA512
07a75b91a672da07f2188c8f92920c4f46fec3979c27591b3e22222bd0a737e92d59a8ef9542bb933b4c0e6ad19b96a27ec8cc666a5b1d3f3267947fae7da0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMwC.exe

Filesize
363KB

MD5
ebaabd415a4344dd665d4282432e3270

SHA1
f4c4cdedef8de0bf16cca51036c07241c2ad2579

SHA256
c61aca5e67b951e1863e32ffa3aef040a62b7fc939da0ea754e0cda2ebd8568f

SHA512
8b334656c2ae06badaebf74e48d42c1304c2cf827c1d3a670db0cda20e598194f1243c2d6ec7cafbffdc250f085e1a9727fc7d0e050effb06ef9da1de9ef107b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQsG.exe

Filesize
100KB

MD5
842e7c30b9071fabb3affe4fd4e32f48

SHA1
2ba842ad9ea991cd2232e0d1713643e428bc13ab

SHA256
c6b16a294dd79979e0c4387e8d475b3377573f87ce69423d23d7b5afa337a7be

SHA512
caf67c3aeec97e19b75a6f45fd13d78bb91d709062655cdd7e54fc5011580260f24b133b8b5123ba85bc02d6119ac9d7c97ad14b67421ebd0afc30afa511d66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEwg.exe

Filesize
269KB

MD5
33b361dd3060987341af1a4e8fc3e257

SHA1
3c63d866e4aa9023697bb0fc65fbb88e9497ddff

SHA256
cbcaf30ff2cca1a2e6d70549dda95d483fcce92d8c1e7e638c8b2f445e2ade8e

SHA512
e48acc2c4ac456243f4852e1f975cd61da97724620bf68b4725e599cd5d19781ccae8a95dc645347aea1bccf189d22f315e50987e3d78f1cead4b22cb6fdb647

Download Submit
C:\Users\Admin\AppData\Local\Temp\GSEA.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgwA.exe

Filesize
60KB

MD5
ba9d6316c34a767da99a3c091fe60d42

SHA1
5544d3f8681e0bddd206766ccf8dcf66606c9b63

SHA256
fb254ee2a023e4ba78c45a35e98454ff94220161186e3086e6fd1654559531fd

SHA512
b9a32e9b052f88a25b6efcc9b0e64f1327f43c74f5af6262b370de42dc700b83a163856cd4bafb56f3f592f7c177281c07a8edff3c19b7ede5f7751633656d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsoC.exe

Filesize
239KB

MD5
e85ca09104102cc57b0b9e9bcb83dde3

SHA1
5bce82ad4946134ad75493d64ab7147e9a746e23

SHA256
2abf0db8060b1f52a21ef74ada53319af2c19dfb68c6e1e4ffd213b09ebc68ef

SHA512
3d5c55244092d9284f60c0c858fda27f182b09ff4cb05865599ae632ba514efc02fa9ebfdfbf4d6e584c42988243254180f802d02943d422c9de361d591c52cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYQy.exe

Filesize
20KB

MD5
50b9b6298cbc792f9f2248e86ef506c7

SHA1
3f4523a567ad822c860dabd0764e4a430c252b11

SHA256
cd7d02a9fb462c887e68113c2d0fd950705949d74723f9b70cba7196e47a2de2

SHA512
a6972f6d30b75ebfe60849257af46bbb1002f919b07414da92c465b2a7a8076f2578856865b67642bed3c9fdddca263cb6b004721ffc764c56ccb5eb78b7dba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hcgy.exe

Filesize
45KB

MD5
550d8b9c830338385b964ebb19a9b3cf

SHA1
f7b75e764241adb58a9643bb3bd1a8de3495a5e5

SHA256
8b1dd2c1ca1b035810caa8a0009a3f74e9e4d15dca4b454645303a1ea32319c5

SHA512
c545e0c40c564f9d04985c6ecb7be8d4a1889ec7bba0d404b45f9210c2a21af72b180d560c1df801d40bea98bf919f414d3f0a5df9a90559c5afa0c7d0ef448d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUEw.exe

Filesize
133KB

MD5
a9735227fbf516d11ead193d6c175005

SHA1
da775a3a544d4a9975f39a4fccfbb1d05ad6f721

SHA256
eea77c796af3442323223c96804433fbef1724b3488e054f4230a05ab4a34b99

SHA512
a262229ce9d36a8851a24fe589dd4ccf798414924fdb41c927cb4c2ccd273b59884a7c271622c80201d99f09b7fbeef7be025d06d9e2508cc3af9da9f7df670c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkAs.exe

Filesize
9KB

MD5
b921f9098e65e5d379dfceba601bf061

SHA1
f6dda26a5861af08557c783337f3e16dc672653a

SHA256
1929cc8c829ad4b6885b10eab8692c02509558171eb158d538817a27350b1c71

SHA512
d8a44629d975af505d9302d58017ee6ae6c4eab18f86c6704cdf9413582a6f53df763608a1a50baa0e983741d58a08fcb123943d3a4ff1ffb86fc9f5ea82c6fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMAw.exe

Filesize
43KB

MD5
081a84b3bc355c5ebe210ea16c1600d1

SHA1
5afe1648afb7d09c930c7c2d577d1bafb74e8d69

SHA256
d4ea69befd510c2aca8668bf074cf29d53d8c6129c7bb92a83b22b7134771f88

SHA512
c2b34b29e571f839937659d97ebdab242e00098e6f394521445a3d343d3e57a0a0dad151163eed6f7b842c32cb52c7e6e8c9356e2a236fc9cd5b3401c118c050

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEsi.exe

Filesize
23KB

MD5
3446649e0c4e595c87531090d798969e

SHA1
a1be7cc168d46c8d4d8c151ff2620cd7aef1960e

SHA256
08fe89b81dd4eebd0ae46e7ddde2b31a8098ded2fe47cab3edf323ea5970f057

SHA512
4c8c2011777e2c2df64ec46b9780b90db42b50661185712196ca6292cf4924b01ae13f916383e6467c9e58eac7fea9445a76b67d0f0d53a498b342383b8e3c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQcs.exe

Filesize
98KB

MD5
45fdb229c59bfb7408d062d3a5a62751

SHA1
2c1d95eb7f789eb62a45fb3163b84f0931a24735

SHA256
432f613a4ea7c479ef052032303b47bd037ffe3d9e03a7e9f9a97a16c7364a9c

SHA512
f4f9c2cd9726c4bd0f62f89d47d7bde7048ceeac91c8a593738743d81c7080d0f82591716d3b2723193dded11362090d851e0384ffa022eabd8e92550635c859

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYgA.exe

Filesize
33KB

MD5
f72e859cd3e3f5fab1e199340699cfb5

SHA1
314979fa4e26396d28cf6807d08014d76c10f261

SHA256
bc3edc0873d06dbc2a18acca913f81511fa5cb1be688a4db45a873227e7ff377

SHA512
395d3bb3bea1bfc3f270fe6a0d20c185c0a9ae9357eb82254daae5124c162e5b40fb2c8974ce13aeda9be4037a18a8d7f4c1063e91ce532f28fd41af1ab0a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYwG.exe

Filesize
92KB

MD5
34912a7e6d180bf64d67bf0474de5d75

SHA1
857d3d1fc636d14001f556d2d6f62b5cd4f2e6fe

SHA256
89c6735133d5aec4be998ae9ea900664dbc99a48c6ecb3df450990d2d1518bbb

SHA512
b39e59021d4760c17621fa6652f3416f6b466a3b4d0c9d00df514c33407d76b77139b9a072e8c1398df00ca313d0a4a742d058497e64f8c0440b2b1d78bad347

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgUA.exe

Filesize
1KB

MD5
1f48abe7b3a27eb06760c65934b99381

SHA1
56ea26abeadd6e53667cd80dd0952a9abecda8b4

SHA256
e6354f8cd83fe0ec151a23fc8bd879d25086be7a1d93e672fb41e032262f7eb9

SHA512
55962417f4f3887f51ae1b4b4e5768463571e35fde74124834ad8d6ca0bfb7201013e681c897096e5ce128acc8dff0b1e73f5cf56f1ecf8c227bd1c865df7602

Download Submit
C:\Users\Admin\AppData\Local\Temp\MosW.exe

Filesize
44KB

MD5
afe3bd938c075eac63c60e21d3676fb9

SHA1
7df5f0a3fc0a145fa891282c1f0be57b43922121

SHA256
9739bebf10b37ee5a5ecbb0ed8516904d07a219010ff89cf015de3476087fda7

SHA512
8afbabd7c6446edaf121577f8552e48fb2dee44a307cb0bad7da85d8e5d91771befd127089235a90171f3321dc52d0828d8cb802e094ea6015a3e80710d2bb7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Msse.exe

Filesize
531KB

MD5
554e24a38baabcdb6aacc5aa28d15c67

SHA1
45e3f2277efc6a6dea6588e4817bb572bc159669

SHA256
5c96b3a933a7f5201dbee825cc99ab4ffa8fae64d2d9fc9c2ccd82bd5bbcab67

SHA512
aaa4a91cea8464f23486a13c0924554aed5a0eb984e30a3538adf62ffec94376341479e19c1fe6702070dc47a9481c7e9b288e0a98cf0126adb84eea35153f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQkC.exe

Filesize
96KB

MD5
48fba87052343ccdb4ecde7d8d2a783d

SHA1
b7d0fd7cc477370a9c41244c36acb79dddf92a8c

SHA256
78d2c3c510f3e357b57960c600b75d664eba255beabf937b493f068bf6df7c32

SHA512
ddad35b2cd19e733a270a5e6b372432852a325b2452b447c54143b3c812e182b2209ac7f75db4418ee3f075e029a5782ae8c3923f3c0f49a05f7eb534da54fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAQI.exe

Filesize
198KB

MD5
e37dc8d8df107a90e7815b079732af56

SHA1
69ebca435fc05313ea807355507582338188e580

SHA256
499045492af0384c61fef4c65a5f4ad768acd682c7e29492bbfa23c7b74dda37

SHA512
a7c00aac2ba67aa6b6fbf33a355d126f8763daec48d5e7aaab90a398549c05946f660100239e933b1e1b75dd8d155b6f7b25f20a6179dd6ad3ef1433fb7a2fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEII.exe

Filesize
109KB

MD5
02c5744b749dcdaab5c8cb674dbf1c47

SHA1
e69a9b0f97e151376dd285e5ce699db4f1ba6c9b

SHA256
fda7bdcc5aebd5c1ec31432ec1947532e9998b9533893bedadc2eff82723efbf

SHA512
3a69b69c4541b7920b5e054abcb3ca595c7dbb03b1cb599b019b6d450f0a80712724665a6f6183e6cf53d327bed0bb10e8a27587bbe8ef227df7b9a9222ad3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEYq.exe

Filesize
32KB

MD5
076802688a3f8bb43140239e3f2c9300

SHA1
7cecf0d04d2f105e799d8d94f521f64f54035d0b

SHA256
bf291592f7573be99728e95e9208101b7b027f30ec055b7200404fef3748dc7e

SHA512
b8c090fe74272e1b4a504852eeed7049508d07c7d7721b5b3d85e91ea50439770eab3b095e18f01cc576c8a11f5c2cc390117cbeb1adfb2221dda6222a516566

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwQW.exe

Filesize
174KB

MD5
8fb6c37c87882c463e7ed4e0d3059ed7

SHA1
dbf6ebe7528b2c9e9dfd04d39cac15d79dec9289

SHA256
34d1aaf8cc3b539a9b02904e63d72eda0ee048e422ceda8be27085f6cda09b28

SHA512
f0993c0fd4a0980a9fe4e9e61fcafa47f7649e70246f6dd5e44e3e9b9e94850d32574b35f5c49883941afc325cf042b03556e02c66609e24daca04aedae51a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcoS.exe

Filesize
387KB

MD5
d07c15ff4de89a00ef18345ceaa90ef3

SHA1
8b3510aea30b46a85d911035ee55c7efb73276e1

SHA256
17b0879c2db30ac74ae3b1eee2f254254a8689a8dfefa3b715a088a95675b9b5

SHA512
5fe8bf98965d63d04dc49e8ca2e91466770d8ab3df9a9a8f4db573160b7bac4a7235293803b21dc5b296800335038d0cce2f1431a66ba8623b481c8e9b9c8210

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQQA.exe

Filesize
58KB

MD5
6427c3372059fa294281e9f5256afde5

SHA1
548e189fdc7f6e8382db5e910d0cda35afc7a938

SHA256
64d08ef8575d5595187e7b559795f292e0a0663e85be450eaff4ce75772c7d57

SHA512
755b8dd01474a6dfd68b35611bf935e7a00bd9c2f2e990f01ee19d289f554e08851f0083790a8b00b6d8b65f91c3291372c75b5f8638a4536f0b8b7b1bf1480a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYkY.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\RecIgAQs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsoG.exe

Filesize
1KB

MD5
601b259f79db059516a16ef8f1825194

SHA1
4b6c204324446aecae92dd1f455ca1f498986684

SHA256
8c00ecac1a978f18fdeaa738eeae7e0ec407d14dc4bc1564c106d34ef08b5bfc

SHA512
b58b14743388cc9b5729bcf0a107163fd327cb34d24c4d615bce96ff90d0136fa48a1f7361864f65ed231399fdd1399ecfee9b405c9acd5b769d9ae9a2b2d49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAcU.exe

Filesize
1KB

MD5
77c25a22b093e9a213d5d5d8a1931e8e

SHA1
ebb16b4e15e38b95f453dd4a5e12cb4988a0eaf2

SHA256
97fa7988c93804f5da9e4885440b282de3be200447cf9fd730b480ce111728b0

SHA512
8a053635d6606f4f4ea2892922e9f9bc5ee06b29518799c18d7e1ddc58a7e3ccdbb1aea5ddde191ef74d606f368f3a9f7e7c63853ae68fc45e536830d7ee773d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAks.exe

Filesize
121KB

MD5
4e83cfd7a84a9aa451cd1f8df49085ef

SHA1
d41c496ef62891846982092db0b5891747862ee2

SHA256
5bbe6aa9460b07b17f801dd250633190dc15e06897eaf0d3329b71628d9f69be

SHA512
ab41055c55a594c4dff59cd7f26a8f1fa074730de25a1223977dbb4961b3580840b0b689d4de3a8748caabe04922def3af8647cf80183b9793678a0ddf6aaa14

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUIq.exe

Filesize
69KB

MD5
88c332c541981baec9109e7b23bec0b3

SHA1
3d96643ad4a927ff6eed1e584a38bd5445e8e854

SHA256
416069647dcab7bf03388f05d0ae31758388110f57770be3a7a5f93008cac941

SHA512
b467046a46d72d7ba4b6c38d1f81a404181bdaef0a392356de169ca613318404734a7994217ddf80bc8f2cee6ac9028527053d165b9dad94d2607aa78375ee2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcMm.exe

Filesize
224KB

MD5
e52386b0f4d8a64ffed810dda48b9ecb

SHA1
8499684706f63b8058baac2432769216921f28c9

SHA256
032eecf0e6daea53087679c4fa2a1f040ab1e7a59fc7fa89ad84173b03837653

SHA512
46f4e97769f389469ac8ed264ca79ac83f44c35bdd71a5b45fd0eca542a6162f40d6b2bd6249884996c0ff8d6f7af79868ac5c9dc48bb1a7dbad7ff4fcf347de

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQcy.exe

Filesize
107KB

MD5
d826c4d31d868608d7acccfd828832fe

SHA1
12a22405114766e28ae9231b3478ad5f239286bd

SHA256
35cbd432ec4ed9eaa554b832bd76b921415d63d13dc4b2df0015cd9ba2bbf146

SHA512
608560997520be580780e376a759eed5cc39c80f67a25872958c9c7d5ff4abc1eb633406712b9f11fe02224194dfec26d2f40bd5523e9bfcf02a8c973cff4701

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsYW.exe

Filesize
8KB

MD5
cb943b562dbcc12a7d9004575bb6c00c

SHA1
40312c9ec9bd2c3623772083c4ad1337dcc93aa3

SHA256
ef3a5ccd750e837e7d2356381015c891781033a8515c1cc49a93af94213c08ff

SHA512
4a544c99a47b32b4b482afb7d6966eaddd3254106d373962b05f23bdea755a119a772662e96bf31a8a200828ae413b3125af2af676463b6a5169bc65cfdfb831

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEgQ.exe

Filesize
104KB

MD5
0a44553facca3cad73f01e14d4b0ba4e

SHA1
3838f22cce2f7dc6d8f01d7e5935fa5bb87c862b

SHA256
8de91cc9992a18bda3240c4a42dadbb33d232a31816b4b80a6b2d0ae41f334bf

SHA512
c6e36e2880c89e0b9e62e025927b961a933eab2eb4dede231885b7a83b2e818cc3bfb7508f76cb3b7f62087628aaf965a838ff1c20117b01f585a6cea7c5f7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zwwc.exe

Filesize
116KB

MD5
93f20e8f194c71e1691da7466c4c90c9

SHA1
5ff43ead915dd5f1833b4456f95cdc9306127e82

SHA256
ad3cb58249f342dc3c6bc0832ca728493106a5bd6ef2e123d19b05b856cd63c8

SHA512
21da1082281dba047b61f7d7c93cb56fd9df9abcb9aae7dd00da5da3df16f24a4a3d0420ac14a39c60a89cf92d39b2bc3245fd051367bc792a3299c66ef5e992

Download Submit
C:\Users\Admin\AppData\Local\Temp\akII.exe

Filesize
22KB

MD5
de29feb1a609d2522c8651bb041a7b93

SHA1
b8d19ca8c631a579cfc6dc91ae6200a358cd82ae

SHA256
eeeeaad4ff656c9d7e973c64c2ed1701e391417907d9b02cf82e1af46ec2b66d

SHA512
c37b716ac41fd5c3ea0b3cc8b7cbf8a869b414d754a581d08b05a33cd455dc77c5e6142e4386cd856637fe7bcfa53ce036a3966574e46ae9a1a61cb95869ab43

Download Submit
C:\Users\Admin\AppData\Local\Temp\bAkG.exe

Filesize
463KB

MD5
ae5959cfc028f4180ce0d1257ecf7b04

SHA1
bec6dc843ef75482abf99a60e37526b3d1b455cb

SHA256
30a895d25f1f4736ca8a1f7c3dea5e1f72fa77cb16f89bf59f4b333047682c76

SHA512
2bdd39b143a7c509e5a2527c9c80eb0e1253607d8c9c51714e4061604a3902eb79bc21c4e1b3ed1f1b3b16cb4dbca7688e5f3182bbcae1957594aa568ee3a415

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMkK.exe

Filesize
139KB

MD5
1ec97bb43e1da36c7156a48e825748ea

SHA1
47cd82163b67350e3e0ee9092db6d20b799cb73e

SHA256
7c37400a83032440ef6c73d39f592b5612db6bcb0513454755142cedf9d78cf0

SHA512
4bc76d7a63bec3baef47cda0e41fe5140d80ceb0073a31471bdfa37024f81c40847f8630d7e363a161011991b63ae4f09f68776cf5655861c4a92c7b515d7db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUwo.exe

Filesize
353KB

MD5
f6dd760905f3517a36b60c4cf60ddacc

SHA1
1a880fc9cc79540c4771552e761364d20c30a849

SHA256
b7afc608205bffbe5b0052810ff2c8c0a112de6a067815d51e3ad4350d40c92a

SHA512
f0bf101323976a70b2810a8624e20cab9290c93e9d8f807a5ef023bb4573230dfe675e821e2dabf1329e15a5e6a86b9d6b3186ca6af79fe102dfb8f1de0e9655

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEUC.exe

Filesize
105KB

MD5
8747838338e007fa8c3e5f37313bde43

SHA1
58fc79756e5aefb064ce38d63969d18fc2d77e67

SHA256
891923a51be9edac4701c95ab0acdca1ff7655885c3e8a39fef13dc30e3b2829

SHA512
cfaa93923f165b7024870accbe5ebd4f097cc2d84839eae008f435cde8d7083440c4d9d46c5defd0f34da0a40bbbc6f7448af3b12fc9122e1b3dddf0cc0aeb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwAs.exe

Filesize
444KB

MD5
667e0c800a2f8724f1c2c503b3a723cd

SHA1
eb34afce0269e278464133d96c0b9737d10dca5b

SHA256
7d4b62c70fed586f04402507dc620d66f8b18f66fbec4d39ba0c8332e9709739

SHA512
84fe9b3adbcddde19a5a8475df5ee224f4d5c5f48bdf2191ed748e92330a774d4a3f42ed0c6b4170e957764909e7da8c336ca365dd94e3f9284f065a1d8b235d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jswg.exe

Filesize
440KB

MD5
aa1c6782b742ce0c993ac066d706fb86

SHA1
cf9ce293f3115b323cac63f940f18bd179851aee

SHA256
3a9616fd4c7f7127ef0801f08a1aa1012ff258022b2d7f8745afabe3c00035c9

SHA512
42d78f825b0ded5ae73e875609df0a5badc12100ea6f96b2fcf98e833a97603fe960c89169d7adf83c2d17335f1142a2705ef17e9970c2d396f46a0f83fa315d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUAG.exe

Filesize
115KB

MD5
b48157d5e118b8ddbfa9ddd2c07c611a

SHA1
ae1500613301ac5d66ade7a8ed086c5cba79e5dd

SHA256
d593a69204f296260679471ee56c2eea07a3dbd7038f9ef3107552763d940ff3

SHA512
dd4a38eeb62f84bc0892d3d44320393439dd5a61053f6596b9cc2dc18389ad2285b630bd2f30d262f7f5585c1cec12723a11f901f622fed695083cffef7d01ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkAG.exe

Filesize
46KB

MD5
6998b1e9c46d4919a152d7494ba9e89b

SHA1
3dda55598f4c38cd55c271f4632b2495e5f8e5ab

SHA256
80833d7a18a21fc1ca8c26bcb29467e30248da6d949e48f7b8d402708866925e

SHA512
0693d6668f2c6479bc16a5bab678c605a2bce34f875d75ea2888502571bb606f18f9447df9d8dab4c794a40b7a64733a6057e13b60d9e13524a2c5868d485134

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQQY.exe

Filesize
114KB

MD5
c20265fd2877077a093b7f6ac9d1d67b

SHA1
1d9cacec6f89ff6ff2d59ef05e2f9f0dd54a8462

SHA256
1bcef0aad74eba8fbbf91df67450f06b793533271035068053479481a8a02970

SHA512
8357d36fae74437e67fc4a9edc63ef137ebc4b31ba5fd1c91609cffcf4b3485e4d8483a2dfac2ad999eb7dac6478ac2d21a0746d6c8563e5a76f58357c67bb15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkgA.exe

Filesize
515KB

MD5
31e1e64e3724a697e58228b5c18d1135

SHA1
6ec8aeffac4941e9b2fb7823dc64a719bef301fe

SHA256
3f77a309d393184b713d0a4613f4971d10d30e5c624a4468f5e0b85e2765040f

SHA512
a452b21cb33f7e7d09aaed317d9c8ed4d477fee375a6e21627b6c07e2dffe850046d7686163b1075a0f5b79397304f82f1db1b6575643a7735e89ef208b2fdec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsEM.exe

Filesize
123KB

MD5
1dc318966ea37a38f6b04519af008d6a

SHA1
2ffd0d1190e1baf309116f13d38d21dee25d7363

SHA256
c280b2419a3a8e75f332bd0c07dd1b7212f9458618bceb2656d1efd116c8b727

SHA512
a6345d2078dfef55a09ef83a527abfe84e2f8788a98bf842b0b02aa617fedefff85c2c99b7f8879f10457e6db8e378e051d833565ff3352fdfcf0bab8117198e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pIoI.exe

Filesize
168KB

MD5
752fe6b196126b5f36a3f7c78ae61e83

SHA1
792a5fa44a97bfa3c42d3afd6ebf33ac401abe96

SHA256
8dc7166884b58f7c9b394d132fe1a9233eb3f5ef74b94c484aa441b7f1778783

SHA512
33819604b2ac62db7dd6199f5d265c7b7409686d3352cc799f3f7b5c16a467c23fae50229283551f09370cab07e92706bb70db76c7b2599dad1e6ac68016b0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUAe.exe

Filesize
25KB

MD5
6ac9457a8d371e609e529bae70a16420

SHA1
5146088685d61a09228c50e680844080c2594b73

SHA256
a605a35204269ec2fe3e33b5f3fcb99e969ab481382374681cf1464c3aa411d9

SHA512
cc2a31035c9bff42bb344b0edf1032a89550a8e11f1288bfe57d15f892c88f93c9b301939dd7b1e1060231dabb8779a88575400a2329ab43d34d62ddf6e9931e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwwg.exe

Filesize
9KB

MD5
8d617df752b213c3217f269324f327b7

SHA1
8794621220cbf148b3ecdeb05b6529554e5b7dda

SHA256
5dc0be5cc2dac8940b35da131cfa47c897969071ade7274aaae7ebe10ec728e6

SHA512
ff7d330e6b54612152bc447b520fe1e797bb5256971c019d416b4830e307aa8150d999da121f842587ac60afd44f5c0c44e156e3cf37a3f87083957249b19d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUUu.exe

Filesize
70KB

MD5
562444226781c1a9cc7ea28707731e4f

SHA1
082b30bf7bdcec837ff9701bf38317012b8836de

SHA256
b09547dd720e46f74db8781b6dd3216693f3f506a4236f1d3b84a8fdf6e3f20e

SHA512
b3ff14944d90f301de10d7be21d18aefc83220be10376f67f38d74bcdb9301177fd22db72c8b1912d495641ececdf814cef8a113ad2a1fe5e4f20f7613287cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucgK.exe

Filesize
461KB

MD5
9c27b76cbbbe5329ce77745a81063eb4

SHA1
529c5bf4bbf545555a23f52cad1582989a289861

SHA256
d4a5215596c093f25da05454e99a1a14e9a931a31f669aae514c0a8fa7b94a3a

SHA512
e36449e50a506d2a0f0cbb3fe6d619026654f795ed1529366c60343236adf857794b0e74403b81511bbeb12398d08fc0c516aab9605d4c6c5f0aa2d2f32cfad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgUI.exe

Filesize
439KB

MD5
fde617567badda0453c8878674e8954e

SHA1
5b8a76bdd9d9b1aa37171308b0deed8df580ba84

SHA256
2d18c8031ff37c5cd360bba08ca9d8ffcfa1d5fb3d7a986f46c03e03b3ac7641

SHA512
1bbf99f3b6e513006c8fa5407bc46c2ad2506fffe0fd2697e39ab08bc717cc757c07d6f052d2ecd5e82d528b7e462e08aa9f56a66a902613c0872fe31d986109

Download Submit
C:\Users\Admin\AppData\Local\Temp\xYIk.exe

Filesize
50KB

MD5
4bbf40bec686702d12b4977b614cd405

SHA1
8d4939e5a5cf193248ecbf38c61d254b233a578d

SHA256
27160e5d43ce21fd5888c90ff0ed1d1d04b4d7ab6fd0add9e800200ba1d68d4c

SHA512
5391a530c0505947d7528fae1ceb7ea816f4258ba9b57efdf4c71988736a1f587c68751339334da59026f38f74a040c3924e7096073038743ac31f3100aab57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUkG.exe

Filesize
69KB

MD5
4cbd9ee7b1a6a2b4a56a8ea764e87404

SHA1
f213e0a3b2489103ea4a7861de4408d8c4222756

SHA256
a619549e9e83eb5e9cfe0aaf7aeeeb26c30bf6e3012c938d40a263c41b49fe7e

SHA512
ec5537a0c678bd4057910cb4756443808aeeca28e670eed5b7e1c968f4a9869c09531edfb899fae9ce9ca60c250492915adcc6f46377a6a228d65b1102ada934

Download Submit
C:\Users\Admin\AppData\Local\Temp\zesM.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoYK.exe

Filesize
1KB

MD5
05923b5cef39b5d1f6bd7394bf371eb2

SHA1
08b1b31ca22caa8cb90e02a123ad3727c8a77cfd

SHA256
3d5cfb17123ad5e1dd3984abeade5ff5cc15e96898461454c924af7b6276d3e1

SHA512
f1ed38b3fdbec68cfa46366d1a0e1e28792a3dc865e7b836524db99deb0f20684019c1e6e25bdf3ffc2f9f88e6c1dcc3be12f3e94869166edfbab5cc5cd19233

Download Submit
C:\Users\Admin\AppData\Roaming\AssertSave.wma.exe

Filesize
29KB

MD5
25ac0e6412595e8643a1e7f98a34c961

SHA1
502b27ec03e4b0315d34345e38b85e8cec0378cd

SHA256
98b34064beba7d5b2eab8dd5ce298cff221318a7c9019c67d3c6f8fdbd922e7a

SHA512
de0227afc707e7dedc380330b279eb258895d95f2e4d0e3a87dbbf62ad39da1a25db25fd4a545d158689bf1900474a40cab97332903c00be782097f813a67813

Download Submit
C:\Users\Admin\AppData\Roaming\ShowGet.png.exe

Filesize
42KB

MD5
86ed92d5badd3b656f794bb0509fed7f

SHA1
028cc0cc9c7ac7ac494ba024ee368104b8d9ed99

SHA256
c33cc904df388cc767040307ad0b80b750a8f8c69209b9003acc4cc4f38e29e6

SHA512
114894b1988fd4d933a08825ec9e6f0a01829e4f684b47fa152f06232d0ca62b7c0a734ed8fffeea3fc8ffa5a4ee4b3f8934f6060db08a80706ad9b9f77537c5

Download Submit
C:\Users\Admin\uqsEUQks\QosMAIYA.exe

Filesize
95KB

MD5
ad05d3e3c21c95c30f37418852ad4588

SHA1
7fee72a5d3718e8346e73c120355bbebaa032601

SHA256
68dca54c5e3f3a084f2a517d12082a32f461be0afb06286264fd9970986219b0

SHA512
1752a7649f43490f16a43d80e1e2f2e91bafa3df036de79f8045e87ded1a8647ee6fc73b8cf7636a5064495493624caebd5f1368d5deb1e1128ecfc64b91b131

Download Submit
C:\Users\Admin\uqsEUQks\QosMAIYA.exe

Filesize
205KB

MD5
abe69af09f504432a8427281ed906b63

SHA1
038768e175a8f4775e153720c341081ddf1182d0

SHA256
e4f88ecae8d809a3a03eb93ee1e5395430d95acdd45eb45c675aa7824dc80f49

SHA512
6f0cfe51f0ec85fd33dafc77e0480cd09447f9edbc28d7dfa7f20d196fef3bb3dd2d4d97b9a6ca066caf12fc3c64e56861e843565786d28af34657017250eb37

Download Submit
memory/412-886-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/412-931-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/884-458-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/884-393-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1016-501-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1016-542-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1100-22-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1100-30-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1152-98-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1152-6-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1952-31-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1952-42-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2292-127-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2292-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2328-649-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2328-699-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2392-128-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2392-77-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2392-65-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2392-141-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2400-89-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2400-103-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2480-564-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2480-39-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2480-619-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2480-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2776-185-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2776-200-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3112-242-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3112-296-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3208-114-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3208-99-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3372-921-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3396-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3396-86-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3396-569-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3568-301-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3568-350-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3620-778-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3620-819-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3664-228-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3664-201-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3836-834-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3836-866-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3924-584-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3924-539-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4008-64-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4008-51-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4304-150-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4304-164-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4464-173-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4464-163-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4548-115-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4548-12-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4592-176-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4592-189-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4648-138-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4648-153-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4664-73-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4664-90-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4680-787-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4680-729-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4984-129-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4984-116-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download