fe51da10c124ccb19506e5756dc085ae9acbb7fa3d643574d51fa3434da8b9e5

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10be76fd5d5e9cbea101cf33bdac7a42.exe
Size

484KB
MD5

10be76fd5d5e9cbea101cf33bdac7a42
SHA1

c13a641eaac8f8f769d844a59787d203adf9b162
SHA256

fe51da10c124ccb19506e5756dc085ae9acbb7fa3d643574d51fa3434da8b9e5
SHA512

f9268dc8e64c3324eca94e380852910e6d06f944856257becc84f68fd900c463c362e172df0706298e11d5f984dae59de069f6138d8cd296835053ff168cb2ec
SSDEEP

6144:yTRxDWum7EKVYLDhnGXo6M22WffQcXND+jaTXwhcAd6biCbhEHJ5fE3uFj9jqLXy:OxDWuAEOo6M2GpjaUcAd2bmHouFj9GL

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 46 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	10be76fd5d5e9cbea101cf33bdac7a42.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2400	eiwMwMYc.exe
2704	lsMUYsYc.exe
2776	JCIsMIEc.exe

Loads dropped DLL 10 IoCs

pid	Process
1864	10be76fd5d5e9cbea101cf33bdac7a42.exe
1864	10be76fd5d5e9cbea101cf33bdac7a42.exe
1864	10be76fd5d5e9cbea101cf33bdac7a42.exe
1864	10be76fd5d5e9cbea101cf33bdac7a42.exe
2704	lsMUYsYc.exe
2704	lsMUYsYc.exe
2704	lsMUYsYc.exe
2704	lsMUYsYc.exe
2704	lsMUYsYc.exe
2704	lsMUYsYc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\eiwMwMYc.exe = "C:\\Users\\Admin\\DqAEAkUU\\eiwMwMYc.exe"	10be76fd5d5e9cbea101cf33bdac7a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lsMUYsYc.exe = "C:\\ProgramData\\hwgAgMsA\\lsMUYsYc.exe"	10be76fd5d5e9cbea101cf33bdac7a42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\eiwMwMYc.exe = "C:\\Users\\Admin\\DqAEAkUU\\eiwMwMYc.exe"	eiwMwMYc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lsMUYsYc.exe = "C:\\ProgramData\\hwgAgMsA\\lsMUYsYc.exe"	lsMUYsYc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lsMUYsYc.exe = "C:\\ProgramData\\hwgAgMsA\\lsMUYsYc.exe"	JCIsMIEc.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\DqAEAkUU	JCIsMIEc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\DqAEAkUU\eiwMwMYc	JCIsMIEc.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2392	reg.exe
524	reg.exe
272	reg.exe
1344	reg.exe
1756	reg.exe
1992	reg.exe
1288	reg.exe
848	reg.exe
2532	reg.exe
2980	reg.exe
312	reg.exe
1484	reg.exe
3552	reg.exe
540	reg.exe
3000	reg.exe
2352	reg.exe
1532	reg.exe
2740	reg.exe
2988	reg.exe
680	reg.exe
820	reg.exe
1868	reg.exe
3412	reg.exe
2848	reg.exe
1992	reg.exe
2744	reg.exe
1784	reg.exe
756	reg.exe
2352	reg.exe
1236	reg.exe
2640	reg.exe
2980	reg.exe
2684	reg.exe
968	reg.exe
1872	reg.exe
1948	reg.exe
2296	reg.exe
1528	reg.exe
2732	reg.exe
2152	reg.exe
2268	reg.exe
912	reg.exe
2680	reg.exe
2780	reg.exe
2732	reg.exe
2712	reg.exe
660	reg.exe
1684	reg.exe
3056	reg.exe
2700	reg.exe
3036	reg.exe
1180	reg.exe
2564	reg.exe
1428	reg.exe
2816	reg.exe
2448	reg.exe
1512	reg.exe
2248	reg.exe
2624	reg.exe
1532	reg.exe
2716	reg.exe
2544	reg.exe
1868	reg.exe
1212	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1864	10be76fd5d5e9cbea101cf33bdac7a42.exe
1864	10be76fd5d5e9cbea101cf33bdac7a42.exe
2676	10be76fd5d5e9cbea101cf33bdac7a42.exe
2676	10be76fd5d5e9cbea101cf33bdac7a42.exe
1752	10be76fd5d5e9cbea101cf33bdac7a42.exe
1752	10be76fd5d5e9cbea101cf33bdac7a42.exe
1936	10be76fd5d5e9cbea101cf33bdac7a42.exe
1936	10be76fd5d5e9cbea101cf33bdac7a42.exe
1984	reg.exe
1984	reg.exe
1080	10be76fd5d5e9cbea101cf33bdac7a42.exe
1080	10be76fd5d5e9cbea101cf33bdac7a42.exe
1728	cmd.exe
1728	cmd.exe
1724	10be76fd5d5e9cbea101cf33bdac7a42.exe
1724	10be76fd5d5e9cbea101cf33bdac7a42.exe
2676	10be76fd5d5e9cbea101cf33bdac7a42.exe
2676	10be76fd5d5e9cbea101cf33bdac7a42.exe
1488	10be76fd5d5e9cbea101cf33bdac7a42.exe
1488	10be76fd5d5e9cbea101cf33bdac7a42.exe
796	reg.exe
796	reg.exe
1424	10be76fd5d5e9cbea101cf33bdac7a42.exe
1424	10be76fd5d5e9cbea101cf33bdac7a42.exe
1696	10be76fd5d5e9cbea101cf33bdac7a42.exe
1696	10be76fd5d5e9cbea101cf33bdac7a42.exe
2640	10be76fd5d5e9cbea101cf33bdac7a42.exe
2640	10be76fd5d5e9cbea101cf33bdac7a42.exe
2632	10be76fd5d5e9cbea101cf33bdac7a42.exe
2632	10be76fd5d5e9cbea101cf33bdac7a42.exe
1620	10be76fd5d5e9cbea101cf33bdac7a42.exe
1620	10be76fd5d5e9cbea101cf33bdac7a42.exe
760	10be76fd5d5e9cbea101cf33bdac7a42.exe
760	10be76fd5d5e9cbea101cf33bdac7a42.exe
884	10be76fd5d5e9cbea101cf33bdac7a42.exe
884	10be76fd5d5e9cbea101cf33bdac7a42.exe
2056	10be76fd5d5e9cbea101cf33bdac7a42.exe
2056	10be76fd5d5e9cbea101cf33bdac7a42.exe
3032	10be76fd5d5e9cbea101cf33bdac7a42.exe
3032	10be76fd5d5e9cbea101cf33bdac7a42.exe
2288	10be76fd5d5e9cbea101cf33bdac7a42.exe
2288	10be76fd5d5e9cbea101cf33bdac7a42.exe
472	10be76fd5d5e9cbea101cf33bdac7a42.exe
472	10be76fd5d5e9cbea101cf33bdac7a42.exe
1548	10be76fd5d5e9cbea101cf33bdac7a42.exe
1548	10be76fd5d5e9cbea101cf33bdac7a42.exe
1900	10be76fd5d5e9cbea101cf33bdac7a42.exe
1900	10be76fd5d5e9cbea101cf33bdac7a42.exe
484	10be76fd5d5e9cbea101cf33bdac7a42.exe
484	10be76fd5d5e9cbea101cf33bdac7a42.exe
2488	10be76fd5d5e9cbea101cf33bdac7a42.exe
2488	10be76fd5d5e9cbea101cf33bdac7a42.exe
1112	10be76fd5d5e9cbea101cf33bdac7a42.exe
1112	10be76fd5d5e9cbea101cf33bdac7a42.exe
2812	10be76fd5d5e9cbea101cf33bdac7a42.exe
2812	10be76fd5d5e9cbea101cf33bdac7a42.exe
2456	10be76fd5d5e9cbea101cf33bdac7a42.exe
2456	10be76fd5d5e9cbea101cf33bdac7a42.exe
1952	10be76fd5d5e9cbea101cf33bdac7a42.exe
1952	10be76fd5d5e9cbea101cf33bdac7a42.exe
2944	10be76fd5d5e9cbea101cf33bdac7a42.exe
2944	10be76fd5d5e9cbea101cf33bdac7a42.exe
892	10be76fd5d5e9cbea101cf33bdac7a42.exe
892	10be76fd5d5e9cbea101cf33bdac7a42.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 2400	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	28
PID 1864 wrote to memory of 2400	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	28
PID 1864 wrote to memory of 2400	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	28
PID 1864 wrote to memory of 2400	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	28
PID 1864 wrote to memory of 2704	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	29
PID 1864 wrote to memory of 2704	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	29
PID 1864 wrote to memory of 2704	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	29
PID 1864 wrote to memory of 2704	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	29
PID 1864 wrote to memory of 2884	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	31
PID 1864 wrote to memory of 2884	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	31
PID 1864 wrote to memory of 2884	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	31
PID 1864 wrote to memory of 2884	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	31
PID 2884 wrote to memory of 2676	2884	cmd.exe	112
PID 2884 wrote to memory of 2676	2884	cmd.exe	112
PID 2884 wrote to memory of 2676	2884	cmd.exe	112
PID 2884 wrote to memory of 2676	2884	cmd.exe	112
PID 1864 wrote to memory of 2616	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	171
PID 1864 wrote to memory of 2616	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	171
PID 1864 wrote to memory of 2616	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	171
PID 1864 wrote to memory of 2616	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	171
PID 1864 wrote to memory of 2560	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	103
PID 1864 wrote to memory of 2560	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	103
PID 1864 wrote to memory of 2560	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	103
PID 1864 wrote to memory of 2560	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	103
PID 1864 wrote to memory of 2576	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	165
PID 1864 wrote to memory of 2576	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	165
PID 1864 wrote to memory of 2576	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	165
PID 1864 wrote to memory of 2576	1864	10be76fd5d5e9cbea101cf33bdac7a42.exe	165
PID 2676 wrote to memory of 2540	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	40
PID 2676 wrote to memory of 2540	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	40
PID 2676 wrote to memory of 2540	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	40
PID 2676 wrote to memory of 2540	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	40
PID 2540 wrote to memory of 1752	2540	cmd.exe	41
PID 2540 wrote to memory of 1752	2540	cmd.exe	41
PID 2540 wrote to memory of 1752	2540	cmd.exe	41
PID 2540 wrote to memory of 1752	2540	cmd.exe	41
PID 2676 wrote to memory of 660	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	50
PID 2676 wrote to memory of 660	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	50
PID 2676 wrote to memory of 660	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	50
PID 2676 wrote to memory of 660	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	50
PID 2676 wrote to memory of 268	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	49
PID 2676 wrote to memory of 268	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	49
PID 2676 wrote to memory of 268	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	49
PID 2676 wrote to memory of 268	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	49
PID 2676 wrote to memory of 2816	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	48
PID 2676 wrote to memory of 2816	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	48
PID 2676 wrote to memory of 2816	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	48
PID 2676 wrote to memory of 2816	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	48
PID 2676 wrote to memory of 796	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	135
PID 2676 wrote to memory of 796	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	135
PID 2676 wrote to memory of 796	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	135
PID 2676 wrote to memory of 796	2676	10be76fd5d5e9cbea101cf33bdac7a42.exe	135
PID 1752 wrote to memory of 2160	1752	10be76fd5d5e9cbea101cf33bdac7a42.exe	54
PID 1752 wrote to memory of 2160	1752	10be76fd5d5e9cbea101cf33bdac7a42.exe	54
PID 1752 wrote to memory of 2160	1752	10be76fd5d5e9cbea101cf33bdac7a42.exe	54
PID 1752 wrote to memory of 2160	1752	10be76fd5d5e9cbea101cf33bdac7a42.exe	54
PID 796 wrote to memory of 1464	796	10be76fd5d5e9cbea101cf33bdac7a42.exe	46
PID 796 wrote to memory of 1464	796	10be76fd5d5e9cbea101cf33bdac7a42.exe	46
PID 796 wrote to memory of 1464	796	10be76fd5d5e9cbea101cf33bdac7a42.exe	46
PID 796 wrote to memory of 1464	796	10be76fd5d5e9cbea101cf33bdac7a42.exe	46
PID 2160 wrote to memory of 1936	2160	cmd.exe	52
PID 2160 wrote to memory of 1936	2160	cmd.exe	52
PID 2160 wrote to memory of 1936	2160	cmd.exe	52
PID 2160 wrote to memory of 1936	2160	cmd.exe	52

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
"C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\DqAEAkUU\eiwMwMYc.exe
  "C:\Users\Admin\DqAEAkUU\eiwMwMYc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2400
- C:\ProgramData\hwgAgMsA\lsMUYsYc.exe
  "C:\ProgramData\hwgAgMsA\lsMUYsYc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
    C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
    3⤵
    PID:2676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2160
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:1684
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FskEwgUs.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        6⤵
        
        PID:296
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1756
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2152
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ngUYcAEE.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
      4⤵
      PID:796
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1464
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2816
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:268
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:660
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2616
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2560
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SocUQgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:1484

C:\ProgramData\HIQsMUEU\JCIsMIEc.exe
C:\ProgramData\HIQsMUEU\JCIsMIEc.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2776

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:1396
- - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
    C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
    3⤵
    PID:1984
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZQoAcEwA.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1236
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
      4⤵
      PID:1132
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2360
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2244
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\wmMAscMA.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:1224
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1080
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:856
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:876
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\gwIskMsA.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:2368
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
    C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
      4⤵
      PID:2740
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2268
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\PUQwMEow.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
      4⤵
      PID:1668
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2756
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1736
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\TAIAAUcM.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1729160131904684573-106224083532755337-1688115532-7851198671954765025-981763750"
1⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
    C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
      4⤵
      PID:2008
    - - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:796
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        6⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        8⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        10⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        11⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        12⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        14⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        16⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        20⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        22⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        24⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        26⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        28⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        30⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        32⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        34⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        36⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        38⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        40⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        42⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        44⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        46⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        48⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        49⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        50⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        51⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        52⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        53⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        54⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        55⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        56⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        57⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        58⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        59⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        60⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        61⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        62⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        63⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        64⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        65⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        66⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        67⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        68⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        69⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        70⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        71⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        72⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        73⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        74⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        75⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        76⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        77⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        78⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        79⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        80⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dsAUUIwk.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        80⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies registry key
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUAsQUAE.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        74⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqEQwwQM.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        70⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EUAAAUAE.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        68⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OwgkYoMg.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        66⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oeIkkooI.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        62⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DYgQccck.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        60⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        60⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        Modifies registry key
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yaYYEcQA.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        57⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWkQQwQM.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        56⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xeMgkUgw.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        52⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\akYMYMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        50⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iegkksgU.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        48⤵
        
        PID:296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dEoAYMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        48⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        48⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        49⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OwocogoU.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        44⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rsEcYMgU.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        38⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LmcYwsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        34⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        33⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\juoIoskk.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        34⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tUYocgUw.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        30⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AoYAIkIg.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        28⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\skcAwkkw.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        26⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        25⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kSQgIQIY.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Suspicious behavior: EnumeratesProcesses
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XooEkAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        22⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oEswcUwU.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        20⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOYYwgME.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        18⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAkEQEYk.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        16⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYIYwIko.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        14⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYggYQsw.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        12⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmQYcIcw.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        10⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KwgUIsYA.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        8⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3428
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:1512
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:540
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1136
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmMsEcAk.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        6⤵
        
        PID:1132
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1872
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2448
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:240
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECMYoAsY.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
      4⤵
      PID:2044
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2616
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1992
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1160
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\eEsAcQQo.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1029422297-57034375717895450-1301765871264754552062146218-16720244501351585008"
1⤵
PID:1388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1847989941-129603296-798102572-995582299-1167142605710545484-1093965478-1734666409"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1729650659-307504585-7548259141525729866209222221612138849221484637458486246253"
1⤵
PID:1552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "852151604-10206585001664018641-398027562-984313713-1497540000-1288984303-127042296"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1982787860974936882136203967415535253661690222218-13702572591873028904343261910"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-29304418163417375311505348592019210983214175895-309203760-1990310434454368079"
1⤵
PID:2272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wkAcokEo.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:3104

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:2732
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:2828

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:4024

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\eusMkAUE.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:3612
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:3780
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:4032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZWEYwQwM.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2248
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:3124

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xUAwoosA.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:3396
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FOcwoUUc.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUMQsMAw.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:3488
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2848
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3256
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:2308

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:4028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\gwkwIskE.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:2572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bMAwoQkI.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:2632
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
    C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
    3⤵
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\icYEYwoU.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:3108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HIQsMUEU\JCIsMIEc.exe

Filesize
429KB

MD5
cebb57c21f3adde57ec893cf72dad837

SHA1
192c6eeabb830602418bd0a82ec58510a5287b30

SHA256
3f8547a17d3d8050a654b3194e99f687636f91b34fd82e04b006f1b958f337e0

SHA512
33d31ea9efa966f1d07a47ab7f1db90ababfc937b2352b71a9ac020c9cc581136b84115c7a18d1c3a3abca7a6c8b92db6ba2c46cf7e8d103ae3fe419dbf8824b

Download Submit
C:\ProgramData\hwgAgMsA\lsMUYsYc.exe

Filesize
432KB

MD5
6f5cf5b4faa23e52d9fb44072150f43d

SHA1
224ef7e43065fa8196bd017c69e19ad8965a3682

SHA256
228e9db530b94000abaab91b9735061a7a51150b213d8fabacb29ce24c5d2f5e

SHA512
a9a1076c7d6a621f544f420acd6facbca415485f14aa00b5962f9db1eaa9c5cfca8cc9a074e802367edfc4b5a83d36d6db0803794f74ef6b51e63d5bc1df511a

Download Submit
C:\ProgramData\hwgAgMsA\lsMUYsYc.exe

Filesize
2KB

MD5
0363d32c57a34b095938b493ea75ac40

SHA1
2c9d9bda3d2f2e650a9bb6991b472edc1928ebb7

SHA256
ee61f0fb5377ab19147a314e3d773c6df035cdbc6644b38be84be39e35008c5d

SHA512
9a2c41393f2748c4ef220ebf85b3c7d14d012c4ed7abb2b653e11b4403e52fd7d07be12db3edefa4565ced7df290ef4cb74ef5e5dc2931447a27d8f987f91a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42

Filesize
48KB

MD5
35cbde129d22ad6080dc8fed0fd3e185

SHA1
e29871c61fe34d7159cf12daa543e1679f3ef63a

SHA256
eaed558d6439df7f6172277ad993c778b631aa73ffce8cd9619b525ff92a2265

SHA512
009e3a9714454ae0b0ea87d391dd42583a390ce74d249a0421318dfa8af27e98d4cfc625f1923304a177a6824210c687f522082783c9920beeba3ab078ae2f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAAgIUEs.bat

Filesize
4B

MD5
3316a068694fe6702da196d626f3d79e

SHA1
6943112e373b83cc9c2f5ce9385142aaa835229a

SHA256
1c7113240564ed7db5b1c9fee13fcf87071f9020273ab60672496b0d80c32432

SHA512
6c276b61f54636a191e77d0fc490a131f3d728861a72a59c984f38fc135c79ba870e6f749a32841d88a528f3fbb71ab4f9e5a3aeeedf62224ca497098993e9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoAQAIEs.bat

Filesize
4B

MD5
6d5c3d0ceb2a65c7ff5b55b41a9372f5

SHA1
fe7610726a2e5c983b41a23e522cb6624b9133a6

SHA256
90997de2d5fb686e5fa7a7a10d73eda41af2127661c827b6a6d928b24e5dcbc3

SHA512
4c0c1a555d230c6d84fe2dd25be0edff8d0eb917d63759f153bd122e2de3e06f253a291bcb16fcc45615361783b16924792b9f4c2949054ac6514d60c07bc52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsoU.exe

Filesize
461KB

MD5
ed091c9495de26222c5dab22c12b77b7

SHA1
f6eba59ce1e65783da11ced5c9e61340fbf38905

SHA256
aa63ad4ee70b114f6cb52bd6039211fa133eebb3a0be9ef75e5f918ff74c2404

SHA512
6f2d6cb7c1f1ebe7f566da3f71a28c7e4f060b6c09301c40e591b4fef8b606f9b9eeae6687866d4a8aa6978d9ea78b0da18bc03de22f293cf370f3596b59b066

Download Submit
C:\Users\Admin\AppData\Local\Temp\BSQkkwgk.bat

Filesize
4B

MD5
11f43579d04119bcf465b6d73319de60

SHA1
3d82a1bb360f63d8f3996cba815144faff9a804f

SHA256
9d0a4e3d69da8250973d6098ad692f5577875480e0de058f39fb6b471f318148

SHA512
df735c3524022daae00933b296c583d234c24953e58ee8261427fc11160b28c07fd5e9799379094858bc1ebfed3c79c866bcf1c14386adff618996fbc027b881

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmMYUUIE.bat

Filesize
4B

MD5
f21bb08f46d4ca64a8e3ad6844e07647

SHA1
ced7c3f47db5d9441b9a0195d2aa369e15f84991

SHA256
8f75d2c2ad5295a3d1510da78d8ae5f614932711e7ba90af1e53165891df0419

SHA512
664147e5bf37ea173391eb4082739ed5cc6e70659aaef3eb880759631dd8327e228035df0a5e5662b8a96395bdbd48400bdc68ddafee72495b0539f86de3c5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEcwMYkc.bat

Filesize
4B

MD5
29e24611c96bced65e6380401488dd11

SHA1
a6e603247aa52e2e446ddaf1274d76e14744cd4d

SHA256
d701fe3c10d918386de21486449fb2758f0aa7cad6089eb45a74835fbe2bc068

SHA512
4f6474ac5e9d3d9eb4c7ab12d99c26a49c7d94cc22c27700f84da9b1cbde075c307a0f8ee7a7f35be401b02ce53f6f699139eb259739aa9826f6890afd41e5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQsAEMwU.bat

Filesize
4B

MD5
2bf283d4b0ff7a6f1e8bbfe05ae5a312

SHA1
69562883851de71373f28b67e47033834320dd4d

SHA256
7afa1b11a4da50063ee3014f53f0e11ea534007f28089a9bdc0504c70e15e930

SHA512
edfd38e9c0aaee489bda03d928f3c3da029397ad611bd643e2775716d697b0c995a081c006f796c1d8a827ec185ef736ab5ae3e3e9fd72f489e3b8c7839ddcdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQsQcoAc.bat

Filesize
4B

MD5
9ab4e3d5cf0cf588ae5863b876b1d11e

SHA1
df5b33802d5d43dbc6824b2ffb445e0a5d9ab654

SHA256
c179ea6e0e4e32673fa69c2bdbd7f9ddf6b3844661e39baaf487cc31b3ffa372

SHA512
d7dd30ded0d38be5750e3f697e184c156629f5d7b18817b42f35c15911f4d15bdb0e2765c4e8bf77ac53b3ea833953d70eb1fac13f3c20f25a80ec227a560dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAkwIQUg.bat

Filesize
4B

MD5
bdf714ae0ff64c1f919d85a31eaf2a0b

SHA1
da698481add9cb012dcf678fb6829445826b410a

SHA256
298662a701dde9e2d09dde00b48b39cda4b9f80180aeaa08c8b5c88a85bcf5f5

SHA512
4a4b2ff70489fd94af699d8e42d6e7831bf89e1f182300bc0374381e4eb8f86e85fadc85a2d2af012b51604c4afeedbe98ef0bcf3358c360b37dd89b4ae300df

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqAkMwUU.bat

Filesize
4B

MD5
50bd3bce54856d1ce6b65de1b849e1c7

SHA1
68f07a9bb28e3cb69e82b3f6b922d786cbd22987

SHA256
0cb18489a5ad288c2a1bf1a1b967ea28689fbd46a4890530c9e0d734dc4a4075

SHA512
c7ade4a06740f05f7960ca4440449e4983a0cdee65e38635f75e72575fdc4cc50702f130bde63331f8637548f1e500065e236abe469c595437a5e35e7fdad922

Download Submit
C:\Users\Admin\AppData\Local\Temp\FeoowoEg.bat

Filesize
4B

MD5
dc72321da90645dcf3c67d415ceb2201

SHA1
6537a70bafa614de1e9550781180fd3f16cbd50c

SHA256
8bf7cbfaba4e2c3f9e06bbe4c5556a09393eb0226a16cb4ea3cb3b84c9986561

SHA512
504c10abe9146d3aafc957b2d695d65f1ab753bdadf9e14035ae07cafbfbc21b00989df673c009fac5e5ef707401b3e18ece9b3cf6173bbbcf83c81f87f13739

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUga.exe

Filesize
320KB

MD5
b9c64f542aef78b810ebd879114a5022

SHA1
98d4eedb028441b0633443e92f54e4a31a20063c

SHA256
13a8de2133b0e17d74c832921bc4147015d61cfa2388f16f3fe096668cfc89e4

SHA512
3bbab4cb28510f68df3e9019cc4596fdc73d28bab57e05352a1cac56e5151a4d556b1e78afacfc59f1d3443eb85ff194532bcb26586c91bf539ed7bf24736ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUIE.exe

Filesize
256KB

MD5
c4c186a7a784df2043ef415e887378ad

SHA1
853e7c771322680cf80e35b0f401c35fa6f3085d

SHA256
318011953eb1ec9b28d4c59b90581b48f42314f80c63a9ec585c73637edf7723

SHA512
0ca88972709a40e63a30fabaf629fd448b66ba353f86160ead776dffd90abf99035ceb2d8a470fe4a8a93a6deb4a836e9c53db0ceb7c6c2f17cb66b082200633

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGcgIkks.bat

Filesize
4B

MD5
9c329a28b60022eb657105d1d0110541

SHA1
4840835a39094cfd7e5973e7d6b3009422d74e34

SHA256
46211c50dd58b2614443bd4c50f0d0db7c150e8a4bf38ffdf515682e2729a507

SHA512
a31f9ef828388405397f3d287279fae28ae7b0ea34189871e0c2d89e41b13a6bef05f5f03d5aeb51203babe815f2186ef8e7450f80cf822bd3b540b0b025547b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaowgAIA.bat

Filesize
4B

MD5
b8f0785cc4cd4a2c9844df6cd0b0cf9a

SHA1
3460741bc2dee08989451bd06a56208b548c6b7b

SHA256
7b6cb5dcd13f085188ef10d26c2a5b474a588156ac237afbd98f5be9faa73df7

SHA512
f7052d52b49343bf4a1ffc8a91c9f6e01e78549af9f7739b470915abe8ebb52e056e9259c5fec1d5e9122dafa995f214dd3bc50c088c7bea871429d379f395ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYkm.exe

Filesize
128KB

MD5
190ed2ae71bd5bd702705e716266c098

SHA1
70c81b8800d0c63f313a0962c2184c8c57e85b12

SHA256
e0ca8c2138370a9f3af929800464cab2b745d93f9d3cba4d40b75523124c18ae

SHA512
46a76f8723b6c6e09ade97982dffd9d231dfc5ee2d34918ae843aaa64a4bbf6c2e30411f37b9dedc9d556291c8fae5d30e9bf8226a15939b1aaf8c9f4253897a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgIc.exe

Filesize
128KB

MD5
2fb7d6727447b5cb601bb1842075c806

SHA1
eb09c33fb95ccf698f405100e4700f7476e8322f

SHA256
38e51b419ac406afbd6198eec46734e7127292fa6a71f140a8403baaf7d5057e

SHA512
e2b773fa9ca16ab1525a2087e99b818afb5ab27fcff350c3945a7bbf387e268010c67aabc1411ae23d76307cf707e2ad6626f4ca790379d7fba712e06fd8c2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGsYkMkw.bat

Filesize
4B

MD5
eda3846e644ff505b98d5eb31a5792b0

SHA1
250839bc88e646262364158e3d7302088f43163f

SHA256
8e0f1a8c4fbf45f709897e802a4a5f2353734f62926270a124fb45f5837a143b

SHA512
d0cf960771fa56825c26ffb23a574bbc09591b3c669fbf602569adece8b3e787081718a286ba55ecf20d4811db9d8603c08a5806a339262539cfd053d31b8a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMMkMcAA.bat

Filesize
4B

MD5
50bfb2ef455b7665da361492c535b0da

SHA1
eb4582bb13450649389598c3f39dff98b39d9c50

SHA256
a8f5e0679d9d184c5d44149893b47d82013e12421418d90951005a1e9360c23b

SHA512
f6107c46ee4ef65c932050e2309a2ef6f7851505132c922ad7793ffbfc0ef0d50e2e5e7f51d823d23f92a28f3352979b382a20de36e145af3437c58d62b606d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUEQwwEY.bat

Filesize
4B

MD5
9de2b0f77adaebcae405941bfb40db83

SHA1
d429f53585fde45392be0a3fc64376fdea416a10

SHA256
948fa8b25c81dd3e5c480b8a006a12a1576759290649058216352c5087230e23

SHA512
9fbd657a87d977cf29dd335a18b6f3ba8277c5c0b449c3626564eb1281575eaf67e5a550b9d09af000576244c1e55aaac10619f37698d7954abe71b281f2e30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYUs.exe

Filesize
1.2MB

MD5
4b2706ae7d4cfe53758cc7b29b3227c1

SHA1
1fc3e799c17c5b20dbe2fb248ce9153f5cea5b81

SHA256
788f1a42788aa237ab8029797fe69728a531298b23127dfa631cb5a6787b38a5

SHA512
e7cc1bb765ccd8cccb83667ccd5827d70ca528c4dfe078d471744bab012c734932b967c72db5173b5eb5e8869a853ea41f81bee4a5a9b7ea8d374fbec267738c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MewAEoME.bat

Filesize
4B

MD5
e90befc0a5c3d2403e1d1080d430fdb3

SHA1
21ac0d31b7cb3c683e0b6f827a162e6c9b4f912a

SHA256
df20828358c4bfb742b6485ebea2cee355bbbcb9f64e9ae6fc36b3894acc3956

SHA512
ea33dcfc68fd8ff96a90b5caf551f9afaa6c1ab4518bf73e7d2190932c552bfff9bc6f9d03c6aaa0f817338ad97be98187fe0be91a743899c7729ee48be5b055

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkUEYMsw.bat

Filesize
4B

MD5
501d329cec56b15f6db7b3c6fe92e711

SHA1
b2110eb264c47f975e54f7ec1ca04298aab98cba

SHA256
af0f2fcd05f364f9df423927781b010a2a1bbe8731f4821cd2541bd6061c98cb

SHA512
353dfa90d91d71933de99fe075300c295500de45e5abee8bbabe33ee79e96ea6e33f7024756c06e42c5537f0e7114aefd4b30e310d8534926f91d23290355c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQIO.exe

Filesize
480KB

MD5
f192942d5034104fdc47d62751701285

SHA1
65f4b5f4a49b80fa164708b55d790446815663b3

SHA256
32926e8d1e5c78d88615d273d9b2c346094b1e3f624156596dfd6baea69d72a5

SHA512
4b1279848f19df76a987096357e2c77b23bf4ad2b4796ffe93cfad0603994cff8a38a645058b303c38e58605afe7c71e9dd5780e1e35b933feff0566c4201880

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkAa.exe

Filesize
482KB

MD5
2f1c1dd122f6d6f738bf88624a99c5e4

SHA1
07237f2b49a66525a2e5c7fb181780551b4cf52b

SHA256
9bc19e9bab19676c15529fac96075b043e75757fdfa8621db316a496ad176b61

SHA512
e6c47372ba418e2a5f779c6fd3ae6380c0347703bb2c450c4ba7c40f1ff4721a199f1fb3a38f5898438c54796e5a2f50f7c8941e33a98de79cc6b8102e78ba6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAcoUIEI.bat

Filesize
4B

MD5
be0139e36b02fe3e5401815f9fde49da

SHA1
f0768d0a0a6b44ce62b0d7b5a5d98ae6a9f1f2a4

SHA256
ad1aef2d2e9d82648d53c1c483050b9be56ef3c19d1b62cb37aa0b4049648935

SHA512
8efc9f0f3347a487b435da40c1e71e68af64f7b0f5d91a5a5cba355f951cfaf264dd0600b0eab85e542df5328fa9ff108fcfca51351cc44104b53c839615c767

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgUYIoos.bat

Filesize
4B

MD5
ab3bb99212d792250efa1569911e572c

SHA1
285e2769277f92c001433e8cfabed2c97e1fdb71

SHA256
c4b6471421b6ac0f3bcbecd5278e9357548f8258de11e883833ea15dbcdae50e

SHA512
d4cb2b8d599925a0d5967d00bc4f98ba0750b00bbda117551c9fdc57322ed3e5f8a4e5143552d7402af4a489ca7034dc1328fdc233759801eee61a40e2308dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOYMUcoU.bat

Filesize
4B

MD5
c1f7c9cd6b4dbab5080f0ac740580d0f

SHA1
73860ab2bbe384d2b3fbe92961f41f0f54ee697f

SHA256
7a1a07212415bc1b0abd7f2ddb6d6643d9956481ca1e863898f8a4922f424434

SHA512
add1180822830c2b38ed5c0082b5d75adc48bb63eb7534a7107e03e08fa9d23a2d1f56d3e4892cb35923b867ef7b680944dfcb6898304a40068ca14f199770c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWYkQUkk.bat

Filesize
4B

MD5
5362d23fd8f43858d5fe970b40d190f7

SHA1
3bb6ad14a0d467557bc2de633f8a28c5b1b4410a

SHA256
65aac687f98b91a04658e63d21e422bf6c2fb9985318538065c01f622e446c0f

SHA512
bb207cbfd502d8cd6fac25367fa2db7fec712d2b79520868bd54d643589493592a26fb204c8329c14b5ce6d1535e76eb77a39555c9e39c13523cdb411a48b1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcQoIwoo.bat

Filesize
4B

MD5
3a4e63733bb90390d5f7f350955120a9

SHA1
74b749a42a3d2c07f0b94912e1ef8b5888afc148

SHA256
b2ef263265ff3fb939a9240ef3ad6f6788e7c5fb24ee201a05e26f66e5bc22e4

SHA512
3fa8c22c14f84e74063c834f1be69fa7fc1d731220856e5821c681977fb046dddf0ebeb5bf08ac8958e63a1fee435286342af4823305f63fb2d91bcd54e66175

Download Submit
C:\Users\Admin\AppData\Local\Temp\QeAkUggA.bat

Filesize
4B

MD5
281fa5ee3f4cdb0908994a3a5665015b

SHA1
d6c9d9a5121a4eae4430c3b16d322616f2901f04

SHA256
c963e8105ad17f7c0a6ba5f30080e475ccb405463143991b776d2fd4e776cbc5

SHA512
20537f89e7bd18d427ff3914fd41ffc8e82ba5f54794517b45df5a7ae6585b8c44d792e6a11a88a99075075506f8103903889014c77cac4792f11164cf3caae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIga.exe

Filesize
335KB

MD5
b0d877a48d193475a6b09decc71a09f7

SHA1
bfa3f930dc54320f86dda21d08ed7f43f0cdbd9e

SHA256
7547ed2721b5cb33add1ca36f9c91625353d46bbe1bef13d9a022834c0be2351

SHA512
35cd2549653aadae4d501f6884a4258b51eeb24c0cdce9c9a50259a7cbe7d6b06c4f6bb41f11c13f2d2f2066c45ed4b58b2c3b78f673f67edf75a84404adf8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAQAgQIg.bat

Filesize
4B

MD5
7803972bf5164ef80ec66604e9620882

SHA1
23a6e65ba40cbc946ebb8bd750ac4c94cc7ba4e4

SHA256
430298bff2175a234015f00ae89168786e0177050ac17cefe8a7734440ba774c

SHA512
6c99da7ab339e296c29e7e2b1856e601716945ab6f9e7c429f339330efe55b2e53a3a3fb6030d4e4258082c38937ef0e15189ed1553a83c763d343532354ae2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGAkwocY.bat

Filesize
4B

MD5
3e1d9f921bc52bfa910d82f550948649

SHA1
bcb82ac7f8d887dded3d2e15b36dba1af8aec64d

SHA256
8fdb43b6f4b5f929d0d4bd548af362c178b0263ba0ecb3a6c5c622e523678680

SHA512
9d0f30a6ffa7f4a08b92ec96d038210e694fd44ba7c6ae24bb723fffb44a8376f701bbe4086d72134509c5619484564246a4299844c2473cef2dd02d7f7a284b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIQYAssQ.bat

Filesize
4B

MD5
77d0e5b275d72142bed56cf8b464fa4b

SHA1
f33741c171d51bcf9709c3b95544ee9d94170943

SHA256
7d9103e024fe98a94549033a9eeadeeeee33d85e687cf59b336459d023d15a89

SHA512
404cace333d29e0ebb42f439f5aab8816a2ac9152e8963d79aabac75a8210fc84ab4ccb0499da6ae4badf0c9e7a07f70732912b0cba46795fa8bec388b9d07ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYMwkMAA.bat

Filesize
4B

MD5
a28cc4dc551ee01bd937ab6bd1a74ce7

SHA1
2282e8fdeaeb4285fbfd1a711f732ddea99d24a1

SHA256
01dc461a0df55b080e44885134a8a39a7aa5b0ab24bc5c9f23dde168ee8097d3

SHA512
338960bbf8f9efc1d8450974bfda40077edd9c9c5660c61f8e0d6269af7aabd49f162e4b1056f31dcc2f2d12a856bb638c31fd8a30473cf4ce949fed10b2552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiksQgMw.bat

Filesize
4B

MD5
9a5d040c672e2b118dd3f4c7e0c6d909

SHA1
c5c89b860cb448435ff6650e2ed8ca47ece6948f

SHA256
4e06097dfc72b7e9874048e80246809aeeff226d15db3b3e584ceccb2de2b29e

SHA512
c04fe3824c46f9310013f70f29f0ba4c3e3ff1001a80dfccc011333c9ec239d29cd1bc778da0cca5337a3cdeb5c6ffda1810758f47216c797e79bfb49714381f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UKgQUMEI.bat

Filesize
4B

MD5
bd2c2f2e66e2287d31b968bb13912c1b

SHA1
fddca9ce1242907ee6a645cf0ac8d9ee0d62148c

SHA256
3e411e2cf30f8984e8bd14043629ffdffef2c2a90f066a5d24f61050d8767988

SHA512
db4441d04ae60485e45b49c5cb39e4887d2bd62a6259635c313f68b3894b5a4b79d2d98f6acb1d5d7ff9d8473ab73ea35c49e783717945bf59af5675bc6b22b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwwssQAI.bat

Filesize
4B

MD5
eabf19fd41b30b1856c4618f84fac6fc

SHA1
1e1a0087d42804a7bc3e7a534b3f00820a406f00

SHA256
68be0dd4468ca578962ab3fa6120df71d6800313ae34b89724e6157b9f3d3e21

SHA512
5e469c27ab2eedae3cfea93b5c7376406f69d025bfd6d2beaa3776ada476742f792f7c8cec46940719f1e60484560e1f42ad7d1ba5864d0ca69475a5fe4d352e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOQIQgMk.bat

Filesize
4B

MD5
07b748ee5ae3574b901857da5025bb58

SHA1
ab744842d3fec1d729fd2d8c7a2bb02e042388d1

SHA256
30c578a368646ae4accfd65d6f790584faffc66351f3c20f0bcea0e16921292e

SHA512
b58aa47f3106659d03c18ef9fdce26b95c01938b6d29885a37e29199718cf9314e6d93f2d210c44235da44d2c4423cea30a30952fa8a6deb819a81c84f0ad823

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUsW.exe

Filesize
560KB

MD5
8559a2b6baa54e321f1911b884ce8609

SHA1
749841c8b43ed6ef0a03cd51830f51a7d5face3a

SHA256
e5376f58a6f04077d09a4808b060e1eb4bc83de19139997800b5f9bd801a6202

SHA512
262dab5a3a4858106cafca99add77e656bd8e2b77d9158b15392ebde8302fc1dfca71b8a60b71013ee540792798047f65e80b13abd03c5daec5d92058b6e3fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUQ.exe

Filesize
476KB

MD5
51d93eab1d0b0d7babb31f85d4c7a8c7

SHA1
a8d57d47838afa3b69de1346813fb6c0bce23baa

SHA256
9f3808ee14c2f88914bd7ae2f2cdf5920f4657fbe2f54d093444d09f662c83a1

SHA512
74fedde5d625577270af42ad93d4a91defdd4c7589c14d754afa533e6492e9db2728f5d185df09e32942d87e24c3e32107c3836882bd5aa30914d25d768e3cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XGsUYAIs.bat

Filesize
4B

MD5
61dd221fafa019ff8d9f60fea8326a11

SHA1
5aa7dc838d8c12a0aca55dc05394005a3a936c16

SHA256
fffda3fdd70e399b83f03c056bf722606d43ed0a74ef2da767d19c5fee7bd942

SHA512
8447229b0c5425d598d0a886738c86f7e38ece656b8abf0783dfdc6a5d6dda61657edc4572ef15bb34c88b03b2c0f8eafe708b41056d8a9d5e32a0eb68c764a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XKggkMkw.bat

Filesize
4B

MD5
3021c032824759e117c2886e46ab04d2

SHA1
5aa14f3ba010600ff177c8b0d9b4ebe7fc117b61

SHA256
d5133cd14aa48ce962d567c8fc944b1bc5dcf0006ee3bb0f52d82b8aae17f1be

SHA512
f2b668e739c991b1b8e8387bcc64c00f83e5c93cc3547dcc6da6716ba806e87e600cf3f388b045362b460a6ff048fb9dccf42a018b6d4dcf6a1a12293cfa1b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMgM.exe

Filesize
481KB

MD5
4ba76f738c4706f0042cd1810c75c6be

SHA1
bd9e4186f204a1a4c3c639b65cfe07c2fc805172

SHA256
4be8dc547b8a9112dace421d383719560834f9b59d831f5f9a5e246cd4621966

SHA512
d64bfa1c589363caefb4f660d0e03a12ac32a910df66cd5c141eece57eae6307494457a8eb59c43bc89badda7d0dcccc96381651a28516bd487d88b6dfc43893

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkEO.exe

Filesize
480KB

MD5
73586ac926e5305a587387231df92bbe

SHA1
5fd438ab28751c94327c2c7123a54fcfbdb4860b

SHA256
bbf287edd63d975c3e6f11d3b60abaae9adbe124e6ed2d458973e520255c9ae6

SHA512
57a79868755ef9014bd342ba43a417490f28cb1b7582dba26892b133abe396a303ecf670124ea160059295e9bc15ac33efac780f291448d2ad360cb05b0919b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkoI.exe

Filesize
477KB

MD5
3fce3fb82bac5536f974f35319454860

SHA1
20558fbefbac9736f721c7087220ddd12f7d1c51

SHA256
dc561f7b20eae537871f06bf20460eb8c744c2f2de8241d160d487351ca04d2f

SHA512
c3733ebe5b47a864ca3b79bb33ef0b321ef3f6000d339f7d6f7a4b7734efc5b1aa6264573e7622a33e6cf5ef18e3bc0394c4d1a0933e5cf9800a76f9a103e7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YccoMkIM.bat

Filesize
4B

MD5
292792c946d82d63ea98d39dc5a8129d

SHA1
564123322c147784baa5457c853c01cd300a1803

SHA256
ba5830989c581731c414c75a07bd08088c6c7656f2fb30234daac6d10b748d5b

SHA512
63ee1ac3661b1bcd50c49515745f9c16a5a9d4179f3b09a98ff1bd42e765b92a4da8e9117639d8a4e6e19a5dfdbc6635963ee43cad48780cf59a6b59ee3e7132

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywwa.exe

Filesize
128KB

MD5
3efaf533ff285f847bdca0ddbabb37ab

SHA1
bfacf93e62ce36c5947e5372a8dcefad8a52cad3

SHA256
30e8e25fbd57ab9f68f02b3486550f7ddbe15136410837d51052bc10d2b62d08

SHA512
5657d365530230e8b6ca80ccda5552b04ec4947797e11a8a2fc406e8d29a3836e247a56023a9c0f542a6cc64114f9d2e0c5b909298337ad30286fb1ab2970313

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQUw.exe

Filesize
480KB

MD5
86f8bd39e300be8b360098b5ad5180aa

SHA1
27275a6263c1dbdfe97e94342baa6ce4981840a1

SHA256
b8982ecb67c4195cc025b2ac791d87d4a9b939de0c9a8f57b71c948410caf9d5

SHA512
975e238836ae1cd81cd741267dcf4dead12c58179e7a09049eb5a93bb9e3de7db71cbb8a0f3c06e760923f75c0a549a011b921cdad9331f582a1e2af785fdd3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkUsEMAA.bat

Filesize
4B

MD5
896cb74a06e6fd72d547d4e29898ff00

SHA1
f3d0590408168baf7b236efe71a6e8374a8e1320

SHA256
657369a7f71398b56ffe3bc34eb742b599b2b73f1c40f1aa5b414acbea45cb73

SHA512
812a8234c69168dbf8b9a75bdf9e7a815c8b95943d3220529863e81170a852d315958d3b291dce91dc22297c0f2927c9dbad3948cd0abc80a882c18ca9ecf70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\asgG.exe

Filesize
481KB

MD5
f5264fc71df3e3878dd7c8567b1487f4

SHA1
16ab849f4ccca3d1c1f153b229d53d98d2d9c7cf

SHA256
8ad93123a1286f674d00a7ce03b8ec0eaac1a2994db91fa5c92f128ec291ca88

SHA512
6495525a4c16f2f98b2d7713704533a696442a244c9bde26e6fed413d08dbb1a3699d70de7ce08db176bff9e093bd683d7ddf0ab9186211df08de32e94349f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgwU.exe

Filesize
281KB

MD5
44871981f7ac2bfa38e0c01439301cbc

SHA1
4cce26ed09561d028dce14b1779b352bc75c0c1f

SHA256
130b7529636f02600bfb94b38cb5c5f3a0d1af329b20d49f4ced0341f23882cb

SHA512
3735a09e1fc9d2bafd76f79e594305a3d3c41cb3e94e6f6ce51c7a9338daa832486812005664a9c505c3ddc0ff19a1507a3458b1c403aba6b9848defc88281be

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIYY.exe

Filesize
192KB

MD5
1e9aca278670097617081bc0f8b02f07

SHA1
c3756ffbe1079339f5e484ec89d92880b3dd01db

SHA256
b5c020f33efdf102200c13d42c55538db50d8b99d831e0d440a833d2eec74a65

SHA512
d2813e591596e8cf4399866f9fef432db2ebd5a2a78e1bded5b5cc6c79714ba7df6a245336744f8e22fe4a4c0707d8c95575d154fda5255cb6a022169a10f393

Download Submit
C:\Users\Admin\AppData\Local\Temp\dKsoUYUE.bat

Filesize
4B

MD5
a730e1fe3795620f1929a8a605cf94ce

SHA1
35520c15dd8158f8a33c703dc8c617a52fb866b1

SHA256
9970b9444e9c5697ec99b5849b00b10a105f5b67f8e0ca4ed7d17a51fe408fa6

SHA512
942e6dd0c821cabda1c79897882be06e34d43e48c878a8b486a07ade482092bcc1800c0be05ce98f5a5574f632a3f56938e9de05b895fb23072ccafcc1033d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecgs.exe

Filesize
479KB

MD5
1b3a3a80adc42e45a820adbcd51ba81d

SHA1
d466cbcf8716931091a40bd5b0ebbd3587acb238

SHA256
4c8ff7fd5953c2bcbfe577a3a3311ab1ad4d0cb88b34764989028273c985a81e

SHA512
a1d19091d2487ac1720c22fd35b305a5ac86a28bb8818c08090c64d4e49e477c435c5890da966797b346fa2c2516ea4c5d826889182232e5de7079d8771823aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\emgAckoI.bat

Filesize
4B

MD5
a29d469213ac580e2ec52bfb8b219a4c

SHA1
2f82c5a6836f084d03b0d9041887284439efa882

SHA256
1933ca7c860475c035b7d94bf1b2f932b00f02302e8a5bacced47843577e99fb

SHA512
55dc6e17736249a99ffd4e6a2ce6a0dc88445b7fc8f4db00cec6c3cc0197125433b9613c3dc14060604b626d162242f8dbb90cc0c23277256137525a229816e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fOMAcEQk.bat

Filesize
4B

MD5
9660ca993121ab04cc3e8af6720b598b

SHA1
244745d096d4aa3fc2470bf701a37bafdc2ed802

SHA256
a28e52e5a9c5f7bfd2732a71180823b5694136a9b918d975f9ee9465771be87f

SHA512
fd76be4262ceb2ca90bdf25f5d314f00bf2ce1a5a16dd3e6651fab9d772c70774d1d649301be64dfb8be0afba7b786edce5047fe8ada7239f5c4729e89afc894

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYIoEokM.bat

Filesize
4B

MD5
116f98949470a81eb3e43496560ae809

SHA1
4764aa1f2a9ee126a91c7fda07c68b71339b51da

SHA256
a1d56a8a4f169bbe67d5f23d7c111269fed6924778e7bd7f1ac0486c4ceedfc7

SHA512
fd27f0a38f1d6d15554d7690c925859cb7f8cc0ed8cfb4097b3e0b7978f701bc8043b2dcc49b82283db71e0560878ba5652f1f81cd46efd93a752bb970afa3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\feAkYMwU.bat

Filesize
4B

MD5
4053478507dc0e554361a3864da257eb

SHA1
9874e87b5a91fd08fb8f07a7c8d8ff03a16f798c

SHA256
ab9e73cb213d760d7f4b64b69fd6e01a9208923a7d3a1fe9aa6181c06837d786

SHA512
80f1bf7be6efb82945ccc3240770ae9a4bf83404ffb030828b9a159bb074452484bf43dca65ca680bba1cad99f66e9dbebf02fc3f8f03635d4b4d285fbbe726e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAAwYwMY.bat

Filesize
4B

MD5
707f843ccca040e9ecc8d0253bd8a0dc

SHA1
32fdac591cb02d7fb1eccc0e83b1a4ca05e584d3

SHA256
edf28c3bdde9bb5e161e1e40896d088a2fbd137484c06856e47cf4e5087e70df

SHA512
690301741c7f15dfb479bcf2d0243fee320cf24006defc22a7fa9634ac2784c3224ee6350f36d00ac033c771f9097ca0cfa97dbc7b1033a39a67359af286a8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\guUUMYYQ.bat

Filesize
4B

MD5
828c935efdce82b3d1feb6d34bfadfc5

SHA1
0d9d090990ae2edbc10e2fe33088ce6d27a5b076

SHA256
ebb9aa92628c8515683af2324989de8bfbbb1185425131c1377a076ed7de765b

SHA512
37ec0b1998d764e67b59d26dd1f4516ee866fc360dfeb04bbec673a2ccdbce5a361345f4a5f64157e551853705a1884e07ce2663e13a27e4ad2ee9221f1a681d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAwS.exe

Filesize
468KB

MD5
99b1fc7ce8d617745fb811a2235ca21f

SHA1
51865b70e36b846a797596ff50ab82cc6359894f

SHA256
55886a4814ae780cbd6dd1519a4ce54d02f1e5560da1ad8f767f93453a6ef711

SHA512
aaae70e7269ecc448085c86f9990cd33b00f27c2e39410086bc3626be29e24934ea01a84282f3600797820848a92515902243fc3e01c062c18adddd0fb83d9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUsMgckc.bat

Filesize
4B

MD5
a460d6466a4f1978dc82abc4b506c15e

SHA1
3a47db008d230e7426bf682558c5b2fe64e6412a

SHA256
27fdb2048649471302b95066b90e5ffd282baaeb8e39a6e52bd48d5c32a592dd

SHA512
5e52d610381188f2a4fc237e6b3a994ec1173b6e55dd2cfbd6c54a672653afb5c13b0022b9800cb1512db1b2ebb88d059cfd2987e391d2036a0d8614ffaa6d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgUG.exe

Filesize
479KB

MD5
4552729c2513d435f7782796f63a2675

SHA1
deb512af0010ee6feae944312ca3bbe61ef3f308

SHA256
0ba4d1e07cc03405eeaac9e83ba255e0be683950deb0ab7639d84c86b2d34328

SHA512
599b7a97c829d83b58f87048b7cf10b83d162460a05690a6bed8132b8464dd2ec25a7b13079a6445dd324994d57a80eeed4d724f267b9cfd67d380d81d8c7b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkoq.exe

Filesize
486KB

MD5
767100315170dfeef68dd6ceabc4e7f2

SHA1
608e256d525167b6213c2277667ea8e61bf88ff0

SHA256
7f37c8cae53d7cdcdb90753168891959d908eae9112eb4911992ef1f2093be4f

SHA512
9a7120c3930b4300794943032b11a0e397996ae2c7e2537959c632113138e7dd2c0e07a883a402705af2a3de26d746eb25dbe9312277906b2fc867d2d20e6695

Download Submit
C:\Users\Admin\AppData\Local\Temp\hskoYwMQ.bat

Filesize
4B

MD5
7fdbaef71704edaf4b6d4883d1511edc

SHA1
4cb953c1d6823ab27b91029c93e997231bd00d97

SHA256
35bec095b00544b55f085cc3bcf03c38967978a9ad98c2777db9a1d5d79d3120

SHA512
867c7b24ff636e9b14feb582d8c301cf9e3c96b24d6919f4b374cb5e1d147a9e81cc479d213a88bbd46806835300c55d23feef249aeb82d49cf58deae2b3242d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMgS.exe

Filesize
1.5MB

MD5
7cc4c2c157f1cf7cf3e2933e5a6497b9

SHA1
d653f8419e86e8c5b6f08e8fb4fd09e2141e7fb3

SHA256
ef773c2d129c1c94c391be30d77a36ca0664dead0a6eea82ddfb419d9f69646c

SHA512
de7c63bc136bdbf2362e91cdb822f984d7a2e44f96d34289e18828b3d0a056c8582bf150cf6d931e7899f57d3c518c8b959f6d214945c3b55038c636035d2fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\iiQsYIcA.bat

Filesize
4B

MD5
6c4df55486405b36b1b0796266fbe479

SHA1
a78ab743e6df4367c8dc642bf0a9cbf278281f81

SHA256
106ff833860bfc7dbf75b33fe47c9e55dc9afe307ca33f336e07ffbc20030b65

SHA512
64ce2cd57bd314db7171ee55f49cc470176746274b053bc8761026d37e1c6c566b2cdc73471c2824eb7fc128dd0909851e4caf0d6410ae91e00b13fc63c14399

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwYi.exe

Filesize
384KB

MD5
31b80ae32752d05b7930700261c44787

SHA1
aa149532710ef370aa935c511363d8c189b701dc

SHA256
16484895c88214978d9cd3d9167b0b08019165d25d4837eb3e35a070a328fecb

SHA512
6541b2951faf04325eef59103e3514b954e75565caca0ef779be5b02fa5710e2a50c875cfe1e5a0830caf188e699e8eadbaa3fc5b7b563eacb9019f7e6f6241f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwcMAwcE.bat

Filesize
4B

MD5
59185e0d274c9b33330e586d92b48ae9

SHA1
5b2a2591726cc6f82279235c869e3f8d366424e9

SHA256
0af3dd0f7c3045bbcf5d5ed006607e0b77721f35f143c5f5234fd8f004346d55

SHA512
14264fe66b868e3cd5d1858045a023f8750c3260ea758909525a220c2ee26924230b3a98c4896d8fdb1fb172d573511f2e92d88da09387ed7748ec4a93a46072

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYAIEYsA.bat

Filesize
4B

MD5
86e244238c69b03476660facd1513e87

SHA1
76e7cd54d6012890843ddf520e02f18524607246

SHA256
3942971a4bfa5419c8db158e7158df843b2a011f6841109e7cf1fc7a4e569419

SHA512
c825215f8b965c1d3c91db15b81f03babab785f1339b4f8b37fb565c295aaad59811498ad4a5f74bd79a4f6f660b2ee0cbc68791212326c6829a3db768755726

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkIgwwsY.bat

Filesize
4B

MD5
9037912c59210ec4706deedbe1875c0f

SHA1
c1572390687c31501403bb2844b0ca37f6f5b88c

SHA256
1a1ccc6cc343c510a73a1438f3c435b2bf0b8e2b419dba71901cfebae74182d5

SHA512
68c7a4739c5dc7eae610e1dd3ac0b84100e2698e501011fff59b5644c4b6a7e3a682f7fe7e7742d64ae92bf9e17c58301dc0fee88f1b9321830ef993efc6f624

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIwgwoYo.bat

Filesize
4B

MD5
68b2dc2d353c30e64565b3fe53648770

SHA1
6845e815b59152b4d56c11bee2547ef9acdc36fe

SHA256
4f0888dd45bb437f13d8487d6d471da835e4fa5fe0abe352fc6df700f6287711

SHA512
385c70f0b293599f78cb18c6c36ed9ae9eb6fb0f1e60ee373b7fc50830f776691da2b390fd1305201fb3e4b8f833be2669ac6c645937e7ad0b72716fe13d4414

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngUYcAEE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMIkwIUc.bat

Filesize
4B

MD5
39f95110f211a26d8632152c45fe27f1

SHA1
029196c1dce957ea6949723d015f533e32d8af1d

SHA256
4e505e0e45ecb4799edc07e9b5fa12ceba5bcea5be367831fb934302cd61ea20

SHA512
e8b71d55efac7d16239040b21b928b54cc3436410e0af9694715fb3b2a42e1e57f745dc8664d6878ccefcb485fee72341ce0aa01be0a3234bc2e31053846012b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsYE.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rKIYEgoE.bat

Filesize
4B

MD5
b893ae9c324b750d19a80fdd79f0e32a

SHA1
7053d7d768bff347a0d4819a0a9da7b3542c83f0

SHA256
c4b9d8c033a51ffbae60ab84d42824f26937f9eb253d11b4c631fd02e3282ff4

SHA512
36eef884d2d1fe3412f59a851fffa29e2cd857ad01ef6769e3a47ea394218694e1116aa42cadf06bb44395eaebff730cc8ea917126bf49078c42f7d4c22ffac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUAcgAMQ.bat

Filesize
4B

MD5
fcf139bc26f60e84ae10d31d20316f3a

SHA1
be21a29eca83c9c3d5c7b2f1c4535c514c3be34c

SHA256
f10f89323ad23a2f7361f4777a045d64001ba8904d47f74aab70eeeb0fa0369d

SHA512
f1b39fcab3488873c0defa912fef62aaf5964b3529226890d4eea767c0a24451fced3a2bfb6d5d8489d71d132506f2d34dd925af7b361236a6d7fec956138a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYMg.exe

Filesize
483KB

MD5
efce509ee730b7632772baedfc9b6ab9

SHA1
f9f0a15c2af23ebed727d7fe502c22df0e6d7c3c

SHA256
640930f87bb1868068a6f97b68435ea7a7967da55155502d9a36cb8dcd4e0138

SHA512
56597947f9128a40e5b8cdd1b89987a776cc7ccb564cb4270b473d57e7eab6759379ce7b0b26ed4176cb4859c41de4ef6a8b561f5812656ba60332745a54fdfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKUcgEkU.bat

Filesize
4B

MD5
dc06bf1d93ba903c5938fa79ed561e00

SHA1
af7c922868365c23313418e40cf96ec8bdd41cc1

SHA256
db7d66dae2af64a309bf449e4a2fa73659c89f843eadf0c273b9073e005a97dd

SHA512
67653003cb44d11bec22028ab5b1fe6877aa52653dbff2b27be8ebba5448f30f731e4201173f8e854017e2cb094d26671b354c874b2953567893c0a472d7e3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYEQ.exe

Filesize
478KB

MD5
f12346c35fa83fb39f1448f9223c5ccb

SHA1
5d8eac16b97675be6c579c9fdb8a18f6f2a22516

SHA256
e84aad7c8842025bf2b4fe4360ee935bb00ed67e3a4bd893424ac31bc5f2a738

SHA512
9b7ef90a5c023c5f475317375ff71ca7160faa411ba31b041cca7d3e33ca6e7f77a99dd4297d73a21a532b18df9eb2cae8978870f55079150a7393a2910885f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tOogsQYs.bat

Filesize
4B

MD5
88f129d11ebac791581c74059f304713

SHA1
a8d4e3c27311479d04e99358ee8d3e30bc8f328a

SHA256
1cd7dee667d9513914270d9769909cd6939e78a9c3fba4e28d1ed6733933ebbf

SHA512
46862f50dd37ef04e051180556164af3429da0c75f16665d42a40875ffb43b5999147a585b7e7432e99c504e33aeeb5ab51f4aec33c288919682d30003ba1237

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIocAoAE.bat

Filesize
4B

MD5
d0b415b0b96f3e919f08821a872000e1

SHA1
de69dd73c7c10cbea4a74acebb87456c3ab5aae7

SHA256
f2bdb51fcc5a01dc7cfd4ece9450158a07aeab409109ec613672ed5e67ac0cbd

SHA512
3056d491ca1eb5231fbb91e8ffd9c4ab025fc3132c6378995562288f9a47f23af150a8cdc92a922dfadbe6b5621c5e1332062a69a6665989b11316e2ac688b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\vOwsgUIQ.bat

Filesize
4B

MD5
3f196a9c2b3ea104fab3b5a1c28cc6ae

SHA1
2ed4fa839f4dda2bf18ccbbe80030be1de1a46f1

SHA256
3c294f2516881502bb95262acd1bf57e5069c3621ba6d2833ae148fa9b064228

SHA512
37cffce2dd61eef42bd54256c27da5a838e3d586ede5713389519b51fdbe621effc1aef01a6b850fe9019bdc06a8412a4c4fcea9d491eb38791f3782022bc1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmUgQgIY.bat

Filesize
4B

MD5
ad5fe5392cfacbd2926b0ee08f60ed3a

SHA1
fb9efba33b17b4dce61dc4c2bbbeff06ce2a2cd5

SHA256
305c72a74a716cb47a51601643072dc3c189720af93be42579a77f0654a5e3ea

SHA512
6d57daf79707cf2c3efd6825487e0613720640c652842433d4f9daf89a7f0d5d419dc0e289b7f7aa34713498a94f4f5c10c76e988cf23a6fb2347fbc18ce964f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQIEIwIM.bat

Filesize
4B

MD5
37e5fdb1012210b5302444a7e98d0be9

SHA1
b56cba3afa096cad32ad52e71a8da0092e6b087e

SHA256
b994a035e84c7b8c7ef8e2db917e839055abf4148686ee56e91fd2cc681864e8

SHA512
66df53696e018cade8495d20f8f5127bcee1205a1a6fb93ad26f22888bfa702c714d3100c855d33cde1355ea6d1bc44bed9f1fe0bc84683c07b7bd062616944f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUoMEAcY.bat

Filesize
4B

MD5
1ae2d7bd36e9323cd19c0545a112ae5f

SHA1
230362a376c2e71d84a029e6c83e444ffd144919

SHA256
2d7f937ced3a63502eb3146555d9e83e7da9c5c0de72b9df687ef2c32f4dc84c

SHA512
603cd3f95960387748576a5c12841209043d5407b4bde777d3e645ff26630a4ae948a4425bf8560e1372998ebdceb0165b9dee0ff457f0c7bb7898fc6a283f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgMksscc.bat

Filesize
4B

MD5
eb72e05793f9eba75cb832a07264c373

SHA1
a3d77bbe010667c3f351772c946b4a5a090eecbf

SHA256
29fa1f9be1ba4990452c88ee1fb85de05fbd13c4171c8c262b89c34e2b781a9d

SHA512
095f3f19d1637dc056ee4f2a8ded76dfefbb6ff9e3424f3491fbef34fee84865306ebc01d7f5c1fc81cb2ea8140b812441ed65b52b740b8e57f92e260086071f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygogUosc.bat

Filesize
4B

MD5
915fde3a5fc6a5217af43e1028c67960

SHA1
a02e21a9d146e4fe2618ba37fe8bafbeb59c7d0e

SHA256
6125e2494144c230201f271ec6b5c0d0cdaf13d846cad87295a7b623e74811fd

SHA512
254f5043b1e2879e0d26c8e29c975b4c00e4eb24d8a7d93b9c774a33f8e06487695a0bce113f5f1d992de215ac158ab2b760ae0fcfb3f47bee8d1621b3721ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yywwQcEc.bat

Filesize
4B

MD5
b3f581571359a62b56e0233ad0a19b04

SHA1
1364b7561d3cca9e590e1a52b46b1faf3424c1a7

SHA256
5867fbacee06b6dd13ff08ecca0bb3b9a578d1d77e3eb364e62f4c3bcc0a5d5a

SHA512
8b4706d6a6460f27620cefba4aede0e9de09efd790fce45d7a598ae292f512988d66cc3092abe4f3e9f468a8eb96582e974a201c56b6b80ab20af489c213e93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zckIssUI.bat

Filesize
4B

MD5
59761a63a7f35098bc0fe62ab3e15451

SHA1
13b18e3d6feb615550ddd954b68c5e949d32c330

SHA256
f78e571e6353861949fe37679ff2d9df707a8c995ab7caa63966f92cef564d50

SHA512
4ed5aa871c858111859d2f1196cd57a8f29784180506baa640b160bfe218dca1672ae4d258073ce619ed6b3259d010006a6e37a8c84ddfffd93ce2df0afe9b38

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\ProgramData\hwgAgMsA\lsMUYsYc.exe

Filesize
69KB

MD5
0ad14aa9a08cd1a53cbed94045818565

SHA1
f9bd3af645d83960fdfc1fb64b0f3487b79b198c

SHA256
284ad8c7f32c08c6662810a28dee208df540185b382d00edc3b3351342f9aae3

SHA512
e17f8bf2b3dd77e8cd4a20c8632759074f05d54dcb1333b27ab82455a3013fa431067820aa578c1d09a0a0fa7b2d2b5cca3d6a474c73f70c856c0b693fcb539a

Download Submit
\ProgramData\hwgAgMsA\lsMUYsYc.exe

Filesize
38KB

MD5
001500750605ea1975507d8b2fbf58d8

SHA1
90a4a1e0b4084ee51692a1f219e98fc0e9aa7bbe

SHA256
92ee627649d57528744922f5060ea402429ad5001ce4b65c1aaa03021f153ae0

SHA512
a6e6d5fa6fc7fa080467bb43afe47a298867c08c3ecbe904f925e2c6dd4fc854fc4986ce938646a75f340888873c47cbd601868d0c784a0425e28812ce12472f

Download Submit
\Users\Admin\DqAEAkUU\eiwMwMYc.exe

Filesize
432KB

MD5
c5c763866b87fae70ca07aca7789a952

SHA1
328ad474a3ec98cf2fdf2d5b324c1572583673de

SHA256
647e6ab19fa0df12f1c1daa8810dcd177db25628605b06e0846ae7e58a3b205e

SHA512
b3a2b389724d44a0c888c53307a7787d8d05e2fdf1fbcb3ce9426bd7dc0903b9720e988d3721e779faa62038d4e8adf497b8c2837b703d1bd3ab4e0484d4e0b8

Download Submit
memory/472-516-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/472-391-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/484-437-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/760-446-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/760-335-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/796-214-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/796-264-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/884-347-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/884-459-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/892-528-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1080-140-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1080-109-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1112-460-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1388-538-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1424-234-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1424-300-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1488-201-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1488-263-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1548-402-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1548-527-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1620-436-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1620-324-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1696-247-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1696-319-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1724-196-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1724-155-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1728-163-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1728-131-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1752-45-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1752-75-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1864-153-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1864-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1900-548-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1900-424-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1936-66-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1936-95-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1952-506-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1984-117-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1984-87-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2056-483-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2056-357-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2288-380-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2288-505-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2400-176-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2400-10-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2456-495-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2488-448-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2632-425-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2632-292-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2640-279-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2640-419-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2640-421-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2676-178-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2676-53-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2676-34-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2676-233-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2704-200-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2704-20-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2776-212-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2776-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2812-484-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2944-517-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3032-369-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3032-494-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download